# Data Processing Agreement (DPA) — ReplyArc

**Effective Date:** {EFFECTIVE_DATE}
**Controller:** {CUSTOMER_LEGAL_NAME}, {CUSTOMER_ADDRESS}
**Processor:** ReplyArc, {REPLYARC_ADDRESS}

This Data Processing Agreement ("DPA") forms part of the ReplyArc Terms of Service
between the Controller and the Processor and reflects the parties' agreement with
regard to the Processing of Personal Data, in accordance with the requirements of
the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and
applicable national implementing legislation.

## 1. Subject Matter and Duration

The subject matter of the Processing is the provision of the ReplyArc platform —
a multi-tenant outbound communications, lead-management, and AI-assisted reply
service — to the Controller. The duration of Processing equals the term of the
Controller's active subscription plus a 30-day post-termination data return /
erasure window described in Section 12.

## 2. Nature and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller for the
following purposes only: (a) operating the ReplyArc service, (b) authenticating
end-users, (c) routing messages between the Controller's connected channels
(Slack, Unipile-bridged providers, email), (d) generating AI-assisted draft
replies using credentials supplied by the Controller (BYOK), and (e) producing
aggregated, non-identifying telemetry necessary to operate the platform.

## 3. Categories of Personal Data

The categories of Personal Data Processed are limited to: identity data
(name, email, role), authentication data (hashed passwords, session tokens),
workspace metadata (organization name, member list), connected-channel
credentials (encrypted at rest using Fernet), message metadata (subject line,
timestamps, source), AI provider credentials (encrypted at rest), and
server-side activity events (HTTP method, path, status code, hashed IP and
user-agent fingerprints — never request or response bodies).

## 4. Categories of Data Subjects

The categories of Data Subjects whose Personal Data is Processed are: (a)
Controller's employees and authorized end-users of the ReplyArc workspace,
(b) external recipients whose contact details the Controller uploads as
leads or recipients, and (c) participants in inbound message threads
(reply senders) whose identifiers reach the platform via channel webhooks.

## 5. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

   - **Vercel Inc.** — frontend hosting, edge network, analytics-disabled.
   - **Render Inc.** — application compute, background workers, managed databases.
   - **Postgres provider** (Supabase or Render Managed Postgres) — primary data store.
   - **Anthropic / OpenAI / Azure OpenAI** — AI completion services. These are
     **Controller-elected (BYOK)**: the Processor never sends data to a provider
     for which the Controller has not configured credentials in Settings → AI.
   - **Slack Technologies, LLC** — Controller-elected workspace integration.
   - **Unipile** — Controller-elected channel adapter for non-native providers.

A current list of Sub-processors is maintained at https://replyarc.com/legal/subprocessors
and changes are notified per Section 11.

## 6. Security Measures (Annex II)

The Processor implements appropriate technical and organizational security
measures including, at minimum:

   - **Encryption at rest** — Fernet symmetric encryption (AES-128-CBC with
     HMAC-SHA256 authentication) for all secret credentials (Slack bot tokens,
     AI provider API keys, webhook signing secrets); database volume-level
     encryption provided by the database host.
   - **Encryption in transit** — TLS 1.2+ enforced on all internet-facing endpoints;
     HSTS preload-eligible.
   - **Role-based access control** — 5-tier RBAC (OWNER / ADMIN / MEMBER / VIEWER /
     CLIENT) enforced server-side on every authenticated request.
   - **Activity-event retention cap** — server-side activity events automatically
     purged after 90 days (`activity_purge_tasks.py`, scheduled 03:00 UTC daily).
   - **Webhook signing** — all outbound webhooks signed with HMAC-SHA256 using a
     per-subscription secret; constant-time signature verification.
   - **Audit logging** — administrative actions (role changes, integration
     installs, secret rotations) logged to the activity-event store.
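
The webhook-signing measure above, worked through as an added example (this is not ReplyArc's code). It assumes, hypothetically, that the signature travels as a hex digest in an `X-ReplyArc-Signature` header and that each subscription owns its own random secret; both the header name and the `receive` handler shape are assumptions, not something the DPA specifies. The insecure `==` comparison is shown beside the constant-time form so the difference is visible.

```python
"""HMAC-SHA256 webhook signing with a per-subscription secret and
constant-time verification. Added example; not ReplyArc's code.
Header name and handler shape are assumed for illustration."""
import hashlib
import hmac
import json
import secrets

SIGNATURE_HEADER = "X-ReplyArc-Signature"  # assumed header name


def new_subscription_secret() -> str:
    # One random 256-bit secret per subscription: a leaked secret lets its
    # holder forge deliveries to that endpoint only, not to other subscribers.
    return secrets.token_hex(32)


def sign(secret: str, body: bytes) -> str:
    # Sign the exact bytes that go on the wire.
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def build_delivery(secret: str, event: dict) -> tuple[dict, bytes]:
    # Sender side: serialize once, sign those bytes, send both.
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {"Content-Type": "application/json",
               SIGNATURE_HEADER: sign(secret, body)}
    return headers, body


def verify_insecure(secret: str, body: bytes, presented: str) -> bool:
    # Anti-pattern: `==` stops at the first mismatching byte, so response
    # time reveals how many leading bytes of the forgery were correct.
    return sign(secret, body) == presented


def verify(secret: str, body: bytes, presented: object) -> bool:
    # Hardened form: compare_digest takes time independent of where the
    # inputs differ. Encode to bytes so a non-ASCII header cannot raise.
    if not isinstance(presented, str):
        return False
    expected = sign(secret, body)
    return hmac.compare_digest(expected.encode(), presented.encode())


def receive(secret: str, headers: dict, raw_body: bytes):
    # Receiver side: verify over the raw request bytes BEFORE parsing.
    # Re-serializing parsed JSON may not reproduce the signed bytes.
    if not verify(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    # Constructed sample event, not real platform data.
    sub_secret = new_subscription_secret()
    hdrs, payload = build_delivery(sub_secret, {"event": "reply.received",
                                                "thread_id": "t_123"})
    print("accepted:", receive(sub_secret, hdrs, payload))
    print("tampered:", receive(sub_secret, hdrs, payload + b" "))
```

Two points the code makes that the bullet does not: the receiver must verify the raw bytes it actually received, and the header must be treated as untrusted input (missing, wrong type, or wrong length) without raising.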

## 7. Personal Data Breach Notification

The Processor shall notify the Controller of any confirmed Personal Data
Breach without undue delay and in any event within seventy-two (72) hours of
becoming aware of it. The notification shall describe (a) the nature of the
Breach, (b) the categories and approximate number of Data Subjects affected,
(c) likely consequences, and (d) measures taken or proposed to address the
Breach and mitigate its possible adverse effects.

## 8. Data Subject Rights — SAR + Erasure

The Processor assists the Controller in fulfilling Data Subject requests by
providing the following endpoints:

   - **Subject Access Request (SAR) export** — `GET /api/users/me/sar-export`
     returns a streaming JSON archive of the Data Subject's account, consent
     state, and all activity events.
   - **Erasure** — verified erasure requests are executed within thirty (30) days
     of receipt; cascade-delete on `users.id` removes all associated activity
     events, draft history, style examples, and consent records.

## 9. Audit Rights

The Controller may, upon thirty (30) days' written notice and no more than once
per calendar year, audit the Processor's compliance with this DPA either by (a)
reviewing the Processor's most recent third-party security report (SOC 2 Type II
or equivalent, when available) or (b) submitting a written security
questionnaire which the Processor will complete within thirty (30) days. On-site
audits require mutual agreement and may incur reasonable fees.

## 10. International Transfers

Where Personal Data is transferred outside the European Economic Area, the
parties rely on the European Commission's Standard Contractual Clauses (SCCs,
Decision 2021/914) Module Two (Controller-to-Processor), incorporated by
reference into this DPA. The Processor warrants that it has implemented
supplementary measures consistent with the EDPB Recommendations 01/2020.

## 11. Sub-processor Changes (Notice + Objection Window)

The Processor shall notify the Controller at least thirty (30) days in advance
of engaging any new Sub-processor or replacing an existing one. Within fifteen
(15) days of such notice the Controller may object on reasonable data-protection
grounds; if the parties cannot agree on a mitigation the Controller may
terminate the affected service component without penalty for the unused portion.

## 12. Erasure on Termination

Upon termination of the Controller's subscription, the Processor shall, at the
Controller's election, return all Personal Data via SAR export or delete it
within thirty (30) days. Copies held in backups are not purged individually;
they expire with the Processor's standard backup rotation, so no copy persists
longer than ninety (90) days after deletion from the primary data store.

## 13. Governing Law and Jurisdiction

This DPA is governed by {GOVERNING_LAW_JURISDICTION}. The parties submit to the
exclusive jurisdiction of the courts of {COURT_VENUE} for any dispute arising
out of or in connection with this DPA, without prejudice to any mandatory
jurisdiction conferred on Data Subjects under applicable data-protection law.

## 14. Signatures

   - **Controller:** __________________________________  Date: __________________
   - **Processor:** __________________________________  Date: __________________

*End of Data Processing Agreement.*
