Review Engine Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) applies when Tiny Mammoth (dba Review Engine, “we,” “us,” or “our”) Processes Covered Data as a Processor or Service Provider for the Client (“you” or “Client”) in connection with our provision of Services under the Review Engine Terms of Service or a Master Services Agreement (collectively, the “Underlying Agreement”).
1. Definitions
1.1 Applicable Data Protection Law means all applicable privacy and data protection laws governing Review Engine’s Processing of Covered Data on behalf of Client in connection with the Services, including but not limited to the California Consumer Privacy Act (CCPA), the Gramm-Leach-Bliley Act Safeguards Rule, and the Health Insurance Portability and Accountability Act (HIPAA), each as amended or replaced from time to time.
1.2 Covered Data means any personal data, personal information, or customer information that is provided or made available by Client to Review Engine, or otherwise Processed by Review Engine as a Processor or Service Provider on behalf of Client under the Underlying Agreement.
Covered Data excludes Client Account Data.
1.3 Client Account Data means information that relates to the business relationship between Client and Review Engine (e.g., billing contacts, authorized users, payment data, and authentication credentials).
1.4 The terms “Business,” “Business Purpose,” “Consumer,” “Controller,” “Data Subject,” “Personal Data,” “Personal Information,” “Processor,” “Service Provider,” “Sale,” and “Share” have the meanings assigned to them under Applicable Data Protection Law.
1.5 Process or Processing means any operation or set of operations performed on data, such as collection, storage, use, disclosure, or deletion.
2. Roles and Scope
2.1 Processor Role. For Covered Data, Client acts as Controller (or Business), and Review Engine acts as a Processor (or Service Provider) on behalf of Client. Client instructs Review Engine to Process Covered Data solely to provide and improve the Services under the Underlying Agreement.
2.2 Client Responsibilities.
Client is responsible for determining the lawful basis for Processing and the means by which Covered Data is collected and shared with Review Engine.
Client represents and warrants that:
- It complies with all obligations of a Controller/Business under Applicable Data Protection Law.
- It has obtained all necessary rights, consents, and authorizations to provide Covered Data to Review Engine.
- It will promptly notify Review Engine of any Consumer or Data Subject request requiring Review Engine’s assistance.
2.3 Review Engine Responsibilities.
Review Engine shall:
- Process Covered Data only on documented instructions from Client;
- Ensure persons authorized to Process Covered Data are subject to confidentiality obligations;
- Implement administrative, technical, and physical safeguards appropriate to the size and complexity of Review Engine, the sensitivity of the Covered Data, and the risks involved;
- Maintain and enforce a written Information Security Program aligned with industry standards;
- Provide reasonable assistance to Client in fulfilling obligations under Applicable Data Protection Law, including Consumer or Data Subject requests and required breach notifications; and
- Upon written request, make available information reasonably necessary to demonstrate compliance with these obligations.
2.4 Security Program.
Review Engine’s infrastructure is hosted and maintained on platforms built to comply with GDPR and HIPAA standards (including GoHighLevel, AWS, and related service providers).
Review Engine enforces encryption in transit, access controls, audit logging, and employee security awareness training consistent with industry best practices.
3. Data Deletion and Retention
Upon termination of the Underlying Agreement or upon Client’s written request, Review Engine will delete or de-identify Covered Data within a reasonable period, typically within 30 to 90 days, depending on internal deletion workflows and regulatory requirements.
Deletion may be delayed as necessary for billing, dispute resolution, or legal obligations.
4. CCPA-Specific Terms
To the extent the CCPA applies:
- Review Engine will act as a Service Provider and will not Sell or Share Personal Information, nor retain, use, or disclose such information for any purpose other than providing the Services.
- Review Engine will not combine Personal Information received from multiple Clients, except as permitted by law (e.g., for security or analytics purposes).
- Review Engine will provide the same level of privacy protection required of a Business under the CCPA and will notify Client if it can no longer meet these obligations.
- If Review Engine receives notice of unauthorized use or disclosure of Personal Information, it will cooperate with Client to address and remediate the issue.
5. HIPAA & GLBA Provisions
5.1 To the extent Client qualifies as a Covered Entity, Business Associate, or Financial Institution, and provides information protected under HIPAA or the Gramm-Leach-Bliley Act, Review Engine will comply with the applicable privacy and safeguard standards.
5.2 If Review Engine receives or accesses Protected Health Information (PHI), the parties agree to execute a Business Associate Agreement (BAA) governing such data.
Absent a BAA, Client shall not upload or transmit PHI through the Services.
6. Sub-Processors
Client authorizes Review Engine to engage sub-processors and service providers necessary for delivering the Services, including infrastructure, communication, and payment partners.
Review Engine ensures such sub-processors are bound by written agreements imposing data protection obligations substantially similar to this DPA.
A current list of sub-processors is maintained internally and made available to Clients upon written request.
7. Audits and Certifications
Upon Client’s written request (no more than once per year), Review Engine will provide documentation or third-party attestations (if available) sufficient to demonstrate compliance with this DPA, including information regarding GoHighLevel’s and AWS’s underlying security certifications.
All audit-related information is deemed Review Engine’s Confidential Information.
8. Data Breach Notification
Review Engine will notify Client without undue delay after confirming a Covered Data breach that compromises the confidentiality, integrity, or availability of Covered Data.
Notifications will include sufficient detail to enable Client to meet its own legal reporting obligations. Review Engine will cooperate in any reasonable investigation or mitigation efforts.
9. Client Account Data (Controller Role)
For Client Account Data, Review Engine acts as an independent Controller, not a Processor.
Review Engine Processes such data to:
- Manage its business relationship with Client;
- Process payments and account administration;
- Detect and prevent fraud or misuse; and
- Comply with legal and financial obligations.
10. Conflicts
If there is any conflict between this DPA and the Underlying Agreement, this DPA controls to the extent of the conflict.
If this DPA conflicts with any Business Associate Agreement (BAA), the BAA governs as to PHI.
Tiny Mammoth (DBA Review Engine)
Pasadena, California
support@review-engine.com