Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service or Master Services Agreement between:

Data Controller: [Customer Legal Name], [Customer Address] ("Customer")

Data Processor: Reeply B.V., Hoornseschans 52C, 3432TM Nieuwegein, The Netherlands ("Reeply AI")

and together the "Parties."

1. Definitions

"Personal Data" has the meaning given in EU GDPR Article 4(1).

"Processing," "Controller," "Processor," "Sub-processor," "Data Subject" etc. have the meanings given in the GDPR.

2. Roles & Scope

2.1 Customer is the Data Controller; Reeply AI is the Data Processor. Reeply AI processes Personal Data only on Customer's documented instructions and for the duration of the Services.

2.2 This DPA covers all Processing of Personal Data by Reeply AI on behalf of Customer in connection with Customer's use of the Reeply AI platform.

3. Categories of Data & Data Subjects

3.1 Data Subjects: Customer's end users, employees, contractors.

3.2 Categories of Personal Data:

  • Identifiers: name, email address, IP address
  • Org & Company Data: company name, website URL, privacy-policy URL
  • Ad Account Data: campaign metrics, targeting settings, preferred ad locations, language
  • Interaction Data: chat logs, AI prompts for image/video generation

4. Special Categories

By default, Reeply AI does not collect "special categories" under GDPR Art 9. If Customer enables any recruitment-focused or specialized ad features that surface sensitive attributes, Customer confirms it has a lawful basis and documents it in its own instructions.

5. Sub-processors

5.1 Reeply AI engages the following Sub-processors for the SaaS:

  • AWS (hosting, storage & database management)
  • Vercel (deployments & CDN)
  • Clerk (user authentication & identity)
  • OpenAI Enterprise (chat & embedding API calls)
  • Replicate (image/video model inference)
  • Stripe (payment processing)
  • Crisp (in-app messaging & support)

5.2 Reeply AI will:

6. Security Measures

Reeply AI implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS with rotation)
  • Access controls: role-based permissions, MFA, principle of least privilege
  • Logging & monitoring: audit logs of access and system events retained for at least 90 days
  • Network protection: firewalls, intrusion detection
  • Staff training: annual GDPR and security awareness for everyone with data access

7. Breach Notification

Reeply AI will notify Customer “without undue delay,” and no later than 72 hours after discovery, of any Personal Data breach affecting Customer's data, including:

  • Nature and scope of the breach
  • Categories & approximate number of Data Subjects/data records
  • Measures taken to mitigate and remediate

8. Data Subject Rights & Assistance

8.1 Reeply AI provides an export/delete API and self-service within the platform for all Personal Data. Self-service includes the ability to delete chat logs, leads, and user account data.

8.2 On Customer request, Reeply AI will assist with Subject Access, rectification, portability, erasure, and objection requests.

9. Retention & Deletion

9.1 Customer controls retention via self-service; deletions are reflected in Reeply AI's systems within 30 days.

9.2 Backups and logs containing Personal Data are purged no later than 60 days after deletion or contract termination.

10. International Transfers

Reeply AI may transfer Personal Data outside the EEA (e.g. U.S.). All such transfers are protected by the EU Standard Contractual Clauses (SCCs) or equivalent lawful safeguards.

11. Audit & Compliance

11.1 Customer may, once per year on 30 days' notice, conduct remote audits of Reeply AI's GDPR compliance or review third-party security assessments on request.

11.2 Reeply AI will maintain records of processing activities as required by GDPR Art 30 and make them available on request.

12. DPIA Assistance

Reeply AI will, upon Customer's request, provide reasonable assistance for Data Protection Impact Assessments or consultations with supervisory authorities.

13. Change Management for Sub-processors

Reeply AI will give 14 days' prior notice of any new Sub-processor. Customer may object in writing on reasonable grounds; if unresolved, Parties will mutually agree on mitigation or Customer may terminate affected Services.

14. Liability & Insurance

Each Party's liability under this DPA is subject to the caps and exclusions in the underlying agreement. Reeply AI intends to obtain cyber and professional liability insurance as it scales. Upon reasonable request by the Customer, Reeply AI will provide evidence of such insurance once in place.

15. Contacts & DPO

Reeply AI Data Protection Lead: contact@reeply.net

Customer Data Protection Contact: [Name, Email]

16. Change Control

Reeply AI may update this DPA with 30 days' notice. Customer may terminate Services without penalty if it reasonably objects to material changes.

17. Governing Law & Jurisdiction

This DPA is governed by Dutch law. Disputes are subject to the exclusive jurisdiction of the courts of Nieuwegein, The Netherlands.

Execution

Date: __________

[Customer Legal Name]

Signature: ______________________

Date: __________

Reeply B.V.

Signature: ______________________