Version: v0.1 — published 2026-05-26. Pending legal review for any jurisdiction-specific schedules.
ReplyArc does not currently hold SOC 2, ISO 27001, or any formal data-protection regulatory certification. This DPA describes the operational data-handling commitments we agree to with controllers; it is not a representation that ReplyArc has been independently audited against any specific regulatory framework.
How to execute
The countersignable DPA — including the standard contractual clauses, Annex I (parties), Annex II (security measures), and Annex III (subprocessors) — is available on request to privacy@replyarc.com or by booking the install call. We typically counter-sign within two business days.
What follows is the substantive text of that DPA so controllers can review it before executing.
1. Subject matter and duration
The subject matter of the processing is the provision of the ReplyArc platform — a multi-tenant outbound communications, lead-management, and AI-assisted reply service — to the Controller. The duration of processing equals the term of the Controller's active subscription plus a 30-day post-termination data return / erasure window described in Section 12.
2. Nature and purpose of processing
The Processor processes Personal Data on behalf of the Controller for the following purposes only:
- operating the ReplyArc service,
- authenticating end-users,
- routing messages between the Controller's connected channels (Slack, Unipile-bridged providers, email),
- generating AI-assisted draft replies using credentials supplied by the Controller (BYOK), and
- producing aggregated, non-identifying telemetry necessary to operate the platform.
3. Categories of Personal Data
The categories of Personal Data processed are limited to: identity data (name, email, role), authentication data (hashed passwords, session tokens), workspace metadata (organisation name, member list), connected-channel credentials (encrypted at rest using Fernet), message metadata (subject line, timestamps, source), AI provider credentials (encrypted at rest), and server-side activity events (HTTP method, path, status code, hashed IP and user-agent fingerprints — never request or response bodies).
4. Categories of data subjects
- The Controller's employees and authorised end-users of the ReplyArc workspace.
- External recipients whose contact details the Controller uploads as leads or recipients.
- Participants in inbound message threads (reply senders) whose identifiers reach the platform via channel webhooks.
5. Subprocessors
The Controller authorises the Processor to engage the subprocessors listed at /legal/subprocessors. Changes to that list are notified per Section 11.
6. Security measures (Annex II)
The Processor implements appropriate technical and organisational security measures including, at minimum:
- Encryption at rest — Fernet symmetric encryption for all secret credentials (Slack bot tokens, AI provider API keys, webhook signing secrets); database volume-level encryption provided by the database host.
- Encryption in transit — TLS 1.2+ enforced on all internet-facing endpoints; HSTS preload-eligible.
- Role-based access control — 5-tier RBAC (OWNER / ADMIN / MEMBER / VIEWER / CLIENT) enforced server-side on every authenticated request.
- Activity-event retention cap — server-side activity events automatically purged after 90 days, scheduled 03:00 UTC daily.
- Webhook signing — all outbound webhooks signed with HMAC-SHA256 using a per-subscription secret; constant-time signature verification.
- Audit logging — administrative actions (role changes, integration installs, secret rotations) logged to the activity-event store.
7. Personal data breach notification
The Processor shall notify the Controller of any confirmed Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware of it. The notification shall describe (a) the nature of the breach, (b) the categories and approximate number of data subjects affected, (c) likely consequences, and (d) measures taken or proposed to address the breach and mitigate its possible adverse effects.
8. Data subject rights — SAR + erasure
The Processor assists the Controller in fulfilling data subject requests by providing the following endpoints:
- Subject Access Request (SAR) export — GET /api/users/me/sar-export returns a streaming JSON archive of the data subject's account, consent state, and all activity events.
- Erasure — verified erasure requests are executed within thirty (30) days of receipt; cascade-delete on users.id removes all associated activity events, draft history, style examples, and consent records.
9. Audit rights
The Controller may, upon thirty (30) days' written notice and no more than once per calendar year, review the Processor's adherence to this DPA by submitting a written security questionnaire, which the Processor will complete within thirty (30) days. The Processor does not currently maintain a third-party security audit report; if one becomes available the Processor will share the most recent version on request. On-site audits require mutual agreement and may incur reasonable fees.
10. International transfers
Where Personal Data is transferred outside the European Economic Area, the parties rely on the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) Module Two (Controller-to-Processor), incorporated by reference into this DPA. The Processor implements supplementary technical and organisational measures (encryption at rest, encryption in transit, access controls) commensurate with the categories of data processed.
11. Subprocessor changes (notice + objection window)
The Processor shall notify the Controller at least thirty (30) days in advance of engaging any new subprocessor or replacing an existing one. Within fifteen (15) days of such notice the Controller may object on reasonable data-protection grounds; if the parties cannot agree on a mitigation the Controller may terminate the affected service component without penalty for the unused portion.
12. Erasure on termination
Upon termination of the Controller's subscription, the Processor shall, at the Controller's election, return all Personal Data via SAR export or delete it within thirty (30) days. Backups are overwritten in accordance with the Processor's standard rotation schedule (no longer than ninety (90) days).
13. Governing law and jurisdiction
Governing law and jurisdiction are completed in the countersigned Annex I to match the Controller's primary place of business or as otherwise negotiated.
Request the countersignable DPA
Email privacy@replyarc.com with your legal entity name and address, or mention the DPA on your install call. We will return the executed DPA with the relevant annexes within two business days.