Data Processing Addendum (DPA)
Company: RavDev Technologies, LLC
Effective Date: March 1, 2025
Last Updated: April 4, 2026
Contact: legal@ravdevtech.com
This policy is provided for informational purposes. Consult legal counsel for jurisdiction-specific compliance.
> Note: This document is a template Data Processing Addendum. For a fully executed, legally binding DPA for your organization, contact legal@ravdevtech.com. Enterprise customers may request a signed DPA as part of their onboarding.
1. Definitions
"Controller" means the Customer (you) who determines the purposes and means of processing personal data.
"Processor" means RavDev Technologies, LLC, which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection law, including the GDPR.
"Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, erasure, or destruction.
"GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation) and, as applicable, equivalent legislation adopted in the UK following Brexit.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as amended from time to time.
"Sub-processor" means any third party engaged by RavDev Technologies to process personal data on behalf of the Controller.
2. Scope and Purpose
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other agreement between the Customer and RavDev Technologies, LLC ("Agreement") and governs the processing of personal data by RavDev Technologies as a data processor on behalf of the Customer.
This DPA applies to all personal data processed by RavDev Technologies in connection with the provision of NextGen Grant OS ("Service").
3. Data Processing Instructions
3.1 RavDev Technologies shall process personal data only on documented instructions from the Controller, including those set out in this DPA and the Agreement, unless required by applicable law.
3.2 The categories of personal data processed and the purposes of processing are:
| Category | Data Elements | Purpose |
|---|---|---|
| User account data | Name, email, role, organization | Authentication, service delivery |
| Usage data | IP address, feature usage, timestamps | Security, service improvement |
| Customer content | Documents, proposals, budgets | Core service functionality |
| Payment data | Name, billing address (Stripe token) | Subscription management |
3.3 RavDev Technologies shall immediately inform the Controller if it believes any instruction infringes applicable data protection law.
4. Technical and Organizational Security Measures
RavDev Technologies implements and maintains the following security measures:
- Encryption in transit: TLS 1.2+ for all data transmitted between users and the Service
- Encryption at rest: AES-256 for stored personal data
- Access controls: Role-based access control with least-privilege principles
- Authentication: Secure password hashing, MFA support, session management
- Vulnerability management: Regular scanning, patching within defined SLAs
- Incident response: Documented incident response procedures and breach notification obligations
- Logging and monitoring: Audit logs for access and processing activities, retained for 365 days
- Backup and recovery: Daily encrypted backups, quarterly recovery testing
5. Sub-processing
5.1 The Controller authorizes RavDev Technologies to engage the sub-processors listed in our Subprocessor Disclosure.
5.2 RavDev Technologies shall: (a) provide at least 30 days' advance notice of changes to sub-processors; (b) impose data protection obligations on sub-processors equivalent to those in this DPA; and (c) remain liable for the acts and omissions of sub-processors as if performed by RavDev Technologies.
5.3 The Controller may object to a new sub-processor within 15 days of notice. If the Controller objects and RavDev Technologies cannot accommodate the objection, the Controller may terminate the Agreement with respect to the affected services with 30 days' notice.
6. Data Subject Rights
6.1 RavDev Technologies shall assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) taking into account the nature of the processing.
6.2 The Controller is responsible for responding to data subjects. RavDev Technologies will provide the Controller with the technical capability to fulfill requests and will assist at the Controller's reasonable request.
6.3 RavDev Technologies shall promptly notify the Controller of any data subject request received directly from a data subject without responding to such request, unless legally required to do so.
7. Data Breach Notification
7.1 RavDev Technologies shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach.
7.2 Notification shall include, to the extent known: (a) nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the breach.
8. Audit Rights
8.1 RavDev Technologies shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections.
8.2 Audits shall be conducted at the Controller's expense, with reasonable advance notice (minimum 30 days), no more frequently than once per year, during business hours, and in a manner that minimizes disruption to operations.
8.3 Upon request, RavDev Technologies will provide relevant certifications (e.g., SOC 2 report) in lieu of or in addition to on-site audits.
9. International Transfers
9.1 For transfers of personal data from the EEA, UK, or Switzerland to the United States, the parties agree to the applicable EU Standard Contractual Clauses (Module 2: Controller to Processor), which are incorporated by reference.
9.2 RavDev Technologies shall ensure that any sub-processor receiving personal data from the EEA, UK, or Switzerland is subject to equivalent transfer safeguards.
10. Data Return and Deletion
10.1 Upon termination of the Agreement, RavDev Technologies shall, at the Controller's choice, return or delete all personal data in accordance with our Data Retention Policy.
10.2 RavDev Technologies shall delete personal data from production systems within 90 days and from backup systems within 120 days of termination.
10.3 Upon request, RavDev Technologies shall certify in writing the deletion of personal data.
11. Liability
The parties' liability under this DPA is subject to the limitations and exclusions set out in the Agreement.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, subject to any mandatory requirements of applicable data protection law.
13. Contact and Execution
To execute a legally binding DPA for your organization:
RavDev Technologies, LLC
Legal Department
Email: legal@ravdevtech.com
Subject: "DPA Request — [Your Organization Name]"
We will provide a countersigned DPA within 10 business days.