Need a signed copy?

The DPA below is a pre-negotiated template. To execute it for your organisation, email legal@forceweaver.com with your entity name and we will send a counter-signable copy.

⚖️ LEGAL REVIEW REQUIRED. This is a template. Commercial counsel must (a) confirm jurisdictional fit, (b) set the liability cap and indemnity scope, (c) review consumer-vs-business framing, and (d) align tier descriptions with the live pricing page.

Terms of Service

Effective date: {{EFFECTIVE_DATE}}

These Terms of Service ("Terms") are a binding agreement between {{LEGAL_ENTITY}} ("Revsnap", "we") and the person or entity ("Customer", "you") that accesses or uses the Revsnap service ("Service").

For Enterprise plans, the Order Form executed by the parties (with the SLA) governs in addition to these Terms; in case of conflict, the Order Form prevails.

1. Acceptance

By signing up, clicking "I agree", or otherwise using the Service, you accept these Terms. If you accept on behalf of an organisation, you confirm you have authority to bind that organisation.

2. Definitions

  • "Account" — your registration with the Service.
  • "Workspace" — your tenant boundary in the Service.
  • "Customer Data" — any data, including personal data, you (or any user of your Workspace) submit to the Service or that we receive from your Salesforce org on your instruction.
  • "Documentation" — the user docs published at {{TRUST_URL}} or in-product.
  • "Order Form" — a written or electronic ordering document executed between us.
  • "Subscription" — your right to use the Service for a defined term and tier.

3. The Service

Revsnap provides regression testing for Salesforce Revenue Cloud configurations. You connect your own Salesforce orgs, capture snapshots of pricing and configurator outputs, and run automated comparisons.

3.1 Plans

The plans currently offered are:

| Plan | Use |
|---|---|
| Free | Evaluation and individual use. Limits on connected orgs, snapshots, and monthly test runs. |
| Pro | Small team use. Higher quotas. |
| Enterprise | Custom Order Form; SSO; SLA per SLA Template. |

Live quotas are published on the pricing page and recorded in your Account.

3.2 Beta features

Features designated "beta" or "preview" are provided as-is, may change or be withdrawn, and are excluded from the SLA.

4. Your account

  • You must provide accurate registration information and keep it up to date.
  • You are responsible for all activity on your Account and for safeguarding credentials.
  • API keys are sensitive; rotate them immediately on suspected compromise.
  • You will use {{TRIAL_LENGTH_DAYS}}-day trials only for genuine evaluation.

5. Acceptable use

You will comply with the Acceptable Use Policy. Violations may result in suspension or termination under §11.

6. Customer Data

  • Ownership. As between the parties, you retain all right, title and interest in your Customer Data. We do not acquire any ownership rights in it.
  • Licence to us. You grant us a non-exclusive, worldwide, royalty-free licence to host, process, transmit, and display Customer Data solely to provide and improve the Service for you and to comply with legal obligations.
  • Personal data. Where Customer Data includes personal data, the Data Processing Agreement governs, and is incorporated into these Terms by reference.
  • Salesforce credentials. You authorise us to access your Salesforce orgs via the OAuth tokens you provide. You can revoke this authorisation at any time. We store these tokens encrypted in Supabase Vault and access them only for the purposes you direct.
  • Backups & deletion. We retain Customer Data per the Data Retention Schedule. On termination, you may export your data for {{NOTICE_PERIOD_DAYS}} days; after that we delete it, subject to limited residual backup retention as documented.

7. Subscriptions, fees, taxes

  • Fees are billed via Stripe according to your selected plan and Order Form.
  • Subscriptions auto-renew for the same term unless cancelled before the end of the current term.
  • Fees are non-refundable except where required by law or stated in your Order Form.
  • All amounts are exclusive of taxes, which you are responsible for unless we are required to collect them.

8. Free tier and trials

Free tier and trial use is provided "as-is" with no SLA. We may modify the free tier limits with reasonable notice.

9. Intellectual property

We retain all rights in the Service, the Documentation, and all derivatives. You retain all rights in Customer Data. Neither party grants the other any rights by implication.

10. Confidentiality

Each party will protect the other's Confidential Information with the same care it uses for its own, and at least with reasonable care, and will use it only to perform under these Terms.

11. Suspension and termination

  • For convenience: either party may terminate for convenience with {{NOTICE_PERIOD_DAYS}} days' notice at the end of the then-current term.
  • For cause: either party may terminate for material breach not cured within 30 days of notice.
  • Suspension: we may suspend the Service immediately for security, AUP, non-payment, or to comply with law; we will restore promptly once the cause is resolved.
  • Effect of termination: all your access rights end; we provide a {{NOTICE_PERIOD_DAYS}}-day export window per §6; you remain liable for accrued fees.

12. Disclaimers

EXCEPT AS EXPRESSLY STATED, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE". TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

We do not warrant that the Service will be uninterrupted or error-free, that it will catch every regression, or that it will replace your own testing diligence.

13. Limitation of liability

⚖️ Counsel input required to set the cap, carve-outs, and aggregate limit.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY.

EACH PARTY'S TOTAL AGGREGATE LIABILITY UNDER THESE TERMS WILL NOT EXCEED {{LIABILITY_CAP_BASIS}}, EXCEPT FOR LIABILITY THAT CANNOT BE LIMITED BY LAW.

14. Indemnification

Each party will indemnify the other against third-party claims arising out of its breach of these Terms or, in the case of Customer, misuse of the Service. Details to be agreed in counsel review.

15. Data protection

The DPA is incorporated by reference and forms part of these Terms.

16. Sub-processors

We maintain a public list of sub-processors at Sub-processors. We will provide at least {{SUB_PROCESSOR_NOTICE_DAYS}} days' notice of changes; you may object on reasonable grounds.

17. Governing law and disputes

These Terms are governed by the laws of {{GOVERNING_LAW}}, excluding its conflict-of-laws rules. The parties submit to the exclusive jurisdiction of {{COURTS}}, except that either party may seek injunctive relief in any competent court.

18. Notices

To us: {{LEGAL_EMAIL}}. To you: the email address on your Account.

19. Miscellaneous

  • Entire agreement. These Terms (plus DPA, AUP, applicable Order Form, SLA) are the entire agreement.
  • Assignment. Neither party may assign without consent, except to a successor in interest of substantially all its assets.
  • No waiver. Failure to enforce a right is not a waiver.
  • Severability. If any provision is unenforceable, the rest remains in force.
  • Force majeure. Neither party is liable for delay caused by events beyond reasonable control.
  • Independent contractors. The parties are independent contractors; nothing creates an agency, partnership, or joint venture.
  • Updates. We may update these Terms with reasonable notice; continued use after the effective date constitutes acceptance.

Last reviewed: 2026-05-15

⚖️ LEGAL REVIEW REQUIRED. This is a template DPA. Counsel must (a) confirm the operating entity and registered address, (b) review SCC module choice and UK IDTA, (c) confirm Annex II TOMs match the live whitepaper, and (d) review the audit-rights clause against insurance and operational constraints.

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between {{LEGAL_ENTITY}} ("Processor", "we") and the customer that has accepted the Agreement ("Controller", "you"). Where the Agreement is silent, this DPA governs in respect of personal data.

This DPA reflects the parties' agreement on the processing of personal data under the UK GDPR, the EU GDPR (Regulation (EU) 2016/679) and, where applicable, the Swiss FADP. The 2021 EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), Module 2 (controller-to-processor), and the UK International Data Transfer Addendum (UK IDTA) are incorporated by reference and apply to onward transfers from the UK/EEA.

1. Definitions

Capitalised terms not defined here have the meanings in the GDPR. "Personal Data" means personal data processed by us on your behalf in connection with the Service. "Sub-processor" means any third party engaged by us to process Personal Data.

2. Subject matter and details of processing

| Item | Description |
|---|---|
| Subject matter | Provision of the Revsnap regression testing Service. |
| Duration | The term of the Agreement plus any post-termination retention period documented in §10. |
| Nature and purpose | Hosting, storing, transmitting, comparing, and otherwise processing Personal Data submitted by Controller to provide the Service. |
| Categories of data subjects | Controller's personnel; Controller's customers whose data appears in Salesforce records Controller chooses to snapshot. |
| Categories of personal data | Identifiers (name, email), professional details, account credentials and tokens, Salesforce business records selected by Controller (which may incidentally include personal data). |
| Special categories | None expected. Controller agrees not to submit special-category data. |
| Frequency | Continuous while the Service is in use. |
| Erasure | Per §10 and the Data Retention Schedule. |

3. Roles

Controller is the controller of the Personal Data. We are the processor. To the extent Controller's processing instructions to us require us to act as an independent controller, that processing is governed by the Privacy Policy, not this DPA.

4. Controller obligations

Controller will:

  • Have all lawful bases necessary for the Personal Data it submits.
  • Provide all notices and obtain all consents required from data subjects.
  • Issue all processing instructions through use of the Service and its documented configuration options; out-of-band instructions must be in writing.

5. Processor obligations (Article 28(3))

We will:

  1. Process Personal Data only on Controller's documented instructions (the Agreement, this DPA, and Service configuration), including in respect of international transfers, unless required by law to which we are subject — in which case we will inform Controller of that requirement before processing, unless prohibited by law on important grounds of public interest.
  2. Ensure that persons authorised to process Personal Data are under appropriate confidentiality obligations.
  3. Implement the technical and organisational measures set out in Annex II ("TOMs"), which are reviewed and updated as our security programme matures.
  4. Engage Sub-processors only in accordance with §6.
  5. Assist Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data-subject requests (see §7).
  6. Assist Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, DPIA, prior consultation) taking into account the information available to us.
  7. At Controller's choice, delete or return Personal Data at the end of the Service, subject to limited residual retention required by law (see §10).
  8. Make available all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, in line with §8.

6. Sub-processors

Controller authorises us to engage the Sub-processors listed in our public list at Sub-processors. We will:

  • Maintain that list current.
  • Give Controller at least {{SUB_PROCESSOR_NOTICE_DAYS}} days' notice of any new or replacement Sub-processor.
  • Allow Controller to object on reasonable, documented data-protection grounds. If we cannot accommodate the objection, Controller may terminate the affected Services with a pro-rata refund for prepaid unused fees.
  • Impose on each Sub-processor data-protection obligations no less protective than this DPA. We remain liable for our Sub-processors' acts and omissions in respect of the Personal Data.

7. Data subject requests

If we receive a request from a data subject directed at Controller's data, we will, without undue delay:

  • Inform Controller of the request (and not respond directly unless authorised).
  • Assist Controller in responding, including by providing reasonable technical means (export, deletion, correction). Our procedures are in the DSR Runbook.

8. Audits

We will make available to Controller:

  • This DPA, the public Security Whitepaper, sub-processor list, and (when produced) external audit reports such as SOC 2 Type II or ISO 27001.
  • On reasonable written notice no more than once per twelve months (unless required by a regulator or following a confirmed personal-data breach), a written response to a reasonable security questionnaire.

Where Controller's regulator requires an on-site audit, the parties will agree in good faith on scope, scheduling (at least 30 days' notice), confidentiality, and reimbursement of reasonable costs.

9. Personal data breaches

We will notify Controller without undue delay, and in any case within 72 hours, after becoming aware of a personal-data breach affecting Personal Data. The notification will include, to the extent then known, the information required by GDPR Article 33(3). We will cooperate with Controller and provide reasonable assistance with Controller's regulator and data-subject notifications.

Our internal procedure is governed by the Incident Response Policy.

10. Deletion and return

On termination of the Service, Controller may, within {{NOTICE_PERIOD_DAYS}} days, export Personal Data via the Service's existing export features. After that period we will delete Personal Data from production systems within 30 days. Residual copies in backups are retained per platform backup retention and overwritten in the ordinary course; while retained they remain protected by this DPA.

11. International transfers

Where Personal Data is transferred from the UK/EEA to a country without an adequacy decision:

  • The EU SCCs, Module 2 (controller-to-processor), are incorporated by reference. Annexes I.A, I.B, I.C, II, and III to the SCCs are completed by reference to Annex I and Annex II of this DPA and to the live Sub-processors list.
  • For UK transfers, the UK IDTA is incorporated and completed by reference to the same Annexes.
  • For Switzerland, the SCCs apply as if "GDPR" included the Swiss FADP and the supervisory authority included the FDPIC.

12. Liability

The liability provisions of the Agreement apply to this DPA. Nothing in the Agreement or this DPA excludes either party's liability where exclusion is prohibited by data-protection law.

13. Order of precedence

If there is a conflict, the order is: (1) SCCs/UK IDTA; (2) this DPA; (3) the Agreement.

14. Term

This DPA is effective from the {{EFFECTIVE_DATE}} or, if later, from the date Controller accepts the Agreement, and continues for the term of the Agreement plus any retention period.


Annex I — Description of processing

(See §2 above.)

Competent supervisory authority (SCCs Annex I.C): {{SUPERVISORY_AUTHORITY}}.

Annex II — Technical and organisational measures

These TOMs supplement and are summarised in the Security Whitepaper, which is the authoritative description and is reviewed on at least a quarterly cadence.

| Area | Measure |
|---|---|
| Access control | Supabase Auth with role-based access; planned MFA and SSO; SHA-256 hashed API keys; RLS-enforced workspace isolation. |
| Encryption in transit | TLS 1.3 on all external paths. |
| Encryption at rest | AES-256 platform-managed for Postgres and Storage; libsodium AEAD (pgsodium) for Salesforce OAuth tokens. |
| Pseudonymisation | API key secrets only stored as one-way hashes; analytics events pseudonymised. |
| Tenant isolation | Postgres RLS by workspace; application-layer membership checks; private storage prefixed by workspace; SECURITY DEFINER RPC for Vault. |
| Integrity | Signed webhooks (Stripe HMAC, QStash key rotation, internal worker HMAC + replay window). |
| Availability | Supabase PITR backups; database-backup.yml; Vercel platform redundancy; quarterly restore drill. |
| Resilience | Independent triple-trigger scheduling for background jobs (Vercel Cron + QStash + pg_cron). |
| Logging | Workspace audit log; product analytics consent-gated; planned structured logging with PII redaction. |
| Personnel | Confidentiality undertakings; least-privilege access to production; planned background-check policy at hire scale. |
| Vendor management | DPAs in place with each Sub-processor; vendor risk reviews per the Vendor Risk Policy. |
| Security testing | Internal audit annually; planned external penetration test; planned CI gates (gitleaks, Dependabot, SAST). |
| Incident response | Documented IR policy with 72-hour notification to controllers. |

Annex III — Sub-processors

The current list, including the entity name, processing activities, and processing locations, is published at Sub-processors and forms part of this DPA. We will keep it current and notify Controller per §6.

Last reviewed: 2026-05-15

⚖️ LEGAL REVIEW REQUIRED.

Acceptable Use Policy

This Acceptable Use Policy ("AUP") governs all use of the Revsnap service. It is incorporated into the Terms of Service. Capitalised terms have the meanings given there.

1. You must not

  • Use the Service to violate any applicable law or third-party right.
  • Submit data you do not have a lawful basis to process, including special-category personal data unless explicitly agreed in writing.
  • Attempt to access another customer's data, accounts, or systems.
  • Probe, scan, or test the vulnerability of the Service except via the coordinated disclosure process.
  • Bypass or interfere with security or access controls, rate limits, audit logs, or anti-abuse mechanisms.
  • Use the Service to send unsolicited or unlawful communications, malware, or harmful content.
  • Use the Service to facilitate denial-of-service attacks or to launch attacks against any party, including against your own Salesforce orgs at a volume their service tier does not allow.
  • Reverse engineer, decompile, or attempt to derive the source code of the Service, except where permitted by law.
  • Resell, sublicense, or provide the Service to third parties except as expressly permitted.
  • Submit content that is unlawful, defamatory, obscene, infringing, or harmful.

2. Rate limits and fair use

The Service enforces rate limits to protect itself and other customers. You will not work around them. If your legitimate use exceeds defaults, contact {{SUPPORT_EMAIL}}.

3. Salesforce credentials

You will:

  • Only connect Salesforce orgs you are authorised to connect.
  • Only authorise the scopes you actually need.
  • Revoke the connection promptly when no longer needed.

4. Security and reporting

  • Treat your account credentials and API keys as sensitive.
  • Rotate API keys on suspected compromise.
  • Report security issues to {{SECURITY_EMAIL}} per the coordinated disclosure policy.

5. Beta and preview features

Beta features may be unstable, change without notice, or be withdrawn. Do not use them for production data without an understanding of these limitations.

6. Enforcement

We may investigate suspected violations. We may suspend or terminate access in accordance with §11 of the Terms. For material or repeated violations we may terminate immediately.

If suspension is in your interest (e.g., apparent account takeover), we will act with reasonable speed and restore once the cause is resolved.

7. Cooperation with law enforcement

We respond to validly issued legal process. Where lawfully permitted, we notify the customer of any compelled disclosure of their data so they may seek a protective order.

Last reviewed: 2026-05-15