rd station

Data Processing Agreement

This Personal Data Processing Agreement (“DPA” or “Agreement”) is an integral part of the Agreement between the Customer and RD Station (“Terms of Use” or “Agreement”) and governs the personal data processing activities carried out by the Parties within the scope of the provision of Services, in compliance with each Party’s roles and responsibilities as defined in this DPA and applicable law. Except for the modifications provided herein, the Agreement executed between the Customer and RD Station remains unchanged and in full force and effect. In the event of a conflict between this DPA, the Agreement, or any other terms, the provisions of this DPA shall prevail with respect to data protection, security, and privacy matters.

 

1. Definitions

The following terms shall have the following meanings when used in this DPA. Any capitalized terms not defined in this DPA shall have the meaning set forth in the Terms of Use and applicable law.

Customer: means any natural person or legal entity that agrees to contract and/or use the services offered by RD Station.

Controller: means any natural person or legal entity, under public or private law, that individually determines the purposes and essential elements of the Personal Data Processing, being responsible for the decisions relating to the personal data processing operation, as provided for in the applicable Data Protection Law.

Customer Personal Data: means the Personal Data shared by the Customer on the RD Platform for the purpose of utilizing the functionalities of the services offered.

Data Protection Laws: means any and all legislation relating to data protection and privacy applicable to the respective party, considering its role and activities during the Personal Data Processing under the scope of this Agreement, including, but not limited to, the following legislation: (i) the General Data Protection Law, Federal Law No. 13,709/2018, “LGPD”; (ii) the Brazilian Internet Bill of Rights (Federal Law No. 12,965/2014) and its regulatory decree (Decree No. 8,771/2016); and (iii) any other data protection legislation applicable to the respective Party in its role within the Personal Data Processing.

RD Station Platform (“RD Platform”): means the integrated set of solutions offered by RD Station, including, without limitation, tools such as RD Station Marketing, RD Station CRM, RD Station Conversas, RD Station for E-commerce, and any other functionalities that may be accessed by Customers.

RD or Company: means RD Gestão e Sistemas S.A.

Sub-processor: means any Data Processor contracted by RD to process Customer Personal Data.

 

The terms “Personal Data”, “Data Subject”, “Processor”, “Processing”, and “Authority” shall have the meanings defined in the LGPD.

 

2. Personal Data Processing

2.1. The Parties declare that they carry out the Personal Data Processing in accordance with the Data Protection Law and any other applicable legislation, committing to observe the relevant legal bases and to adopt appropriate technical and organizational measures to ensure the lawfulness and security of the processing. Each Party shall be responsible for the Personal Data Processing it carries out, in its capacity as a Controller or Data Processor, as applicable.

2.2. Within the scope of this Agreement, the Parties acknowledge and agree that, with respect to Customer Personal Data, the Customer shall act as a Controller, while RD shall act as a Processor, carrying out the Personal Data Processing on behalf of the Customer and in accordance with its documented instructions.

2.3. The Customer represents and warrants that: a) any and all Personal Data Processing activities carried out on the RD Platform are lawful and authorized under the Data Protection Law, as well as in compliance with the Terms of Use; b) the Personal Data entered into the RD Platform was lawfully collected, based on an appropriate legal basis, and provided with due notice to the Data Subject; c) it holds the right to transfer or share the Personal Data with RD; d) it shall not make any unauthorized use of the Personal Data and other information obtained through the RD Platform; e) it shall ensure the confidentiality and security of the access data to the RD Platform; f) it shall be solely responsible for managing its users’ access to the RD Platform, including the granting, configuration, monitoring, and revocation of credentials; and g) any transmission of messages, communications, or emails carried out through the RD Platform complies with the recipients’ consent, where applicable, and does not constitute spam, or content that is abusive, fraudulent, discriminatory, illegal, or offensive of any nature.

2.4. As a general rule, the services made available on the RD Platform are not intended for the processing of Sensitive Personal Data. The Customer is advised not to enter or utilize this type of data on the Platform. Should the Customer choose to process Sensitive Personal Data, it must do so in compliance with applicable legislation and at its own responsibility, adopting the necessary measures to ensure the adequacy of such processing, including, when available, utilizing the identification tag for this category of data on the RD Platform.

2.5. The Personal Data Processing of children and adolescents shall be carried out in accordance with all applicable legislation on the matter. Where applicable, the Customer shall adopt the necessary measures to obtain the consent of parents or legal guardians, observe legal restrictions regarding the use of such data, and implement protection measures compatible with the best interests of the child and adolescent.

2.6. RD commits to providing reasonable assistance to the Customer in the event of: (a) a Data Subject request; (b) the performance of data protection impact assessments by the Customer, when required under the Data Protection Law; and (c) requests from authorities regarding the Customer Personal Data Processing.

2.7. RD hereby informs that it shall process Personal Data and other data stored in its systems within the purposes defined in the Terms of Use and in compliance with applicable legislation, including to: (a) provide the services to the Customer; (b) create security backups; (c) analyze, investigate, and remedy potential security incidents involving personal data, fraud, and/or audit trails; (d) improve, customize, and/or develop functionalities and products; and (e) perform statistical analyses and studies related to the performance and use of the RD Platform, prioritizing data minimization, anonymization, and/or pseudonymization whenever possible and in compliance with applicable legislation. In the event that RD carries out the Personal Data Processing for its own purposes, it shall act as an independent Controller, being fully responsible for the Processing carried out under its management, and holding the Customer harmless from any liability in this regard. The Customer acknowledges and agrees that such Processing is compatible, reasonable, and proportionate to the provision of the services.

2.8. RD shall process Customer Personal Data in accordance with its instructions, in compliance with the Data Protection Law, and shall not sell or share this information with third parties unrelated to the provision of the service, or for any purpose other than those specified in this Agreement, the Terms of Use, and the Privacy Notice.

2.9. Should the Customer, for any reason, request additional account data from RD, the Customer represents that it shall utilize such information responsibly and in compliance with applicable legislation. The Customer shall be solely responsible for any and all Processing carried out with the Personal Data shared by RD.

 

3. Security Incident

3.1. RD represents that it adopts and maintains appropriate and adequate technical and organizational measures to protect Personal Data against unauthorized access, accidental or unlawful situations of destruction, loss, alteration, communication, or any other form of inappropriate or unlawful Processing that compromises the security, integrity, confidentiality, or availability of the Personal Data processed under this Agreement (“Security Incident”).

3.1.1. RD shall notify the Customer, without undue delay, within up to 72 (seventy-two) hours upon becoming aware of a Security Incident related to Customer Personal Data, and, in compliance with CD/ANPD Resolution No. 15/24, shall provide all necessary assistance, including: (a) adopting measures to mitigate the effects of the Incident; and (b) providing all information required by law to the Customer, as it becomes known. Such notification does not constitute an admission of fault or liability on the part of RD. The Customer shall be responsible for assessing and deciding on the notification to Data Subjects or competent authorities, committing to align in advance with RD the wording of any public communications or official notifications that directly reference the RD Platform or that may attribute liability to it.

 

4. Sharing of Personal Data

4.1. Personal Data may not be disclosed to third parties, except when sharing is necessary for the fulfillment of the obligations arising from this Agreement and the Contract, including, but not limited to, the use of cloud storage services, technology providers, technical support platforms, and other subcontractors essential for the execution of the contractual purpose, as well as with companies belonging to the same economic group, their controlled companies, controlling companies, subsidiaries, affiliates, or companies in which it holds an equity interest, including under a joint venture or corporate partnership regime. In such cases, the sharing shall be carried out in compliance with applicable Personal Data protection legislation, through the adoption of appropriate technical and organizational measures to safeguard the confidentiality, integrity, and security of the information.

4.1.1. Sub-processors. The Customer acknowledges and agrees that RD may engage sub-processors for the Personal Data Processing, as necessary for the execution of this Agreement and the Contract. The list of sub-processors used by RD is available at: https://www.rdstation.com/legal-e-privacidade/lista-de-suboperadores/. The Customer agrees to consult the list periodically to remain informed about any updates. RD shall use commercially reasonable efforts to adjust the services in the event that the Customer submits a substantiated objection regarding a new sub-processor.

4.1.2. Regarding the interoperability between the RD Platform and the products and systems of TOTVS S.A., the resulting Personal Data Processing shall be carried out based on specific purposes and limited to what is necessary for the execution of the integrations contracted by the Customer, in compliance with the provisions set forth in this Agreement, the Customer’s instructions, and the Data Protection Law. The parties involved in the Processing resulting from such integrations shall have their roles defined and maintained in accordance with the contractual instruments applicable to each solution.

 

5. Data Subject Rights

5.1. RD commits to notifying the Customer, in writing, whenever it receives any request from a Data Subject related to the Customer Personal Data Processing under this Agreement, and may, when appropriate, guide the Data Subject to direct their request to the Customer’s official customer service channels.

5.2. The Customer, in its capacity as a Controller, is responsible for assessing, deciding upon, and fulfilling Data Subject requests. RD shall provide reasonable assistance to the Customer in fulfilling such requests, including the execution of actions such as access, rectification, or deletion of Personal Data, when technically applicable and upon the Customer’s instruction.

 

6. International Data Transfer

6.1. For the execution of the RD Platform services, RD may transfer data to third parties located outside the national territory, especially related to cloud storage services, with data centers located predominantly in the United States.

6.1.1. In such cases, RD commits to utilizing one of the mechanisms provided for in Article 33 of the LGPD, including, where applicable, the use of the standard contractual clauses established by CD/ANPD Resolution No. 19/2024.

6.2. For international data transfers between Brazil and the European Union, the mutual adequacy decision adopted by the National Data Protection Agency (“ANPD”) and the European Commission shall apply, in accordance with applicable legislation, waiving the adoption of additional international transfer mechanisms for such flows.

 

7. Audit


7.1. RD represents that it is aware of and authorizes, upon prior written notice, the conduct of due diligence regarding its internal privacy and Personal Data governance program, limited to the data related to this Agreement. The procedure shall be conducted exclusively on a documentary basis, through the request for specific evidence and information, subject to business secrets and confidentiality, without physical access to RD’s premises.

 

8. Data Deletion and Return

8.1. Upon the Customer’s express request, at any time, or upon contract termination, RD shall delete the Customer Personal Data from the RD Platform, except in events of retention provided for by law.

8.2. The return of Customer Personal Data shall be carried out through extraction directly on the RD Platform, the Customer being solely responsible for performing such extraction during the term of the contract or within up to 60 (sixty) days following the termination of the Contract, noting that automatic deletion occurs at the end of this period for certain products.

8.3. The Customer represents that it is aware that the deletion of Customer Personal Data prior to contract termination or the termination of services may negatively impact the operation of the RD Platform, including the loss of features and the permanent removal of the data history associated with the account.

 

9. Artificial Intelligence

9.1. RD may make available features and solutions that utilize Artificial Intelligence (“AI”) on the RD Platform, with the purpose of enhancing the services offered and better supporting the Customer’s strategies. The Customer acknowledges that the outputs generated by AI features are probabilistic in nature and may contain inaccuracies, inconsistencies, hallucinations, incomplete or untruthful information, and it is the Customer’s sole responsibility to evaluate their suitability before utilizing them in decision-making, operational, or commercial processes.

9.2. RD commits to adopting an ethical and responsible approach, with technical measures aimed at implementing AI features in compliance with applicable information security and data protection standards and other laws in force. The Customer acknowledges that such features may involve learning processes for generating outputs and that their use shall be carried out in compliance with applicable legal and regulatory provisions.

9.3. The Customer acknowledges that the use of AI features may involve the Processing of Personal Data from its database, the Customer being responsible for: (a) evaluating the suitability of using these features for its operation and the profile of the Data Subjects involved; (b) informing Data Subjects about the use of these tools in the Processing of their data, when required by applicable legislation; and (c) ensuring that the Personal Data Processing carried out through the AI features is supported by an adequate and valid legal basis, as required by applicable legislation.

9.4. The Customer may opt out of using the AI features made available on the RD Platform, without prejudice to the continuity of the other contracted services.

 

10. Confidentiality

10.1. The Parties commit to maintaining the secrecy and confidentiality of all information, documents, data, and business secrets that may be shared under this Agreement, including, but not limited to, information regarding technological infrastructure, internal processes, business strategies, Sub-processors, and security measures adopted. The Parties shall: (a) utilize such information exclusively for the purposes provided for in this Agreement; (b) restrict access to confidential information to employees and service providers who need to know it to fulfill the obligations established herein; and (c) adopt the same protection measures they apply to their own confidential information, which shall never be less than a reasonable standard of diligence.

 

11. Liability

11.1. RD shall only be liable for Personal Data breach events and/or non-compliance with the Data Protection Law that are proven to result from its willful misconduct or negligent act or omission during the execution of this Agreement, in which events it shall indemnify the Customer within the limits established in the RD Terms of Use, provided that there is proof of the causal link and the damage suffered.

11.2. In the event that joint and several liability is recognized between the Parties, each Party shall be liable exclusively to the extent of its effective and duly proven participation in the event.

 

12. General Provisions

12.1. Notwithstanding any provision to the contrary in the Terms of Use, RD reserves the right to make any modifications to this Agreement that are necessary to comply with Data Protection Laws.

12.2. The invalidity or unenforceability of any provision of this Agreement, whether as a result of a legislative change, a judicial or administrative decision, or any other reason, shall not affect the validity and enforceability of the remaining clauses, which shall remain in full force and effect.

12.3. AAll communications, notices, and requests regarding data protection and privacy under the scope of this Agreement shall be forwarded to RD exclusively to the following email addresses: privacidade@rdstation.com and dpo@rdstation.com.

12.4. Any claims made based on this Agreement shall be subject to the terms and conditions provided for in the Terms of Use, including, but not limited to, the exclusions and limitations of liability established therein.

12.5. This Agreement shall remain in force during the term of the Terms or for as long as RD is Processing Personal Data subject to this Agreement, whichever is longer.