Skip to content
reveren
PricingManifestoGitHub
Legal

Data Processing Agreement

Last updated: May 2026 · Pre-launch

A Data Processing Agreement (DPA) governs the terms under which reveren processes personal data on a customer's behalf in the course of providing its service. This page explains where we are today, what a DPA with reveren will cover at launch, and how to request the current draft.

Where we are today

Pre-launch, the only personal data reveren handles is the email address you give us when you join the waitlist. The reveren CLI runs locally — your code, prompts, and model API keys do not flow through us. There is no hosted product yet, and we are not acting as a processor of your customers' data.

For teams evaluating reveren today, the privacy posture documented on the Privacy and Security pages is the binding picture of what we collect and how we protect it.

Requesting the draft DPA

A draft DPA suitable for negotiation is available on request. It tracks the current GDPR Article 28 requirements and is structured to slot into your vendor review process. Email hello@reveren.ai with your company name and use case, and we will send the latest version. We're a small team — expect a real human reply within a few business days, not a generic auto-response.

What the DPA will cover at launch

When the hosted dashboard launches, the executed DPA between your organisation and Reveren Pty Ltd will set out:

  • Roles. You as the controller, reveren as the processor of personal data we hold on your behalf in the dashboard.
  • Subject matter and duration. The processing is limited to operating your reveren workspace for the term of your subscription, plus a defined wind-down period after termination.
  • Categories of data. Account identifiers (name, email, OAuth identifier), repository identifiers, billing metadata, and audit-log entries. We do not process special category data.
  • Subprocessor list. The current list is maintained on this page; material additions are notified in advance with a right of objection consistent with Article 28(2).
  • Security measures. Mirroring the controls described on the Security page — encryption in transit and at rest, OAuth-based authentication, per-tenant isolation, audit logging.
  • International transfers. Standard Contractual Clauses (UK IDTA / EU SCCs) for transfers to subprocessors outside the originating jurisdiction, plus a Transfer Impact Assessment summary on request.
  • Data subject rights assistance.We'll assist you, by appropriate technical and organisational measures, in fulfilling access, rectification, erasure, portability, and restriction requests within statutory timelines.
  • Breach notification.We'll notify you without undue delay — and within 72 hours where feasible — of a personal data breach affecting your data, with the information you need to meet your own notification obligations.
  • Audits. A right to request annual SOC 2 Type II reports (once available) and to audit on reasonable notice subject to confidentiality and proportionality.
  • Return and deletion. On termination, we delete or return your data within 30 days, except where retention is required by law.

Subprocessors

The vendors we rely on, and what they do for us. This list is the authoritative reference for subprocessor notices — bookmark it.

  • Vercel Inc. (United States) — site and dashboard hosting, edge delivery, request logs.
  • Neon Inc. (United States) — managed Postgres (waitlist today; application data at launch).
  • Stripe, Inc. (United States, with Australian presence) — payment processing at launch.
  • GitHub, Inc. (United States) — OAuth provider and (at launch) GitHub App platform for repository integrations.
  • Google LLC (United States) — OAuth provider at launch.
  • Resend or equivalent — transactional email delivery (magic links, account email) at launch.

Note that model providers (Anthropic, OpenAI, GitHub Copilot, and others) are notreveren subprocessors when the CLI runs locally — your contract with those providers is direct, using your keys. They become relevant subprocessors only if a future hosted-execution feature ships and you opt in to it. We'll update this page before any such change.

Self-serve at launch

A signed DPA will be available as a self-serve download from the dashboard once Phase 1 ships, alongside the SOC 2 Type II report when it is complete. Until then, an email exchange with us is the path.

Contact

hello@reveren.ai for DPA requests and subprocessor questions. security@reveren.ai for security-specific concerns.

Reveren Pty Ltd (ACN to be assigned on incorporation), Australia.