Data Processing Agreement

1. Parties and definitions

Processor: Classroom Creatives, operating ReviewPulse, registered in the Netherlands ("we", "us", "ReviewPulse").

Controller: The organisation that has registered an account with ReviewPulse and whose data is processed ("you", "Customer").

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.

Personal data: Any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).

By accepting this agreement (at registration or via the in-app prompt), the Customer and ReviewPulse enter into this Data Processing Agreement in accordance with GDPR Art. 28.

2. Subject matter and duration

ReviewPulse processes personal data on behalf of the Customer for the purpose of providing the ReviewPulse service: aggregating, analysing, and surfacing guest review data to help the Customer manage operational quality.

This DPA is effective from the moment of acceptance and remains in force for as long as the Customer maintains an active account. Upon account closure, data is retained for 30 days to allow export, then permanently deleted in accordance with Section 11.

3. Nature, purpose and types of personal data

Categories of data subjects

• Guests who have left reviews on Google, Booking.com, or Revinate for the Customer's property.

Types of personal data processed

• Reviewer display name or username
• Review text (positive and negative comments)
• Star rating
• Review date
• Reviewer nationality or language (where provided by the platform)
• Platform-specific metadata (e.g. Booking.com Genius status, room type)

Purpose of processing

• Storage and deduplication of review records per property
• AI-powered extraction of operational issues from review text
• Generation of department-level action plans
• Analytical reporting (sentiment trends, rating distribution, language breakdown)
• Delivery of weekly digest emails to account users

ReviewPulse does not process payment card data, health data, or special categories of personal data as defined in GDPR Art. 9.

4. Obligations of the processor (ReviewPulse)

ReviewPulse shall:

• Process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country.
• Ensure that persons authorised to process the personal data have committed themselves to confidentiality.
• Implement appropriate technical and organisational security measures (see Section 7).
• Not engage sub-processors without prior written authorisation. General authorisation is granted by the Customer's acceptance of this DPA; specific sub-processors are listed in Section 6.
• Assist the Customer in responding to data subject rights requests (see Section 8).
• Assist the Customer in ensuring compliance with GDPR Arts. 32–36 (security, breach notification, DPIA, prior consultation).
• Delete or return all personal data upon termination of services (see Section 11).
• Make available all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits.
• Notify the Customer without undue delay upon becoming aware of a personal data breach (see Section 9).

5. Obligations of the controller (you)

The Customer shall:

• Ensure that the personal data provided to ReviewPulse has been collected lawfully and that the Customer has a valid legal basis for processing under GDPR.
• Only upload review data that the Customer is entitled to process.
• Ensure that data subjects whose data is uploaded have been informed of the processing in accordance with GDPR Arts. 13–14.
• Promptly notify ReviewPulse of any changes to instructions regarding processing.

6. Sub-processors

The Customer grants ReviewPulse general authorisation to engage the following sub-processors. ReviewPulse will notify the Customer of any intended changes to sub-processors by updating this DPA and incrementing the version number.

Review data (personal data of guests) is transmitted to Azure OpenAI for AI analysis. Microsoft has confirmed that Azure OpenAI does not use customer data for model training. Data is processed within the EU.

7. Security measures

ReviewPulse implements the following technical and organisational measures in accordance with GDPR Art. 32:

• Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+. HSTS is enforced in production.
• Access control: Role-based access (admin, account owner, property user). Authentication via bcrypt-hashed passwords with minimum strength requirements.
• Session security: HTTPOnly, SameSite=Lax cookies; 2-hour inactivity timeout; secure flag enforced in production.
• Rate limiting: Brute-force protection on login, registration, and AI endpoints.
• Data isolation: Each Organisation's data is logically isolated by organisation ID in all queries.
• GDPR purge: Automated deletion of all personal data 30 days after account closure.
• Audit logging: Key actions (login, import, plan change, DPA acceptance) are recorded with timestamp and user identity.
• Infrastructure: Hosted on Microsoft Azure with managed security patching, automated backups, and monitoring.

8. Assistance with data subject rights

If a guest whose review data is stored in ReviewPulse submits a data subject rights request (access, rectification, erasure, restriction, portability, or objection) to the Customer, ReviewPulse will assist the Customer in fulfilling that request.

The Customer should contact ReviewPulse at contact@classroomcreatives.nl with the relevant details. ReviewPulse will respond within 5 business days.

For erasure requests: ReviewPulse can delete all review data for a specific property or account upon written instruction from the Customer.

9. Data breach notification

In the event that ReviewPulse becomes aware of a personal data breach affecting Customer data, ReviewPulse will:

• Notify the Customer's account owner email address without undue delay and within 48 hours of becoming aware of the breach.
• Provide (as soon as available): the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

The Customer remains responsible for notifying the relevant supervisory authority (e.g. the Dutch Autoriteit Persoonsgegevens) within 72 hours where required under GDPR Art. 33.

10. International data transfers

All personal data processed under this DPA is stored and processed within the European Union (Microsoft Azure EU regions). ReviewPulse does not transfer personal data to countries outside the EEA without appropriate safeguards.

Where sub-processors are located outside the EEA, Standard Contractual Clauses (SCCs) approved by the European Commission are in place.

11. Termination and data deletion

Upon account closure (whether initiated by the Customer or by ReviewPulse), the following applies:

• The Customer may export their data within 30 days of account closure using the in-app export function.
• After 30 days, all personal data (review records, issue data, user accounts) is permanently and irreversibly deleted from all systems, including backups.
• ReviewPulse will provide written confirmation of deletion upon request.

12. Liability

Each party shall be liable to the other for damages caused by a breach of this DPA in accordance with GDPR Art. 82 and the ReviewPulse Terms of Service. ReviewPulse's liability for data processing is limited to the extent permitted by applicable law.

13. Governing law

This DPA is governed by the laws of the Netherlands. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.

Questions about this DPA: contact@classroomcreatives.nl