Template document. This DPA is a template for customers deploying Reva. Fields marked with [Customer Name] must be completed before signing. The downloadable Markdown version includes signature blocks.
Contracting Parties
[Postal code, City]
Represented by: [Name, Title]
[Postal code, City]
Represented by: [Name, Managing Director]
- Preamble
- Subject and Duration
- Nature and Purpose of Processing
- Types of Personal Data
- Categories of Data Subjects
- Obligations of the Processor
- Sub-processors
- Technical and Organizational Measures
- Data Subject Rights
- Data Breach Notification
- Audit Rights
- Deletion and Return
- Appendix 1: Technical and Organizational Measures
Preamble
The Controller uses the software Reva, an AI-powered release management assistant for Microsoft Teams, developed by the Processor and deployed on-premise on the Controller’s infrastructure. In the course of this use, the Processor processes personal data on behalf of the Controller. This agreement governs the rights and obligations of the Parties pursuant to Art. 28 GDPR.
§ 1 Subject and Duration
(1) The subject of this agreement is the processing of personal data by the Processor in the course of providing, maintaining, and supporting the Reva software.
(2) The duration of processing corresponds to the term of the underlying license or service agreement between the Parties. The agreement begins on ________________ and runs for an indefinite period until terminated by either Party in accordance with the provisions of the main agreement.
(3) Processing takes place exclusively on the Controller’s infrastructure (on-premise operation). The Processor only gains access to personal data in the context of support and maintenance services and with the express authorization of the Controller.
§ 2 Nature and Purpose of Processing
(1) Processing encompasses the following activities:
- Conversation processing: Receiving, processing, and responding to user queries via Microsoft Teams using local AI inference (Ollama/LLM on the Controller’s infrastructure).
- Release management: Querying and displaying release information from Digital.ai Release via the Model Context Protocol (MCP).
- Jira integration: Querying and displaying Jira issue data via MCP.
- Memory function: Optional cross-session storage of user memories using PostgreSQL and pgvector embeddings.
- Notifications: Managing notification subscriptions for release and Jira events.
- Logging: Anonymized activity logging for system monitoring and error diagnostics.
(2) The purpose of processing is to provide natural language access to release and issue management functions for the Controller’s employees.
(3) AI inference is performed exclusively on the Controller’s local GPU hardware. No data is transmitted to external AI services or cloud LLM providers.
§ 3 Types of Personal Data
The following categories of personal data are processed:
| Data Category | Description | Storage Location |
|---|---|---|
| Microsoft Teams display names | Usernames from the Bot Framework Activity | PostgreSQL |
| Conversation content | User messages and bot responses | PostgreSQL |
| Release management metadata | Release names, status, dates, team assignments | Runtime memory (MCP) |
| Jira issue metadata | Issue numbers, summaries, status, assignees | Runtime memory (MCP) |
| User memories | Optional cross-session memorized content with vector embeddings | PostgreSQL (pgvector) |
| Notification subscriptions | Mappings of users to releases/Jira issues | PostgreSQL |
| Activity logs | Anonymized usage logs (no individual attribution) | Filesystem / PostgreSQL |
§ 4 Categories of Data Subjects
Data subjects are the employees and agents of the Controller who use Microsoft Teams and interact with the Reva assistant.
§ 5 Obligations of the Processor
(1) The Processor shall process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR), unless required to process by Union or Member State law. In such cases, the Processor shall inform the Controller of that legal requirement before processing.
(2) The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
(3) The Processor shall implement the technical and organizational measures required under Art. 32 GDPR (see § 7 and Appendix 1).
(4) No individual user activity evaluation. Activity logs are always maintained in anonymized form; individual actions are not attributed to identified persons. This complies with the German Works Constitution Act (BetrVG) requirement to prevent individual performance monitoring.
(5) The Processor shall assist the Controller in fulfilling obligations under Art. 32–36 GDPR, insofar as they concern the Controller and the nature of the processing.
§ 6 Sub-processors
(1) The following sub-processors are approved at the time of contract execution:
| Sub-processor | Processing Activity | Location |
|---|---|---|
| Microsoft Corporation (Azure Bot Framework) | Relay of Teams messages between Microsoft Teams and the Controller’s Reva instance | EU/EEA (per Microsoft DPA) |
(2) No cloud LLM providers are used. All AI inference is performed locally on the Controller’s infrastructure using Ollama.
(3) The Processor may only engage additional sub-processors with the Controller’s prior written consent. The Processor shall inform the Controller of planned changes at least 30 days in advance. The Controller may object within 14 days.
(4) The Processor shall ensure that each sub-processor is subject to the same data protection obligations set out in this agreement (Art. 28(4) GDPR).
§ 7 Technical and Organizational Measures
The Processor has implemented the following measures pursuant to Art. 32 GDPR (details in Appendix 1):
Encryption
- HTTPS/TLS for all external communication
- Bot Framework JWT validation (Azure AD signature verification)
- PostgreSQL SSL (self-signed CA) for database communication
- Optional disk encryption by the Controller
Access Control
- Network-based isolation (only Microsoft Teams and authorized reverse proxies reach the bot endpoint)
- Optional user-level authorization (REVA_AUTH_ENABLED)
- Webhook authentication via shared secrets
- Kubernetes NetworkPolicies (default-deny ingress)
Data Backup
- Daily automated database backups
- 30-day retention period for backups
- Documented recovery procedures
Data Minimization & Privacy by Design
- Activity logs are always anonymized (no individual attribution)
- Individual performance monitoring is technically prevented (BetrVG compliance)
- All LLM inference on the Controller’s GPU — no data leaves the Controller’s network
- Conversation history with configurable retention period
- Memories are soft-deleted with audit trail upon deletion
§ 8 Data Subject Rights
(1) The Processor shall assist the Controller in fulfilling data subject requests pursuant to Art. 15–22 GDPR.
(2) Reva provides the following self-service functions for data subjects:
- Right of access (Art. 15): Users can view their stored memories via the “show memories” command.
- Right to erasure (Art. 17): Users can delete their memories via the “forget memories” command.
- Conversation history: Can be deleted per user upon request.
(3) The Processor shall forward any data subject requests received directly to the Controller without undue delay.
§ 9 Data Breach Notification
(1) The Processor shall notify the Controller of any personal data breach without undue delay and no later than 24 hours after becoming aware, so that the Controller can fulfil its notification obligation under Art. 33 GDPR (72-hour deadline).
(2) The notification shall include at minimum:
- The nature of the breach
- The categories and approximate number of data subjects and data records affected
- The likely consequences of the breach
- Measures taken or proposed to address and mitigate the breach
(3) The Processor shall assist the Controller in fulfilling its documentation and notification obligations.
§ 10 Audit Rights
(1) The Controller has the right to verify compliance with this agreement and applicable data protection regulations. The Processor shall make all necessary information available to the Controller and enable audits including inspections (Art. 28(3)(h) GDPR).
(2) Audits shall be announced with at least 14 days’ notice and conducted with due regard to the Processor’s legitimate business interests.
(3) The Processor provides a support bundle tool (/api/support-bundle) that delivers GDPR-compliant diagnostic data (secrets masked, no personal data in the output). This can be used to support remote audits.
§ 11 Deletion and Return
(1) Upon termination of the main agreement, the Processor shall delete all personal data processed under this agreement, unless retention is required by Union or Member State law.
(2) Since Reva operates as an on-premise solution, data remains physically on the Controller’s infrastructure. The Processor shall:
- Delete all copies of personal data held in connection with support services
- Provide the Controller with instructions for complete data deletion from the PostgreSQL database upon request
- Confirm deletion in writing
(3) The Controller may request the return of data in a common, machine-readable format before deletion.
Appendix 1: Technical and Organizational Measures
1. Confidentiality (Art. 32(1)(b) GDPR)
| Measure | Implementation |
|---|---|
| Physical access control | On-premise operation — physical security is the Controller’s responsibility |
| System access control | Bot Framework JWT validation, optional user authorization, webhook authentication via shared secrets |
| Data access control | Restricted PostgreSQL user (CONNECT, CREATE, DML only), network isolation, Kubernetes NetworkPolicies |
| Separation control | Tenant separation through separate database instances per deployment |
2. Integrity (Art. 32(1)(b) GDPR)
| Measure | Implementation |
|---|---|
| Transfer control | TLS/HTTPS for all connections, PostgreSQL SSL |
| Input control | Audit trail for memory deletion (soft-delete), conversation history with timestamps |
3. Availability and Resilience (Art. 32(1)(b), (c) GDPR)
| Measure | Implementation |
|---|---|
| Availability control | Daily automated backups (30-day retention), health check endpoint (/api/health), Docker log rotation |
| Recoverability | Documented backup-restore procedure, support bundle for remote diagnostics |
4. Regular Review Procedures (Art. 32(1)(d) GDPR)
| Measure | Implementation |
|---|---|
| Data protection management | Anonymized activity logs, prohibition of individual performance monitoring (BetrVG) |
| Order control | This DPA, no processing without instructions |
| Privacy by design | Local LLM inference, no cloud AI services, configurable data retention |
Signature blocks are included in the downloadable Markdown version of this document.