Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between REPLR, Inc. ("Processor," "REPLR," "we") and the entity accepting these terms ("Controller," "you") for the provision of the REPLR Service, including API access (the "Principal Agreement"). This DPA applies to the extent that REPLR processes Personal Data on your behalf in the course of providing the Service.
This DPA is designed to comply with the requirements of Article 28 of Regulation (EU) 2016/679 (the "GDPR"), the UK General Data Protection Regulation, and other applicable data protection legislation.
1. DEFINITIONS
In this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given to them in the Principal Agreement or the GDPR, as applicable.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by REPLR on behalf of the Controller in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Sub-processor" means any third party engaged by REPLR to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. SCOPE AND DETAILS OF PROCESSING
2.1 Subject Matter. REPLR processes Personal Data as necessary to provide the Service as described in the Principal Agreement, including AI conversation processing, memory and personality features, voice processing, and analytics.
2.2 Duration. Processing continues for the duration of the Principal Agreement and for such additional period as may be necessary to complete deletion of Personal Data in accordance with this DPA.
2.3 Nature and Purpose. The nature of processing includes collection, storage, retrieval, use, transmission, and deletion of Personal Data for the purpose of providing AI companion services, conversation memory, analytics, and related features.
2.4 Categories of Data Subjects. End users of the Controller's Client Application or REPLR account who interact with the Service.
2.5 Types of Personal Data. Account information (email, display name), conversation content (messages, voice transcripts), usage data (message counts, feature usage), and such other Personal Data as may be submitted by Data Subjects through the Service.
3. OBLIGATIONS OF THE PROCESSOR
REPLR shall:
- Process Personal Data only on documented instructions from the Controller (which include the Principal Agreement and this DPA), unless required to do so by applicable law, in which case REPLR shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so)
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 5
- Comply with the conditions for engaging Sub-processors set forth in Section 6
- Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligations to respond to Data Subject requests
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 through 36 of the GDPR, taking into account the nature of processing and the information available to REPLR
- At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires retention
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to Section 7
4. OBLIGATIONS OF THE CONTROLLER
The Controller shall:
- Comply with its obligations under applicable data protection laws with respect to its use of the Service and its processing instructions to REPLR
- Ensure that it has a lawful basis for providing Personal Data to REPLR for processing
- Be responsible for the accuracy, quality, and legality of Personal Data provided to REPLR
- Provide all notices to and obtain all consents from Data Subjects as required by applicable law
5. SECURITY MEASURES
REPLR implements and maintains the following technical and organizational security measures:
- Encryption in Transit: All data transmitted between clients and REPLR servers is encrypted using TLS 1.2 or higher
- Encryption at Rest: Databases are encrypted at rest using AES-256 encryption
- Authentication: Passwords are hashed using bcrypt with appropriate cost factors. API access is authenticated via cryptographically generated tokens
- Access Controls: Access to production systems is restricted to authorized personnel on a need-to-know basis with multi-factor authentication
- Data Minimization: IP addresses used for analytics are hashed (SHA-256) before storage. Guest sessions collect no personally identifiable information
- Monitoring: Systems are monitored for security events and anomalous activity
- Incident Response: REPLR maintains an incident response plan for identifying, containing, and remediating security incidents
6. SUB-PROCESSORS
6.1 Authorized Sub-processors. The Controller provides general written authorization for REPLR to engage Sub-processors. The current list of Sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| AI Processing Provider | Conversation and response generation | United States |
| Voice Processing Provider | Text-to-speech voice synthesis | United States |
| Speech Processing Provider | Speech-to-text transcription | United States |
| Stripe, Inc. | Payment processing | United States |
| Infrastructure Provider | Cloud hosting and data storage | United States |
6.2 Changes. REPLR shall notify the Controller at least fourteen (14) days prior to adding or replacing a Sub-processor, providing the Controller an opportunity to object. If the Controller objects on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected portion of the Service.
6.3 Sub-processor Obligations. REPLR shall impose on each Sub-processor data protection obligations no less protective than those set forth in this DPA. REPLR remains fully liable to the Controller for the performance of each Sub-processor's obligations.
7. AUDITS
7.1 Right to Audit. The Controller may, upon thirty (30) days' written notice and no more than once per calendar year, audit REPLR's compliance with this DPA. Audits shall be conducted during normal business hours, subject to reasonable confidentiality requirements, and shall not unreasonably interfere with REPLR's operations.
7.2 Alternative. In lieu of an on-site audit, REPLR may, at its discretion, provide the Controller with: (a) a summary of relevant security certifications or audit reports (e.g., SOC 2 Type II, if available); or (b) written responses to the Controller's reasonable audit questions.
8. DATA BREACH NOTIFICATION
8.1 Notification. REPLR shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Breach affecting Personal Data processed under this DPA.
8.2 Content. Such notification shall include, to the extent available: (a) a description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the Data Breach; (c) the measures taken or proposed to address the Data Breach and mitigate its effects; and (d) the contact point for further information.
8.3 Cooperation. REPLR shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
9. INTERNATIONAL DATA TRANSFERS
REPLR is based in the United States. To the extent that Personal Data originating from the European Economic Area, United Kingdom, or Switzerland is transferred to the United States, such transfers are made pursuant to the EU-U.S. Data Privacy Framework (where applicable) or the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference. The Controller's acceptance of this DPA constitutes execution of the Standard Contractual Clauses, with REPLR as the data importer and the Controller as the data exporter.
10. TERMINATION AND DATA DELETION
Upon termination of the Principal Agreement, REPLR shall, at the Controller's election and within thirty (30) days of written request: (a) return all Personal Data to the Controller in a commonly used, machine-readable format; or (b) securely delete all Personal Data and certify such deletion in writing. Notwithstanding the foregoing, REPLR may retain Personal Data to the extent and for the duration required by applicable law, provided that such retained data remains subject to the confidentiality and security obligations of this DPA.
11. LIABILITY
Each party's liability under this DPA is subject to the limitations of liability set forth in the Principal Agreement. Nothing in this DPA limits either party's liability to Data Subjects under applicable data protection law.
12. GOVERNING LAW
This DPA shall be governed by the laws specified in the Principal Agreement, except to the extent that applicable data protection law requires otherwise (e.g., GDPR-related claims shall be governed by the law of the applicable EU/EEA Member State).
13. CONTACT
For questions about this DPA, contact our Data Protection Officer at privacy@replr.ai or legal@replr.ai.