Terms and Conditions
REVERSA — DISRUPTIVE LABS, S.L.
Version: 1 | Effective date: 10/4/2026
1. Purpose and Parties
This document (the “Terms”), together with the relevant Purchase Order and the Annexes forming an integral part thereof, governs the conditions under which Reversa provides services to the Customer. In the event of any conflict between these Terms and the Purchase Order, the provisions of the Purchase Order shall prevail. The Annexes form an integral part of these Terms and shall have the same binding force.
Reversa: DISRUPTIVE LABS, S.L., Tax Identification Number B21866249, registered office at Calle Valle de la Fuenfría 10, P1, 6ºC, 28034 Madrid.
Customer: the entity identified in the relevant Purchase Order.
2. Description of the Service and Nature of the Outputs
2.1 Description
Reversa shall design, configure and validate, together with the Client, a customised regulatory intelligence solution in SaaS mode (the “Platform”), which simplifies the workflows of the areas identified and agreed in the Purchase Order, including configuration tailored to the Client’s operational context and ongoing support throughout the term of the contract.
The aim of the service is to enable the Client to: (i) reduce the time spent identifying and analysing relevant regulatory changes; (ii) centralise regulatory information in a single source of truth; and (iii) generate actionable outputs that streamline decision-making and internal coordination.
2.2 Nature of the outputs: information, not legal advice
The outputs, analyses, alerts and summaries generated by the Platform —including those produced wholly or partly by means of artificial intelligence models, natural language processing algorithms or other automated techniques— are for information and guidance purposes only. They do not constitute legal, regulatory, tax or any other form of professional advice, nor do they in any way replace the judgement of a qualified professional. The Customer expressly acknowledges and agrees that: (a) artificial intelligence models may generate results that are inaccurate, incomplete, out of date or contain errors (commonly referred to as ‘hallucinations’); (b) the Platform does not guarantee the correctness, accuracy, completeness or suitability of the outputs for a specific purpose; and (c) ultimate responsibility for any decision taken on the basis of the outputs lies exclusively with the Customer.
The Platform is a tool designed to support the regulatory analysis and identification process. Its coverage is based on monitored official sources (the Official State Gazette, regional bulletins, European institutions, amongst others), but may not be exhaustive nor capture all relevant sources for each specific situation. Reversa will use commercially reasonable efforts to keep the monitored sources up to date, without this constituting any guarantee of exhaustiveness.
The Customer is solely responsible for any decisions made on the basis of the Platform’s outputs and for verifying, with such advisers as they deem appropriate, the information provided by the Platform.
3. Access, Users and the Client’s Obligations
3.1 Access and credentials
Access to the Platform shall be via credentials. The Customer shall be responsible for the use of their credentials and for ensuring that their users comply with these Terms.
3.2 Prohibited Uses
The Customer may not: (i) resell, redistribute or sub-license the Service to third parties; (ii) reverse engineer, decompile, disassemble or attempt to extract the source code, prompts, underlying models or any technological component of the Service; (iii) interfere with the security, integrity or availability of the Service, or take any action that impairs or may impair the performance or proper functioning of the Platform; (iv) use the Service in a manner contrary to applicable law or the rights of third parties; (v) use robots, web crawlers, web scrapers or other automated means or processes to access, collect data or otherwise interact with the Platform; (vi) circumvent, disable or attempt to bypass any technological protection measures implemented by Reversa or its suppliers; (vii) use the Service to develop, train or exploit products or services in competition with the Platform; or (viii) make any unauthorised use of Reversa’s content, trademarks, technology or intellectual property.
Reversa assumes no obligation to monitor the Customer’s or its users’ access to or use of the Platform, nor to review or modify any content uploaded by them, but reserves the right to do so for the purpose of: (i) operating, protecting, analysing and improving the Platform; (ii) verify compliance with these Terms; (iii) comply with applicable legislation or respond to a judicial or administrative order or request; or (iv) prevent or mitigate security or fraud risks.
The Customer undertakes to indemnify and hold harmless Reversa, its partners, directors, employees, collaborators and agents against any damages, losses, costs, expenses (including reasonable legal fees) or third-party claims arising directly or indirectly from the use or misuse of the Platform by the Customer or its users, from a breach of these Terms or from the infringement of third-party rights.
4. Price, Changes to Scope and Invoicing
The applicable price is that stated in the Purchase Order.
If the Customer requests changes to the scope of work (new modules, additional sources, additional agents or relevant configurations), the Parties shall negotiate in good faith to agree on a price adjustment, which shall be proportional to the reasonable increase in costs and/or value delivered. Changes to the scope of work shall be formalised in writing by means of a new Purchase Order or an addendum.
Prices do not include VAT or other applicable taxes.
5. Intellectual Property and Data
5.1 Reversa’s Ownership
Reversa retains exclusive ownership and all intellectual and industrial property rights over the Platform, its artificial intelligence models, prompts, algorithms, methodologies, interfaces, know-how, technical documentation and any improvements, updates or derivative developments. Nothing in these Terms constitutes an assignment, licence or transfer of such rights to the Customer, except for the limited, non-exclusive, non-transferable and revocable right of use granted for the duration of the contract to access and use the Platform in accordance with the provisions of the Purchase Order.
5.2 Client Ownership
The Customer retains ownership of their data and content uploaded or generated through the Service, to the extent that such data and content are their property.
5.3 Use of data to improve the service — Distinction between confidential data and reusable data
Documents, enquiries, outputs and any information that the Customer or its users enter or generate on the Platform in the course of their professional activities, and which are directly linked to their specific operational context, are considered to be the Customer’s confidential interaction data. Such data is the exclusive property of the Customer. Reversa shall process it solely in its capacity as a data processor, on behalf of and for the account of the Customer, subject to the Data Processing Agreement set out as Annex I to these Terms and to the Customer’s documented instructions.
Reversa may process technical and usage data that has undergone an irreversible anonymisation process — such as performance data, system logs, aggregated usage metrics (response times, aggregated query types, technical errors) — in such a way that it does not allow the identification of the Customer or its users, for the purpose of operating, maintaining and improving the Service.
By signing the Purchase Order, the Customer expressly authorises Reversa to use duly anonymised interactions and content for the improvement and training of its artificial intelligence models and agents, provided that an effective anonymisation process has been applied that prevents the identification of the Customer or its users. Such authorisation constitutes explicit, specific and informed consent for the purposes of Article 6(1)(a) of the GDPR. The Customer may revoke this authorisation at any time by written notice to Reversa, without such revocation affecting the lawfulness of the processing carried out previously or the provision of the main Service. The revocation shall take effect within a maximum of thirty (30) calendar days from its receipt by Reversa.
6. Confidentiality
Each Party shall keep strictly confidential all non-public information of the other Party to which it has access in connection with the contract (“Confidential Information”) and shall not disclose it to third parties except: (i) where necessary for the performance of the contract, to persons subject to equivalent confidentiality obligations; (ii) where required by law or by a competent authority, in which case the Party obliged shall inform the other Party in advance, unless prohibited by law; or (iii) where the prior written consent of the Party holding such information has been obtained. This obligation shall remain in force for the duration of the contract and for five (5) years following its termination for any reason.
The following shall be considered the Customer’s confidential information, including but not limited to: its operational data, compliance strategy, organisational structure, internal documentation and any specific output from the Platform directly linked to its activity.
Reversa’s confidential information shall include, but is not limited to: its prompts, artificial intelligence agent architecture, processing models and methodologies, pricing structure, product roadmap and any technical information relating to the internal functioning of the Platform.
7. Limitation of Liability and Nature of the Service
Except in cases of wilful misconduct or liability that cannot be limited or excluded by mandatory law, Reversa’s total aggregate liability to the Customer for any claims arising out of or in connection with the contract — whether of a contractual, non-contractual or any other nature — shall not exceed, in any event, the amount actually paid by the Customer to Reversa in the twelve (12) months immediately preceding the event giving rise to the claim. Under no circumstances shall Reversa be liable to the Customer for indirect, incidental, special or consequential damages, including, without limitation, loss of profit, loss of data, loss of business opportunities, reputational damage or business interruption, regardless of whether Reversa had been advised of the possibility of such damages.
The Platform is provided “as is” and “as available”, without warranty of any kind, whether express, implied or statutory, including, without limitation, the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, non-infringement of third-party rights or freedom from errors. Reversa does not guarantee that the Platform is free from errors, interruptions, viruses, malware or other harmful components, nor that it will operate continuously, without interruption or securely. The Platform facilitates access to and analysis of regulatory information from public sources using artificial intelligence techniques. Reversa does not guarantee: (i) the completeness, accuracy or real-time updating of information obtained from external sources; (ii) that the outputs — including those generated by artificial intelligence models — are correct, complete, up to date or suitable for a specific decision by the Customer; nor (iii) any result arising from the use of the Platform. Reversa’s liability as a provider of information society services is governed by the general rules of civil, criminal and administrative liability, subject to the limits set out in Law 34/2002 of 11 July on information society services and electronic commerce (LSSI-CE), and applicable regulations.
The Customer expressly acknowledges and agrees that the Platform’s outputs constitute an informative starting point subject to independent professional verification, that no output constitutes legal advice, and that use of the Platform is at the Customer’s sole risk.
The Customer acknowledges and agrees that access to the Platform is subject to interruptions and may not be available at all times, depending, among other factors, on scheduled or unscheduled maintenance, updates, internet connectivity issues, infrastructure provider failures, or other circumstances beyond Reversa’s reasonable control. Reversa may restrict the availability of the Platform or certain areas or features where necessary for reasons of capacity, security or the integrity of its servers, or to carry out maintenance measures to ensure the proper or improved functioning of the Service. Reversa shall not be liable for any unavailability caused by circumstances beyond its reasonable control, including, without limitation, cases of force majeure.
8. Term, Renewal and Termination
The contract shall come into force on the start date indicated in the Purchase Order and shall have the duration set out therein. Either Party may terminate the contract for material breach by the other Party if such breach is not remedied within thirty (30) calendar days of receipt of a written notice to that effect. Furthermore, misuse of the Platform or a breach of these Terms may result, at Reversa’s sole discretion, in the immediate suspension of the access privileges of the Customer and its users, without the need for prior notice and without prejudice to any other legal or contractual actions to which Reversa may be entitled, including termination of the contract.
At the end of the pilot period, the Parties must confirm in writing (via valid email) whether they wish to continue the service on an annual basis.
Upon termination of the contract for any reason, the Customer shall cease to have access to the Service. Reversa may delete the Customer’s data in accordance with its retention policies, unless there is a legal obligation to retain it. In particular, personal data shall be retained for the limitation periods required by current legislation and, where deletion is appropriate, shall be blocked in accordance with Article 32 of the LOPDGDD, being reserved exclusively for disclosure to judges, the public prosecutor’s office or competent authorities. The obligations regarding confidentiality, limitation of liability and intellectual property shall survive the termination of the contract.
9. Data Protection
The processing of personal data in the context of the provision of the Service is governed by Reversa’s Privacy Policy, available on the Platform, and by the Data Processing Agreement set out as Annex I to these Terms (the “DPA”). The DPA forms an integral part of these Terms and governs the conditions under which Reversa, acting as a data processor, will process the Customer’s personal data. In the event of any conflict between these Terms and the DPA regarding data protection, the provisions of the DPA shall prevail. Both Parties undertake to comply at all times with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), and any other applicable data protection regulations.
10. Amendments to the Terms
Reversa may amend these Terms with a minimum of thirty (30) calendar days’ notice. The amendments shall be notified to the Customer by email or via the Platform. If the Customer does not communicate their rejection in writing within the notice period, they shall be deemed to have accepted the updated version. In the event of rejection, the Customer may terminate the contract without penalty up to the date on which the amendment comes into force, without prejudice to any obligations accrued prior to that date.
11. Governing Law and Jurisdiction
These Terms and any disputes or claims arising out of or in connection with them, their subject matter or their formation (including disputes or claims of a non-contractual nature) shall be governed by and construed in accordance with Spanish law. The Parties expressly submit to the exclusive jurisdiction of the Courts and Tribunals of the city of Madrid, expressly waiving any other jurisdiction to which they might be entitled.
12. Miscellaneous
These Terms, together with the Purchase Order and the Annexes, constitute the entire agreement between the Parties in relation to the subject matter of the contract and supersede any prior agreements, negotiations or communications, whether oral or written. The invalidity or unenforceability of any clause in these Terms shall not affect the validity or enforceability of the remaining provisions, which shall remain in full force and effect. The failure to exercise, or any delay in exercising, any right by either Party shall not constitute a waiver of that right nor shall it preclude its future exercise. Communications relevant to the contract shall be made in writing; for these purposes, email shall have the same legal effect as a written document for all contractual purposes. Neither Party may assign or transfer the rights or obligations arising from these Terms without the prior written consent of the other Party.
Annex I — Personal Data Processing Agreement
This Data Processing Agreement (hereinafter the “DPA”) supplements Reversa’s Terms and Conditions of Service (the “Terms”) and Reversa’s Privacy Policy, as updated from time to time, and forms an integral part thereof. The DPA is entered into between the Customer identified in the relevant Purchase Order (the “Data Controller” or “Customer”) and DISRUPTIVE LABS, S.L. (“Reversa” or the “Data Processor”). In the event of any conflict between this DPA and the Terms or the Privacy Policy regarding the protection of personal data, the provisions of this DPA shall prevail.
1. Definitions and Interpretation
1.1 The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (including its derived forms “Process” and “Processed”) shall have the meaning attributed to them by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “GDPR”), or, where applicable, the meaning of essentially equivalent terms in other applicable data protection legislation.
1.2 “Data Protection Legislation” means all applicable legislation relating to the Processing, privacy and use of Personal Data, including: (i) the GDPR; (ii) Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD); (iii) any laws that implement, replace, extend, recast or amend the foregoing; (iv) any relevant national laws or regulations; and (v) the guidelines, codes of conduct or certification mechanisms issued by the competent supervisory authorities in relation to such laws.
1.3 “Customer Personal Data” means the Personal Data provided or made available to Reversa by the Customer (or collected or generated on the Customer’s behalf) in connection with the provision of the Service.
1.4 Capitalised terms not defined in this DPA shall have the meaning attributed to them in the Terms, the Purchase Order or the Privacy Policy, as applicable.
1.5 References to legal provisions include their implementing regulations and shall be understood to refer to such provisions in their version in force at any given time.
2. Processing of the Customer’s Personal Data
2.1 For the purposes of this DPA, the Customer acts as the Data Controller and Reversa acts as the Data Processor in respect of the Customer’s Personal Data described in Appendix 1, unless expressly stated otherwise. Reversa shall process the Customer’s Personal Data solely: (a) in accordance with the provisions of this DPA, the Terms and the Purchase Order; (b) where required by a legal obligation applicable to Reversa, in which case Reversa shall inform the Customer of such legal obligation prior to processing, unless prohibited by law; or (c) in accordance with the Customer’s documented instructions. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are described in Appendix 1. Special categories of Personal Data shall not be processed without the Customer’s prior written authorisation.
2.2 The Parties acknowledge that, in addition to processing Personal Data as a Data Processor on behalf of the Customer, Reversa may process certain Personal Data as an independent Data Controller for the following limited purposes: (i) management and administration of the Customer’s account; (ii) invoicing and payment processing; (iii) compliance with legal and regulatory obligations applicable to Reversa; and (iv) internal service administration and security. Such Processing shall be carried out in accordance with Reversa’s Privacy Policy and the applicable Data Protection Legislation, and falls outside the scope of this DPA.
2.3 Reversa shall process the Customer’s Personal Data exclusively in accordance with this DPA and to the extent necessary for the provision of the Service.
2.4 Reversa undertakes to: (i) comply with the applicable Data Protection Legislation in all Processing of the Customer’s Personal Data; (ii) cooperate with and assist the Customer in carrying out data protection impact assessments and in consultations with the competent supervisory authorities, as well as in responding to requests, investigations or enquiries from such authorities; (iii) ensure that its policies, measures and procedures comply with the Data Protection Legislation and that it has the necessary legal bases, consents and information notices for the lawful Processing and, where applicable, the disclosure of the Customer’s Personal Data to third-party recipients during the term and for the purposes of this DPA; and (iv) Process the Customer’s Personal Data solely in accordance with the terms set out in clause 2.1 above. Reversa will periodically review its privacy notices and policies and keep them up to date.
2.5 The Customer undertakes to: (i) ensure that the processing carried out under this DPA and the associated disclosure of Personal Data are carried out in strict compliance with the applicable Data Protection Legislation; (ii) provide Reversa with the Customer’s Personal Data necessary for the provision of the Service; (iii) ensure, prior to and during the Processing, that Reversa complies with the Data Protection Legislation; (iv) supervise the Processing, including carrying out inspections and audits in accordance with the provisions of this DPA; (v) reciprocally comply with the obligations set out in this DPA insofar as they are applicable to the Customer; and (vi) any other obligations arising from current and applicable legislation.
3. Reversa Staff
3.1 Reversa shall ensure that all personnel authorised to Process the Customer’s Personal Data are subject to appropriate contractual or legal confidentiality obligations and shall Process such Personal Data only to the extent necessary for the provision of the Service.
3.2 Reversa shall cease Processing the Customer’s Personal Data when it is no longer necessary for the provision of the Service, unless retention is required by applicable legislation. Upon termination or expiry of the contract, and at the Customer’s discretion, Reversa shall delete or return the Customer’s Personal Data within a maximum period of thirty (30) calendar days from receipt of the Customer’s written request. Where deletion is appropriate, Reversa shall take reasonable measures to securely delete such Personal Data, including backups, in accordance with its retention practices. In any event, the deletion or return of the Customer’s Personal Data shall be subject to Reversa’s compliance with the legal retention obligations applicable to it. Personal Data retained pursuant to such legal obligations shall remain subject to the safeguards of this DPA and shall be blocked in accordance with Article 32 of the LOPDGDD.
4. Security
4.1 The Parties declare that they have implemented and will maintain the appropriate technical and organisational measures to protect the Customer’s Personal Data against Personal Data Security Breaches, which shall at all times meet, as a minimum, the standards required by the Data Protection Legislation.
4.2 Reversa shall ensure that it has in place the appropriate technical and organisational security measures, as described in Appendix 2, to protect the Customer’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage, commensurate with the potential harm that could result from such unauthorised or unlawful processing or from accidental loss, destruction or damage, and the nature of the data to be protected, taking into account the state of the art and the cost of implementing the measures, ensuring that the availability of and access to Personal Data can be restored in a timely manner following an incident, and periodically evaluating and assessing the effectiveness of the technical and organisational measures adopted.
5. Notifications and Personal Data Security Breaches
5.1 If Reversa receives any complaint, request or enquiry regarding the Processing of the Customer’s Personal Data (in particular, those relating to the exercise of Data Subjects’ rights under the applicable Data Protection Legislation), Reversa shall forward it to the Customer without undue delay and shall cooperate with and assist the Customer in addressing it in accordance with the Customer’s instructions.
5.2 If Reversa becomes aware of any Personal Data Breach, it shall notify the Customer without undue delay and, in any event, within a maximum of thirty-six (36) hours, investigate the breach, take the necessary measures to remedy or mitigate the damage and prevent its recurrence (providing the Customer with detailed information throughout the process), and cooperate with the Customer in notifying the competent supervisory authorities or the Data Subjects concerned, where appropriate.
5.3 Reversa, taking into account the nature of the Processing, shall assist the Customer through appropriate technical and organisational measures, to the extent possible, in fulfilling its obligation to respond to requests for the exercise of Data Subjects’ rights in accordance with the applicable Data Protection Legislation, including the rights of access, rectification, erasure, restriction of processing, data portability and objection. Reversa shall notify the Customer of any such request without undue delay and, in any event, within a maximum of five (5) working days of receipt, and shall provide reasonable cooperation to enable the Customer to respond within the time limits required by the applicable Data Protection Legislation.
6. Sub-processors
6.1 The Customer grants Reversa general authorisation to engage sub-processors to process the Customer’s Personal Data in connection with the provision of the Service.
6.2 Reversa shall ensure that all sub-processors are bound by written obligations offering, at a minimum, the same level of protection for the Customer’s Personal Data as that established in this DPA.
6.3 Reversa shall remain fully liable to the Customer for the compliance of any sub-processor with its obligations and for any acts or omissions of such sub-processor in relation to the processing of the Customer’s Personal Data, as if they were its own, in accordance with the terms of this DPA and the Terms.
6.4 Reversa shall inform the Customer of any planned addition or replacement of sub-processors in good time, giving the Customer the opportunity to raise objections based on reasonable data protection grounds within fourteen (14) calendar days of such notification. If the Customer raises a reasonable objection and Reversa is unable to accommodate it in a reasonable manner, either Party may terminate the affected Services in accordance with the Terms.
6.5 The updated list of authorised sub-processors is set out in Appendix 3 to this DPA.
7. International Data Transfers
7.1 Reversa (or any sub-processor) shall only transfer the Customer’s Personal Data to a country outside the European Economic Area (EEA) or to an international organisation where such transfer is subject to appropriate safeguards and complies with the applicable Data Protection Legislation.
7.2 Where such transfers take place, Reversa will implement appropriate safeguards, including the use of standard contractual clauses adopted by the European Commission (including Commission Implementing Decision (EU) 2021/914), binding corporate rules or other valid transfer mechanisms in accordance with the applicable Data Protection Legislation. To ensure the optimal provision of the Service, Reversa or its sub-processors may store the Customer’s Personal Data on servers located outside the EEA, in which case the aforementioned safeguards shall apply in a manner appropriate to Reversa’s position as a Data Processor.
8. Records and Audits
8.1 Reversa shall maintain complete and accurate records and the information necessary to demonstrate compliance with this DPA, making them available to the Customer immediately upon request. Reversa shall provide the Customer with all information reasonably necessary to demonstrate compliance with this DPA and the applicable Data Protection Legislation, and shall permit and assist with audits conducted by the Customer or by an independent auditor appointed by the Customer, subject to reasonable notice and confidentiality obligations.
8.2 Reversa may fulfil the obligations set out in the preceding clause by providing relevant independent certifications, reports or assessments.
9. Term and Termination
9.1 This DPA shall enter into force on the date of signing of the Purchase Order and shall remain in force for as long as Reversa processes the Customer’s Personal Data in connection with the provision of the Service, including the legally required retention periods following the termination of the contract.
9.2 The confidentiality obligations set out in clause 10 of this DPA shall survive the termination or expiry of this DPA and shall remain in force indefinitely.
10. Confidentiality
The Parties shall not disclose, without the prior written consent of the other Party, any information disclosed or made available, in any form or medium, directly or indirectly, before or after the date of this DPA, in relation to the Processing, as well as information relating to services, financial plans, intellectual and industrial property rights, customers, suppliers, employees, plans, know-how, designs, trade secrets, technical information or software, any other information that either Party wishes to protect from unrestricted disclosure and which is marked as confidential or proprietary or which, by its nature, is clearly confidential, as well as any findings, data or analyses derived from such information, unless its disclosure is required in judicial or administrative proceedings or by law. In such a case, the Party required to disclose shall inform the other Party in advance so that the latter may take the necessary legal measures to ensure the protection of the information within the scope of the mandatory disclosure.
11. Indemnity
11.1 Each Party shall indemnify and hold harmless the other Party against any direct losses, damages, costs and expenses (including reasonable legal fees) arising from a material breach by the indemnifying Party of its obligations under this DPA or the applicable Data Protection Legislation, subject to the following conditions: (i) the indemnifying Party’s liability shall be limited to losses directly attributable to its own acts or omissions; (ii) neither Party shall be liable to the other for indirect, incidental, special or consequential damages, including loss of profits, loss of revenue or loss of business opportunities, whatever the cause; and (iii) the indemnifying Party shall not be liable for any breach caused exclusively by the acts or omissions of a sub-processor, except to the extent that the indemnifying Party has breached its obligations under Clause 6 of this DPA in relation to such sub-processor.
11.2 Notwithstanding the foregoing, in the event that Reversa, in its capacity as Data Processor, breaches the provisions of this DPA as a direct result of acts, omissions or instructions from the Customer, the Customer shall assume liability for the resulting breach and shall indemnify Reversa against any direct losses, damages, costs and expenses arising therefrom, including any claims by Data Subjects or penalties imposed by the competent supervisory authorities attributable to such acts, omissions or instructions.
12. Governing Law and Jurisdiction
This DPA and any disputes or claims arising out of or in connection with it, its subject matter or its formation (including disputes or claims of a non-contractual nature) shall be governed by and construed in accordance with Spanish law. The Parties expressly submit to the exclusive jurisdiction of the Courts and Tribunals of the city of Madrid, expressly waiving any other jurisdiction to which they might otherwise be entitled.
13. Communications
13.1 All communications and notifications made pursuant to this DPA must be in writing and shall be delivered in person, by post or by email to the address or email address indicated in the Purchase Order or to any other address notified by the Parties from time to time.
13.2 For any enquiries regarding the processing of personal data under this DPA, the Customer may contact Reversa via the email address tomas@reversa.ai or any other contact details provided by Reversa from time to time.
Appendix 1 — Information on the Processing
1. Nature and Purpose of Processing
The processing of the Customer’s Personal Data is carried out for the purpose of providing the Service offered by Reversa via the Platform, including, without limitation: (a) provision, configuration and support of the regulatory intelligence Platform in SaaS mode, as specified in the Terms and the relevant Order Form; (b) communication with the Customer and its users; (c) management of user accounts, invoicing and payment processing; (d) technical operations, including hosting, storage, backups and system monitoring; (e) security logging, access control, abuse prevention and error debugging; and (f) record-keeping for the fulfilment of legal, accounting, tax or regulatory obligations. Where necessary, Personal Data may also be Processed for the fulfilment of legal obligations or for the exercise or defence of legal claims.
2. Duration of Processing
The Customer’s Personal Data will be Processed for the duration of the contract between the Parties and: (a) for as long as is necessary for the specific purpose for which they were collected; (b) for the periods required by applicable law (for example, accounting or tax retention obligations); and (c) upon termination of the contract, the data shall be returned or deleted in accordance with clause 3.2 of this DPA, unless applicable law requires its retention.
3. Personal Data Subject to Processing
Reversa may process the following categories of the Customer’s Personal Data in the course of providing the Service:
| Category | Examples |
|---|---|
| Identifying data | Full name, user ID |
| Contact details | Email address |
| Usage data | IP address, access logs, browser |
| Billing details | Company registration number, company name and registered address |
No special categories of personal data will be processed.
4. Categories of Data Subjects
The group of Data Subjects affected by the processing of their Personal Data comprises users of the Platform, the Customer’s representatives, employees and collaborators, and service providers. In the event that the Customer is not the Data Subject affected by the processing, the Customer guarantees that it has obtained all necessary consents and authorisations from the Data Subjects and/or, where applicable, has informed them of the processing of their Personal Data by Reversa.
Appendix 2 — Technical and Organisational Measures (TOM)
Reversa implements the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described below.
1. Organisational measures
Responsibilities regarding information security and data protection are defined and reviewed periodically. Access to systems is restricted to authorised personnel based on their role and need (principle of least privilege). Staff with access to Personal Data are subject to confidentiality obligations. Internal training is provided on security and privacy awareness. Incident management and response procedures are in place. Suppliers and infrastructure providers are assessed from a security and data protection perspective. Regular risk assessments are carried out. Measures are reviewed and updated to reflect changes in risk, technology and regulatory requirements. The principles of data protection by design and by default are applied. There is a process for managing and reporting Personal Data Security Breaches.
2. Technical measures
Personal data in transit is encrypted using secure protocols (e.g. HTTPS/TLS). Access to the infrastructure is protected by authentication controls and activity logging. Systems are subject to regular updates, patching and vulnerability management. Monitoring and logging mechanisms are in place to detect and respond to security incidents. Backup and recovery procedures are in place to ensure availability and resilience. Changes to production systems follow defined change management processes. Production and non-production environments are segregated.
3. Sub-processors and infrastructure measures
Reversa relies on established infrastructure providers and data processors who implement appropriate security measures, including: physical security of data centres, network and infrastructure protection, redundancy, availability and resilience controls, and independent certifications and audits (e.g. ISO 27001, SOC reports). Reversa engages these providers under appropriate contractual and data protection terms and periodically reviews their security commitments.
4. Shared responsibility
Where the Service is integrated into environments controlled by the Customer, the Customer shall be responsible for: the security of its systems, infrastructure and hosting environment; the management of user access, authentication and roles; the application of updates and patches; and the management of data retention and deletion.
5. Data Minimisation
Reversa processes only the Personal Data necessary for the provision of the Service, such as content uploaded to the Platform for processing, licence information and operational metadata. Reversa does not use the Customer’s content to train artificial intelligence models without the Customer’s express authorisation in accordance with clause 5.3 of the Terms, and does not retain such content beyond what is necessary for the provision of the Service.
Appendix 3 — Sub-processors
In accordance with this DPA, the currently authorised sub-processors and/or transfers of the Customer’s Personal Data are set out in the table below.
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services EMEA | Cloud infrastructure and storage | EU |
| Render Services, Inc. | Application hosting | EU |
| MongoDB, Inc. | Database | EU |
| AI model providers* | Natural language processing | EU |
| Twilio Inc. (SendGrid) | Transactional emails | EU |
*Reversa uses artificial intelligence models from market-leading providers (Gemini, Antrophic, Grok and OpenAI) within a closed system.