Data Processing Addendum — Ravenite
← Back to Ravenite Ravenite
LEGAL // DATA PROCESSING ADDENDUM

Data Processing Addendum

Effective date: July 6, 2026 · Last updated: July 6, 2026

This Data Processing Addendum ("DPA") forms part of, and is subject to, the Terms & Conditions between the Customer and Sell Me This Pen Inc., doing business as Ravenite. It governs how Ravenite handles candidate personal data on the Customer's behalf, and addresses Québec Law 25, PIPEDA, the GDPR, and the CCPA/CPRA. The Customer's name and its acceptance or signature of this DPA are captured at contracting.

CONTENTS
1 · Parties & roles 2 · Definitions 3 · Details of processing (Annex A) 4 · Processor obligations 5 · Sub-processors (Annex C) 6 · International & cross-border transfers 7 · Confidentiality incidents & breach notification 8 · CCPA service-provider terms 9 · Audit & compliance 10 · Security measures (Annex B) 11 · Liability, precedence & governing law 12 · Annex D: Standard Contractual Clauses

1 · Parties & roles

For personal data processed on the Customer's behalf to deliver a search, the Customer is the controller (GDPR) / business (CCPA) and Ravenite is the processor / service provider. Ravenite processes such data only to provide the service described in the Terms.

2 · Definitions

"Personal Data" / "Personal Information", "Processing", "Data Subject", "Controller", "Processor", "Business", "Service Provider", "Sub-processor", and "Standard Contractual Clauses" ("SCCs") have the meanings given in the GDPR, Québec Law 25, PIPEDA, and the CCPA, as applicable. "Confidentiality Incident" has the meaning given in Québec Law 25 and includes a personal data breach under the GDPR. Capitalized terms not defined here have the meanings in the Terms.

3 · Details of processing (Annex A)

  • Subject matter: research and sourcing support for executive search mandates run by the Customer.
  • Duration: the term of the Customer's agreement, plus any wind-down period needed for return or deletion.
  • Nature and purpose: surfacing, organizing, and summarizing professional information against criteria the Customer defines, for human review.
  • Types of personal data: business-context professional data — name, professional title, current and past employers, work history, professional contact details. No special- category or sensitive data is intentionally processed.
  • Categories of data subjects: candidates surfaced for a search run by the Customer.

4 · Processor obligations

Ravenite will: (a) process personal data only on the Customer's documented instructions, including with regard to transfers; (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement appropriate technical and organizational security measures (Annex B, section 10); (d) assist the Customer, taking into account the nature of the processing, with data-subject requests, breach notification, and privacy or data-protection impact assessments; and (e) at the end of the engagement, delete or return the personal data at the Customer's choice, unless retention is required by law.

5 · Sub-processors (Annex C)

The Customer authorizes Ravenite to engage sub-processors under written terms imposing obligations equivalent to this DPA. Ravenite maintains and discloses a current sub-processor list — covering cloud hosting and infrastructure and licensed professional-data provider categories — and will give the Customer notice of intended changes with a right to object on reasonable grounds.

6 · International & cross-border transfers

For transfers subject to the GDPR, the parties rely on Standard Contractual Clauses or other appropriate safeguards (Annex D, section 12). For personal information communicated outside Québec, Ravenite conducts the privacy impact assessment Québec Law 25 requires before the transfer and ensures the information receives adequate protection.

7 · Confidentiality incidents & breach notification

Ravenite will notify the Customer without undue delay after becoming aware of a Confidentiality Incident affecting personal data processed under this DPA, and will provide the information reasonably needed for the Customer to meet its own obligations — including GDPR notification within 72 hours and Québec Law 25 notification to the Commission d'accès à l'information and to affected individuals where the incident presents a risk of serious injury. Ravenite maintains an incident register.

8 · CCPA service-provider terms

Where the CCPA applies, Ravenite acts as a service provider: it will not sell or share personal information received under this DPA, and will not retain, use, or disclose it for any purpose other than performing the services, or as otherwise permitted by the CCPA. Ravenite certifies that it understands and will comply with these restrictions.

9 · Audit & compliance

Ravenite will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to reasonable audits conducted by the Customer or its mandated auditor, on reasonable notice and subject to confidentiality.

10 · Security measures (Annex B)

  • Encryption of personal data in transit and at rest.
  • Role-based access controls and the principle of least privilege.
  • Logging and monitoring of access to production systems.
  • Vendor due diligence before engaging sub-processors.
  • Personnel confidentiality commitments and security awareness.

11 · Liability, precedence & governing law

Liability under this DPA is subject to the limitations and exclusions in the Terms. If this DPA conflicts with the Terms on the subject of personal data processing, this DPA prevails to the extent of the conflict. This DPA is governed by the laws of the Province of Québec, Canada.

12 · Annex D: Standard Contractual Clauses

Where a restricted transfer requires them, the applicable module of the European Commission's Standard Contractual Clauses (and the UK Addendum, where relevant) is incorporated into this DPA by reference, completed with the details of processing in Annex A, the security measures in Annex B, and the sub-processor list in Annex C.

Ravenite
Home Team Integrations Terms Privacy DPA
© 2026 Ravenite