Data Processing Agreement (DPA)
Effective: 2025-10-26
This DPA forms part of the Terms and Conditions between the Customer (controller) and Leveloper Kft. (processor) for the Revisit Service. Capitalized terms not defined here have the meanings in the Terms.
1. Roles and processing
- Controller: Customer
- Processor: Leveloper Kft. (2310 Szigetszentmiklós, Gerle utca 1., Hungary; Cg. 13-09-211486; EU VAT: HU29164341)
- Subject matter: Processing of Visitor/session data and account data as necessary to provide the Service.
- Duration: For the term of the Agreement and as described in the Terms.
- Nature and purpose: Hosting, storage, transmission, analysis, and related operations necessary to provide the Service.
- Types of personal data: As configured by Customer and described in the Privacy Policy (e.g., session identifiers, events for replay, device data, IP address, user-agent, account data).
- Categories of data subjects: Customer personnel (account users), Visitors of Customer websites where the Recorder is installed.
2. Processor obligations
- Process personal data only on documented instructions from Customer, including regarding transfers and optional AI features.
- Ensure personnel are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Assist Customer in fulfilling data subjects’ rights and GDPR Articles 32–36 obligations.
- Delete or return personal data at end of services; delete copies unless law requires storage.
- Provide information to demonstrate Article 28 compliance and allow audits with reasonable notice and confidentiality.
3. Subprocessors
Customer authorizes use of subprocessors necessary for the Service. We impose equivalent data protection obligations on subprocessors and notify Customer of material changes as required by law or contract.
A complete list of current subprocessors, including their purposes, data locations, and safeguards, is available on our Subprocessor List page. We will notify customers of material changes to this list at least 30 days in advance as required by GDPR Article 28(2).
4. International transfers
Processing occurs in the EU (Hungary). If optional features involve third-country transfers (e.g., AI analysis), appropriate safeguards (e.g., SCCs) will be implemented, or such features must remain disabled for EEA data until those safeguards are in place.
5. Security measures (summary)
- Transport: TLS/HSTS; strong cipher suites
- Authentication: HttpOnly cookies; MFA; session device revocation
- Data at rest: bcrypt for passwords; AES‑256‑GCM for integration tokens
- App security: CSRF (double‑submit); rate limiting; audit logging; IP minimization controls
- Infrastructure: Segmented services; backups; monitoring and alerting
6. Personal data breaches
We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and provide information reasonably available to assist with notifications.
7. Liability and indemnity
Liability is governed by the limitations and exclusions set out in the Terms. Nothing herein limits liability that cannot be limited under applicable law.
8. Conflict
In the event of a conflict between this DPA and the Terms, this DPA prevails with respect to GDPR processing.
For a countersigned copy, contact: info@leveloper.io