This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service or Master Services Agreement between:
Data Controller: [Customer Legal Name], [Customer Address] ("Customer")
Data Processor: Reeply B.V., Hoornseschans 52C, 3432TM Nieuwegein, The Netherlands ("Reeply AI")
and together the "Parties."
"Personal Data" has the meaning given in EU GDPR Article 4(1).
"Processing," "Controller," "Processor," "Sub-processor," "Data Subject" etc. have the meanings given in the GDPR.
2.1 Customer is the Data Controller; Reeply AI is the Data Processor. Reeply AI processes Personal Data only on Customer's documented instructions and for the duration of the Services.
2.2 This DPA covers all Processing of Personal Data by Reeply AI on behalf of Customer in connection with Customer's use of the Reeply AI platform.
3.1 Data Subjects: Customer's end users, employees, contractors.
3.2 Categories of Personal Data:
By default, Reeply AI does not collect "special categories" under GDPR Art 9. If Customer enables any recruitment-focused or specialized ad features that surface sensitive attributes, Customer confirms it has lawful basis and documents it in its own instructions.
5.1 Reeply AI engages the following Sub-processors for the SaaS:
5.2 Reeply AI will:
Reeply AI implements appropriate technical and organizational measures, including:
Reeply AI will notify Customer “without undue delay,” and no later than 72 hours after discovery, of any Personal Data breach affecting Customer's data, including:
8.1 Reeply AI provides an export/delete API and self-service within the platform for all Personal Data. Self-service includes the ability to delete chat logs, leads, and user account data.
8.2 On Customer request, Reeply AI will assist with Subject Access, rectification, portability, erasure, and objection requests.
9.1 Customer controls retention via self-service; deletions are reflected in Reeply AI's systems within 30 days.
9.2 Backups and logs containing Personal Data are purged no later than 60 days after deletion or contract termination.
Reeply AI may transfer Personal Data outside the EEA (e.g. U.S.). All such transfers are protected by the EU Standard Contractual Clauses (SCCs) or equivalent lawful safeguards.
11.1 Customer may, once per year on 30 days' notice, conduct remote audits of Reeply AI's GDPR compliance or review third-party security assessments on request.
11.2 Reeply AI will maintain records of processing activities as required by GDPR Art 30 and make them available on request.
Reeply AI will, upon Customer's request, provide reasonable assistance for Data Protection Impact Assessments or consultations with supervisory authorities.
Reeply AI will give 14 days' prior notice of any new Sub-processor. Customer may object in writing on reasonable grounds; if unresolved, Parties will mutually agree on mitigation or Customer may terminate affected Services.
Each Party's liability under this DPA is subject to the caps and exclusions in the underlying agreement. Reeply AI intends to obtain cyber and professional liability insurance as it scales. Upon reasonable request by the Customer, Reeply AI will provide evidence of such insurance once in place.
Reeply AI Data Protection Lead: contact@reeply.net
Customer Data Protection Contact: [Name, Email]
Reeply AI may update this DPA with 30 days' notice. Customer may terminate Services without penalty if it reasonably objects to material changes.
This DPA is governed by Dutch law. Disputes are subject to the exclusive jurisdiction of the courts of Nieuwegein, The Netherlands.
Date: __________
[Customer Legal Name]
Signature: ______________________
Date: __________
Reeply B.V.
Signature: ______________________