Privacy & Compliance
Record of Processing Activities
This is WiserReview's simplified public Record of Processing Activities (RoPA), maintained pursuant to GDPR Article 30. It describes the personal data processing activities carried out by Tatvam Cloud Solutions, Inc.
Version 1.0·Last Updated: March 2026·Tatvam Cloud Solutions, Inc
Note on Controller / Processor roles: WiserReview acts as both a Data Controller (for merchant account data, error monitoring, and billing) and as a Data Processor (for consumer review data, processed on behalf of merchants who are the Controllers). Both roles are reflected in this register. Our Data Processing Agreement governs the Processor relationship.
Processing Activities Register
PA-01
Merchant Account Management
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Controller) |
| Purpose | Account creation, authentication, billing, and platform access management |
| Legal Basis | Contract (GDPR Art. 6(1)(b)); Legitimate Interest (Art. 6(1)(f)) |
| Data Categories | Name, email address, company name, hashed password, platform type |
| Data Subjects | Merchants / business users |
| Retention | Active subscription lifetime + 60 days post-cancellation |
| Sub-Processors | Microsoft Azure, MongoDB Atlas, Chargebee |
| Cross-Border Transfers | United States (Azure, MongoDB Atlas) |
PA-02
Review Request Emails
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Processor for Merchant) |
| Purpose | Sending automated review request emails to merchant's customers after purchase |
| Legal Basis | Legitimate Interest of Merchant (GDPR Art. 6(1)(f)); merchant is Controller |
| Data Categories | Customer email address, first name, order ID, product name, order date |
| Data Subjects | End consumers (shoppers) of merchant stores |
| Retention | While merchant account is active; auto-deleted on account closure or GDPR request |
| Sub-Processors | Azure Service Bus, AWS SES, SendGrid, Microsoft Azure, MongoDB Atlas |
| Cross-Border Transfers | United States |
PA-03
Review Collection & Storage
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Processor for Merchant) |
| Purpose | Collecting, storing, and managing customer reviews on behalf of merchants |
| Legal Basis | Consent of reviewer; Legitimate Interest of Merchant (merchant is Controller) |
| Data Categories | Reviewer name, email address, review text, star rating, photos/videos, IP address, submission timestamp |
| Data Subjects | End consumers who submit reviews |
| Retention | While merchant account is active; deleted on review deletion, GDPR request, or account closure |
| Sub-Processors | Microsoft Azure, MongoDB Atlas, Azure Blob Storage, AWS S3 |
| Cross-Border Transfers | United States |
PA-04
Review Display (Widget)
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Processor for Merchant) |
| Purpose | Displaying approved reviews on merchant storefronts via the WiserReview pixel widget |
| Legal Basis | Legitimate Interest of Merchant |
| Data Categories | Reviewer name (or anonymized), star rating, review text, review date, photos/videos |
| Data Subjects | End consumers whose reviews are displayed publicly |
| Retention | Same as review storage (PA-03) |
| Sub-Processors | Cloudflare CDN, Microsoft Azure |
| Cross-Border Transfers | Cloudflare global edge (caches public widget assets only, no PII in CDN cache) |
PA-05
Platform Integration Sync (Shopify, WooCommerce, etc.)
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Processor for Merchant) |
| Purpose | Syncing order data from connected e-commerce platforms to trigger review requests and verify purchases |
| Legal Basis | Contract / Legitimate Interest of Merchant |
| Data Categories | Order ID, customer email, customer name, product name/ID, order date, platform store ID |
| Data Subjects | End consumers of the merchant's store |
| Retention | While merchant account is active |
| Sub-Processors | Microsoft Azure, MongoDB Atlas |
| Cross-Border Transfers | United States |
PA-06
Error Monitoring & Application Diagnostics
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Controller) |
| Purpose | Detecting, diagnosing, and resolving application errors and performance issues |
| Legal Basis | Legitimate Interest: ensuring platform reliability and security (Art. 6(1)(f)) |
| Data Categories | Anonymized request context (URL, browser, error stack trace), IP address fragments, timestamps |
| Data Subjects | Merchants and, to a limited extent, end consumers interacting with the platform |
| Retention | 90 days (automatic log rotation in Sentry) |
| Sub-Processors | Sentry |
| Cross-Border Transfers | United States (Sentry) |
PA-07
Billing & Subscription Management
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Controller for billing; Chargebee as Processor) |
| Purpose | Processing subscription payments, invoicing, and managing subscription lifecycle |
| Legal Basis | Contract (GDPR Art. 6(1)(b)) |
| Data Categories | Merchant name, billing email, subscription plan, payment references (no card data; handled by Chargebee PCI DSS L1) |
| Data Subjects | Merchants |
| Retention | Duration of subscription + legally required financial record retention periods |
| Sub-Processors | Chargebee (PCI DSS Level 1) |
| Cross-Border Transfers | United States (Chargebee) |
PA-08
AI-Assisted Text Generation
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Controller; Merchant as initiating user) |
| Purpose | Generating AI-suggested review response text and grammar corrections for merchants |
| Legal Basis | Contract / Legitimate Interest |
| Data Categories | Review text content only. No PII (names, emails) is sent to OpenAI. |
| Data Subjects | Merchants (initiating the AI feature); no end-consumer PII involved |
| Retention | Not retained by OpenAI per API usage terms; not stored in WiserReview beyond the session |
| Sub-Processors | OpenAI (review text only, anonymized, no PII) |
| Cross-Border Transfers | United States (OpenAI) |
PA-09
GDPR Data Subject Rights Fulfilment
| Controller / Processor | Tatvam Cloud Solutions, Inc (as Controller for merchant data; Processor for consumer data) |
| Purpose | Processing and responding to data subject access, deletion, and portability requests |
| Legal Basis | Legal Obligation (GDPR Arts. 15–22) |
| Data Categories | Data identified in the original processing activity subject to the request |
| Data Subjects | Merchants and/or their end consumers |
| Retention | Records of requests retained for accountability; 3 years |
| Sub-Processors | None (internal process) |
| Cross-Border Transfers | None |
General Security Measures
All processing activities are protected by the following technical and organisational measures (full detail at /security):
✓AES-256 encryption at rest (MongoDB Atlas, Azure Blob Storage, AWS S3)
✓TLS 1.2+ in transit on all endpoints
✓Cloudflare WAF + DDoS protection
✓Workspace-level multi-tenant data isolation
✓JWT authentication + RBAC (Admin/Editor/Viewer)
✓MongoDB Atlas IP whitelisting (not publicly accessible)
✓Continuous automated backups (MongoDB Atlas point-in-time recovery)
✓Incident response plan with 72-hour breach notification
Full technical security documentation: Incident Response · Infrastructure Security · Compliance & Certifications
Cross-Border Transfer Safeguards
All cross-border data transfers to the United States are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent GDPR-compliant transfer mechanisms maintained by our Sub-Processors (Microsoft Azure, AWS, MongoDB Atlas, Cloudflare, Sentry, OpenAI, Chargebee). Our DPA covers these transfer mechanisms.
Article 30 Compliance & Inquiries
This public register is a summary. The full internal RoPA is maintained by the Security Officer (Tatvam Cloud Solutions, Inc). For GDPR Article 30 compliance inquiries, DPA requests, or data subject rights: