Data Processing Addendum

Last updated April 19, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between ReplyFront ("Processor") and the customer ("Controller") for the provision of the Service. It governs the processing of personal data submitted to the Service. Capitalized terms not defined here have the meaning given in the EU General Data Protection Regulation 2016/679 ("GDPR") and, where applicable, the UK GDPR.

1. Roles & subject matter

The Controller is the data controller of Customer Data; ReplyFront acts as data processor and processes personal data only on documented instructions from the Controller. The subject matter and duration of the processing are set out in the main agreement.

2. Categories of data subjects & data

  • Data subjects: end customers of the Controller's storefront, the Controller's employees and contractors with access to the dashboard.
  • Categories of data: contact details (name, email, phone), conversation transcripts, order and product references, IP addresses, browser metadata, customer attributes the Controller chooses to attach.

3. Processor obligations

ReplyFront will:

  • Process personal data only on the Controller's documented instructions, including transfers to third countries.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Annex II below).
  • Engage sub-processors only with the Controller's authorisation (general written authorisation per Section 5).
  • Assist the Controller in responding to data subject requests and in fulfilling its security and breach-notification obligations.
  • At the Controller's choice, delete or return all personal data after the end of the provision of services, unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4. Security measures (Annex II summary)

  • TLS 1.2 or higher for all data in transit; AES-256-GCM encryption at rest for secrets.
  • Argon2id password hashing.
  • Role-based access control with audit logging for all administrative actions.
  • Network isolation between web, worker, and database tiers.
  • Daily encrypted backups; 30-day retention; periodic restore tests.
  • Vulnerability scanning, dependency monitoring, and timely patching.
  • Incident response plan; notification of personal data breaches to the Controller without undue delay and in any event within 72 hours of becoming aware (see Section 8).

5. Sub-processors

The Controller authorises ReplyFront to engage the sub-processors listed at /legal/subprocessors. ReplyFront will (a) impose on each sub-processor data-protection obligations no less protective than those in this DPA, and (b) remain liable for the sub-processor's compliance. ReplyFront will notify the Controller at least 30 days in advance of any intended changes via the sub-processors page; the Controller may object on reasonable grounds.

6. International transfers

Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 (Module Two: controller to processor) and, where applicable, the UK International Data Transfer Addendum issued by the Information Commissioner's Office apply and are incorporated by reference.

7. Audits

ReplyFront will provide written responses to reasonable security questionnaires and, on request, summary reports of independent audits or certifications. Onsite audits are not permitted; remote audits may be conducted no more than once per year and with at least 30 days' notice, at the Controller's expense.

8. Data subject rights & breach notification

ReplyFront will, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights. ReplyFront will notify the Controller of a personal data breach without undue delay (and in any event within 72 hours) of becoming aware of it.

9. Term & termination

This DPA takes effect on the date the underlying agreement begins and continues until all personal data is deleted or returned per Section 3.

10. Order of precedence

In the event of a conflict between this DPA and the main agreement with respect to the processing of personal data, this DPA prevails.

To execute this DPA, Controllers may sign electronically by accepting the Service's Terms or by emailing a signed copy to [email protected].

Contact

Questions about this document? Email [email protected]. For data subject requests, write to [email protected].