Data Processing Addendum

This Data Processing Addendum (“DPA”) applies when Going Macro S.r.l. processes personal data on behalf of a business customer through RevScout.

1. Parties

Processor:

Controller: the business customer using RevScout.

This DPA supplements the Terms & Conditions and any commercial agreement between the parties. In case of conflict on data protection matters, this DPA prevails.

2. Roles

For Customer Data processed through RevScout, the customer acts as data controller and Going Macro S.r.l. acts as data processor.

3. Subject matter

Going Macro S.r.l. processes personal data on behalf of the customer to provide RevScout, including customer-health monitoring, churn-risk analysis, revenue-signal monitoring, integrations, AI-assisted summaries, alerts, and related SaaS functionality.

4. Duration

Processing continues for the duration of the customer’s use of RevScout, plus any additional period required for deletion, export, legal retention, backup rotation, security, or dispute resolution.

5. Nature and purpose of processing

• connect third-party integrations;
• import, sync, and store data;
• analyze product usage, billing, support, and customer-health signals;
• generate risk indicators, alerts, summaries, and reports;
• provide AI-assisted insights;
• provide support; secure and maintain the service;
• monitor errors and service reliability;
• delete or export data as instructed.

6. Categories of personal data

• names; business email addresses; user IDs;
• company names; account IDs; organization IDs;
• Stripe customer IDs; subscription, billing, and payment metadata;
• product usage events;
• support tickets and messages;
• CRM metadata; customer-success notes;
• account health indicators;
• AI-generated summaries and insights.

7. Categories of data subjects

• customer’s users and employees;
• customer’s customers and their employees;
• customer’s prospects, where applicable;
• workspace administrators; support contacts.

8. Customer obligations

• have a valid legal basis for processing personal data through RevScout;
• provide all required notices to data subjects;
• ensure connected data is accurate and lawful;
• avoid submitting unnecessary sensitive data;
• configure integrations and permissions appropriately;
• manage user access;
• respond to data subject requests as controller;
• ensure that its use of AI-generated outputs complies with applicable law.

9. Processor obligations

• process personal data only on documented customer instructions;
• ensure authorized personnel are bound by confidentiality;
• implement appropriate technical and organizational security measures;
• assist the customer with data subject requests where legally required and technically feasible;
• assist with security, breach, and DPIA obligations where reasonable;
• notify the customer of personal data breaches without undue delay;
• use subprocessors under appropriate contractual obligations;
• delete or return personal data after termination, subject to legal, security, and backup retention requirements;
• make available information reasonably necessary to demonstrate compliance with this DPA.

10. Subprocessors

The customer authorizes Going Macro S.r.l. to use subprocessors needed to provide RevScout. Current subprocessors are listed on the Subprocessors page. Going Macro S.r.l. will ensure subprocessors are subject to appropriate data protection obligations. If a new subprocessor materially changes the processing of Customer Data, Going Macro S.r.l. will provide reasonable notice where required by law or contract.

11. International transfers

Where personal data is transferred outside the European Economic Area, Going Macro S.r.l. will use appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or equivalent lawful transfer mechanisms.

12. Security measures

• encryption in transit where applicable;
• provider-level encryption at rest where available;
• access control; least-privilege access;
• authentication protections;
• logging and monitoring;
• error monitoring;
• backup procedures;
• segregation of environments where applicable;
• confidentiality obligations for authorized personnel.

13. Personal data breaches

Going Macro S.r.l. will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, with information reasonably available to help the customer meet its own legal obligations.

14. Data subject requests

If Going Macro S.r.l. receives a request from a data subject relating to Customer Data, it may direct the request to the customer and will provide reasonable assistance where required by applicable law and technically feasible.

15. Deletion or return

Upon termination, the customer may request export or deletion of Customer Data within a reasonable period. After that period, Going Macro S.r.l. may delete Customer Data, subject to legal, backup, security, and dispute-resolution retention requirements.

16. Audits and documentation

Upon reasonable written request, Going Macro S.r.l. will provide information necessary to demonstrate compliance with this DPA. Any audit must be reasonable, limited in scope, subject to confidentiality, and must not compromise the security or confidentiality of other customers.

17. Liability

Each party is responsible for its own compliance with applicable data protection laws. The customer remains responsible for the lawfulness of Customer Data and the instructions provided to Going Macro S.r.l.

18. Governing law and jurisdiction

This DPA is governed by Italian law. The Court of Como, Italy, has exclusive jurisdiction, unless mandatory law provides otherwise.

19. Contact

For DPA-related requests: info@goingmacro.it.