Data processing addendum

About this addendum

This Data Processing Addendum ("DPA") forms part of the Reqio Terms of Service and is incorporated into and governed by those Terms. By using the Reqio service, you (the controller or Data Fiduciary) and K S Poorvik, an individual operating under the trade name Reqio ("Reqio", the processor or Data Processor), agree to be bound by this DPA in addition to the Terms of Service.

This DPA governs how Reqio processes personal data on your behalf when you use the Reqio service to collect end-user feedback. Together, the Terms of Service and this DPA constitute the complete agreement between the parties on data processing matters.

Where applicable law requires a written data processing agreement between a controller and a processor, including Article 28 of the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act 2023 of India (DPDP Act), this DPA is intended to satisfy that requirement.

Reqio recommends that you have this document reviewed by legal counsel in your jurisdiction before relying on it for regulatory compliance purposes.

Definitions

Controller (or Data Fiduciary under the DPDP Act): the party that determines the purposes and means of processing personal data. Under this DPA, the controller is you, the customer.

Processor (or Data Processor under the DPDP Act): the party that processes personal data on behalf of the controller. Under this DPA, the processor is Reqio.

Personal data: any information relating to an identified or identifiable natural person, or digital personal data as defined under the DPDP Act.

Data subject (or Data Principal under the DPDP Act): the individual whose personal data is being processed. Under this DPA, data subjects are the end users who interact with the Reqio widget embedded on your website.

Sub-processor: any third party engaged by Reqio to process personal data on Reqio's behalf in connection with providing the service.

Processing: any operation or set of operations performed on personal data, including collection, storage, use, disclosure, or deletion, whether or not by automated means.

Roles and scope of processing

You are the controller. You determine what personal data your end users submit through the Reqio widget and the purposes for which it is collected. Reqio is the processor. Reqio processes personal data solely to provide and operate the service on your behalf.

Reqio processes the following categories of personal data on your behalf: anonymous browser identifiers, optional email addresses, optional external user identifiers (where you enable the identity feature), revenue attributes (monthly recurring revenue, plan name, or external identifiers, where you pass them in an identity token), feature request text, votes, comments, page URLs, optional context strings, browser and device diagnostics submitted at the time of a widget interaction, and the content and headers of inbound email replies from end users who reply to Reqio notification emails (stored in the associated conversation thread).

Reqio does not process personal data for its own purposes beyond what is strictly necessary to provide the service, unless required by applicable law.

Customer instructions and lawful basis

Reqio processes personal data only on your documented instructions, as set out in the Terms of Service and this DPA, and as strictly necessary to comply with applicable law.

You warrant that you have a lawful basis under applicable law (including the GDPR and the DPDP Act) to collect and process the personal data of your end users through the Reqio widget, and that you have provided end users with an appropriate privacy notice.

You must not instruct Reqio to process personal data in a manner that would violate applicable law. If Reqio reasonably believes that an instruction would result in a breach of applicable law, Reqio will promptly notify you and may pause processing under that instruction until you provide a revised instruction.

Sub-processors

Reqio currently engages the following sub-processors to assist in providing the service:

Dodo Payments: payment processing and billing. Processes subscriber email addresses for receipts. Does not process end-user personal data collected via the widget.

Vercel: hosting and serverless compute. Processes all request data passing through the application.

Neon: managed PostgreSQL database. Stores all structured application data, including end-user widget submissions.

Resend: transactional email. Processes recipient email addresses and email content where email notifications are enabled.

Reqio will give you reasonable advance notice of any intended change to its sub-processor list. You may object to such a change by notifying Reqio at support@reqio.app within 14 days of the notice. If Reqio cannot accommodate the objection without materially affecting the service, you may terminate the agreement.

Security measures

Reqio implements appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, disclosure, or destruction, including:

Encryption of data in transit using TLS.

Encryption of sensitive stored secrets using AES-256-GCM.

Hashed passwords using bcrypt (12 rounds).

Access controls limiting employee access to personal data to those who require it to provide the service.

Rate limiting and abuse detection on authentication and widget endpoints.

Reqio reviews and updates its security practices periodically to maintain a level of protection commensurate with the risks presented by the processing.

International transfers

Reqio is operated from India. Some sub-processors (including Vercel and Neon) store and process personal data in the United States or other countries outside India and the European Economic Area.

Reqio relies on its sub-processors' own compliance frameworks, including Standard Contractual Clauses or equivalent safeguards where required under applicable law, for cross-border transfers.

By using the service, you acknowledge that end-user personal data may be transferred to and processed in countries whose data protection laws differ from those in your jurisdiction.

For personal data of data subjects in the European Economic Area or European Union, the parties hereby incorporate by reference the Standard Contractual Clauses issued under Commission Implementing Decision (EU) 2021/914 (Module Two: Controller to Processor), with the Customer as the data exporter and controller and Reqio as the data importer and processor. These clauses apply to and govern such transfers. Where these Standard Contractual Clauses conflict with the remaining provisions of this DPA in respect of the data they cover, the Standard Contractual Clauses shall prevail. The optional and docking clauses are deemed selected to the extent applicable.

For personal data of data subjects in the United Kingdom, the parties further incorporate by reference the UK Information Commissioner's International Data Transfer Addendum to the EU Standard Contractual Clauses (the 'UK IDTA'). The UK IDTA is deemed to form part of the Standard Contractual Clauses as they apply to UK transfers and shall prevail over any conflicting provisions of this DPA for the data it covers.

Data subject rights

As the controller, you are responsible for responding to requests from data subjects (or Data Principals) exercising their rights under applicable law, including rights of access, correction, deletion, restriction, and portability.

Reqio will provide reasonable assistance to help you fulfil such requests, to the extent technically feasible. To request assistance, contact Reqio at support@reqio.app. Reqio will respond within 30 days.

On written request, Reqio will delete or return personal data it holds on behalf of a specific data subject within 30 days, subject to any legal retention obligations.

Data breach notification

If Reqio becomes aware of a security incident affecting personal data processed under this DPA, Reqio will notify you without undue delay, and in any event within 72 hours of becoming aware of the incident.

The notification will include, to the extent known at the time: the nature of the incident, the categories and approximate number of data subjects affected, the categories and approximate volume of personal data involved, the likely consequences, and the measures taken or proposed to address the incident.

You are responsible for notifying the relevant supervisory authority or data subjects as required by applicable law. Reqio will cooperate with your investigation and remediation efforts.

Audit and records

Reqio maintains records of its processing activities under this DPA as required by applicable law.

On written request, Reqio will make available to you the information reasonably necessary to demonstrate compliance with this DPA. Reqio may fulfil this obligation by providing a written description of its current security measures or a relevant third-party audit summary where one is available.

Reqio does not routinely permit physical on-site audits given the nature of the service, but will cooperate with reasonable information requests at no additional cost.

Return and deletion of data

On termination or expiry of the agreement, Reqio will, at your election, return or securely delete all personal data processed under this DPA within 30 days of your written request.

This obligation does not apply to the extent Reqio is required by applicable law to retain the data, in which case Reqio will continue to protect that data in accordance with this DPA and will not process it for any other purpose.

Data export requests should be submitted to support@reqio.app before account deletion. Once an account is permanently deleted, recovery is not possible.

Liability and governing law

The liability of each party under this DPA is subject to the limitations set out in the Reqio Terms of Service.

This DPA is governed by and construed in accordance with the laws of India. Any dispute arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the courts located in India.

If any provision of this DPA is found to be unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.