Data Processing Addendum
Last updated: April 1, 2025
This Data Processing Addendum ("DPA") forms part of the agreement between ReplAiChat, Inc. ("Processor") and the customer ("Controller") and applies to the processing of personal data subject to the GDPR or comparable laws.
1. Roles
Controller determines the purposes and means of processing. Processor processes personal data on the Controller's documented instructions in connection with the Service.
2. Scope of processing
- Subject matter — provision of the ReplAiChat chatbot platform.
- Duration — for the term of the agreement plus retention periods stated in our Privacy Policy.
- Categories of data subjects — Controller's end users and visitors who interact with the chatbot.
- Categories of personal data — contact details, message content, technical identifiers.
3. Sub-processors
Controller authorizes Processor to engage sub-processors. A current list is available on request and we will provide notice of new sub-processors before they are engaged.
4. Security
Processor maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, audit logging, and regular penetration testing.
5. International transfers
Where data is transferred outside the EEA, the parties incorporate the EU Standard Contractual Clauses (Module Two) by reference.
6. Data subject requests
Processor will assist Controller in responding to data subject requests through the features available in the Service and through reasonable cooperation.
7. Audits
Processor will provide information necessary to demonstrate compliance and allow audits subject to reasonable confidentiality and notice requirements.
8. Return and deletion
On termination, Controller may export its data within 30 days. Thereafter, Processor will delete personal data within 90 days, except where retention is required by law.
9. Contact
Questions about this DPA: dpo@replaichat.app.