Data Processing Agreement
Replyful AB · Last updated: April 2026
1. Parties
This Data Processing Agreement ("DPA") is between you (the "Controller") and Replyful AB, org.nr 559554-2035 (the "Processor").
This DPA applies automatically when you use Replyful and we process personal data on your behalf. It supplements our Terms of Service.
2. Scope
You are the data controller for personal data your end-users provide through Replyful (chat conversations, emails, form submissions). We process this data solely to provide the service to you.
3. Data we process
Categories of data subjects
Your customers and end-users who interact with your Replyful-powered support channels.
Personal data processed
| Data type | Purpose |
|---|---|
| Name, email address | Conversation handling, email support |
| IP address, browser language | Session management, spam prevention |
| Chat and email message content | Providing the support service |
| File attachments | Message delivery |
| Conversation metadata (timestamps, status) | Routing, analytics, AI responses |
4. Our obligations
- Process personal data only on your documented instructions and as necessary to provide the service
- Ensure that people authorized to process the data are bound by confidentiality
- Not use personal data for any purpose other than providing the service
- Assist you in responding to data subject requests (access, deletion, portability)
- Delete all personal data at the end of the service relationship, at your choice
5. Security measures
We implement appropriate technical and organizational measures to protect personal data:
- Encryption in transit: TLS for all data in transit
- Encryption at rest: AES-256 encryption for sensitive data (API keys, credentials, email signing keys)
- Access control: Role-based permissions. All data queries are scoped to your organization — your data is never accessible to other customers
- Infrastructure: EU hosting with managed database backups
- Monitoring: Automated error tracking and alerting
6. Sub-processors
We use the following sub-processors to provide the service. We maintain contracts with appropriate data protection terms with each.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (SES, S3, Bedrock) | Email delivery, file storage, AI processing | Frankfurt, EU |
| Google Cloud (Vertex AI) | AI processing, text embeddings | Europe (west1) |
| Railway | Application hosting, database | Amsterdam, EU |
| WorkOS | Authentication | US (SCCs apply) |
| Stripe | Payment processing | US (SCCs apply) |
| Sentry | Error monitoring | Frankfurt, EU |
| PostHog | Product analytics | Frankfurt, EU |
We will notify you at least 30 days in advance before adding a new sub-processor. If you object, you may terminate the affected service before the new sub-processor begins processing.
7. International data transfers
Our primary infrastructure is located in the EU (Frankfurt and Amsterdam). Where data is transferred outside the EU/EEA (WorkOS, Stripe), we rely on EU Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
8. Data subject rights
If your end-users exercise their rights under GDPR (access, rectification, erasure, portability, objection), we will assist you in fulfilling those requests. Contact us at [email protected] and we will respond within 5 business days.
9. Data breach notification
If we become aware of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of it. The notification will include:
- The nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences
- The measures taken or proposed to address it
10. Data retention and deletion
- During the service: You control retention. Each channel has a configurable retention period — conversations are automatically deleted after your chosen number of days.
- After termination: We delete all personal data within 30 days of your account ending. You may request earlier deletion at any time.
- Exceptions: Data required by law (e.g. invoices under Swedish accounting law) is retained for the legally required period.
11. Audits
On request, we will provide you with information necessary to demonstrate compliance with this DPA. This includes documentation of our security measures and sub-processor agreements.
12. Liability
Each party is liable for its own obligations under GDPR. Our total liability under this DPA is subject to the limitations set out in our Terms of Service.
13. Term
This DPA is effective for as long as you use Replyful. It automatically terminates when your service agreement ends, subject to the data deletion obligations above.
14. Contact
For questions about this DPA or to exercise any rights under it:
Replyful AB
Email: [email protected]
This DPA is effective as of April 2026.