Data Processing Agreement

Replyful AB · Last updated: May 2026

1. Parties

This Data Processing Agreement ("DPA") is between you (the "Controller") and Replyful AB, org.nr 559554-2035 (the "Processor").

This DPA applies automatically when you use Replyful and we process personal data on your behalf. It supplements our Terms of Service.

2. Scope

You are the data controller for personal data your end-users provide through Replyful (chat conversations, emails, form submissions). We process this data solely to provide the service to you.

3. Data we process

Categories of data subjects

Your customers and end-users who interact with your Replyful-powered support channels.

Personal data processed

| Data type | Purpose |
| --- | --- |
| Name, email address | Conversation handling, email support |
| IP address, browser language | Session management, spam prevention |
| Chat and email message content | Providing the support service |
| File attachments | Message delivery |
| Conversation metadata (timestamps, status) | Routing, analytics, AI responses |

4. Our obligations

  • Process personal data only on your documented instructions and as necessary to provide the service
  • Ensure that people authorized to process the data are bound by confidentiality
  • Not use personal data for any purpose other than providing the service
  • Assist you in responding to data subject requests (access, deletion, portability)
  • Delete all personal data at the end of the service relationship, at your choice

5. Security measures

We implement appropriate technical and organizational measures to protect personal data:

  • Encryption in transit: TLS for all data in transit
  • Encryption at rest: Customer data is stored in an encrypted database. Sensitive credentials (API keys, webhook secrets, email signing keys) receive an additional AES-256 application-layer encryption before they reach the database.
  • Access control: Role-based permissions. All data queries are scoped to your organization — your data is never accessible to other customers
  • Personnel: EU/EEA-only operations team. Multi-factor authentication is required on every employee account. Employees receive only the access their role requires, and access is revoked when no longer required.
  • Endpoint security: Operator devices use full-disk encryption.
  • Secure development: Automated dependency updates. Tenant isolation (org-scoping) is verified by an automated test suite that runs on every code change.
  • Infrastructure: EU hosting
  • Backups: Encrypted daily backups retained for 7 days and weekly backups retained for 30 days, stored in the EU.
  • Logging: Application logs do not contain customer message bodies in normal operations
  • Monitoring and incident detection: Automated error tracking and alerting; breach notification within 72 hours (see Section 9).

6. Sub-processors

We use the following sub-processors to provide the service. We maintain contracts with appropriate data protection terms with each.

| Sub-processor | Purpose | Personal data transferred | Location |
| --- | --- | --- | --- |
| Amazon Web Services (SES, S3, Bedrock) | Email delivery, file storage, AI inference | Email contents and recipients (SES); file attachments, assets (logos, profile pictures etc.) (S3); AI processing (Bedrock) | Frankfurt, EU |
| Google Cloud (Vertex AI) | AI inference and text embeddings | Conversation text and knowledge-base content for inference and embedding generation | EU |
| Railway | Application hosting, primary database | All customer data (primary database) | Amsterdam, EU |
| Cloudflare | CDN, TLS termination, DDoS protection for proxied subdomains | HTTP request metadata (IP address, request headers) and request and response bodies for traffic to proxied subdomains. TLS is terminated at the Cloudflare edge before forwarding to our EU origin. Customer data is not stored at the Cloudflare edge. | Global edge network (US headquartered, SCCs apply) |
| WorkOS | Authentication for Replyful operators (SOC 2 Type II + ISO 27001 certified) | Operator name, email address, authentication metadata. No end-customer data. | US (SCCs apply) |
| Stripe | Payment processing | Billing contact name, email, billing address, payment-method tokens. No end-customer data. | US (SCCs apply) |
| Sentry | Error monitoring | Stack traces and request metadata. No message bodies. | Frankfurt, EU |
| PostHog | Product analytics | Analytics events from Replyful's public website. | Frankfurt, EU |

We will notify you at least 30 days in advance before adding a new sub-processor. If you object, you may terminate the affected service before the new sub-processor begins processing.

Our AI sub-processors commit that customer data is not used to train foundation models and is not shared with the underlying model providers. Google states this for Vertex AI in Google Cloud Service Terms, Section 18. AWS states for Amazon Bedrock that "inputs and outputs are never shared with model providers or used to train base models" (Bedrock security and privacy).

7. International data transfers

Our primary infrastructure is located in the EU (Frankfurt and Amsterdam). Where data is transferred outside the EU/EEA (WorkOS, Stripe, Cloudflare edge), we rely on EU Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

WorkOS and Stripe publish their own Transfer Impact Assessments and SCCs at workos.com/legal/data-processing-addendum and stripe.com/legal/dpa. We rely on those, together with the limited scope of data transferred (operator account data and billing data only, no end-customer content), as our transfer assessment for these sub-processors.

For traffic proxied through Cloudflare we rely on Cloudflare's customer DPA and SCCs, published at cloudflare.com/cloudflare-customer-dpa and cloudflare.com/cloudflare-customer-scc.

8. Data subject rights

If your end-users exercise their rights under GDPR (access, rectification, erasure, portability, objection), we will assist you in fulfilling those requests. Contact us at [email protected] and we will respond within 5 business days.

9. Data breach notification

If we become aware of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of it. The notification will include:

  • The nature of the breach
  • The categories and approximate number of data subjects affected
  • The likely consequences
  • The measures taken or proposed to address it

10. Data retention and deletion

  • During the service: You control retention. Each channel has a configurable retention period — once the period expires, the personal data in those conversations is permanently and irreversibly removed.
  • After termination: When your organization is removed, we delete all org data within 30 days; you may request earlier deletion at any time. Deleted data ages out of all backups within a further 30 days.
  • Exceptions: Data required by law (e.g. invoices under Swedish accounting law) is retained for the legally required period.

11. Audits

On request, we will provide you with information necessary to demonstrate compliance with this DPA. This includes documentation of our security measures and sub-processor agreements.

12. Security testing and certifications

We run continuous automated security scanning of the production environment (Detectify, OWASP ZAP, Cloudflare). Findings are triaged and remediated by the engineering team. Replyful does not currently hold an external SOC 2 or ISO 27001 certification; this is on our roadmap. Our authentication sub-processor (WorkOS) is SOC 2 Type II and ISO 27001 certified, and our infrastructure sub-processors (AWS, Google Cloud) maintain ISO 27001, SOC 1/2/3 and equivalent certifications.

13. Liability

Each party is liable for its own obligations under GDPR. Our total liability under this DPA is subject to the limitations set out in our Terms of Service.

14. Term

This DPA is effective for as long as you use Replyful. It automatically terminates when your service agreement ends, subject to the data deletion obligations above.

15. Contact

For questions about this DPA or to exercise any rights under it:

Replyful AB
Email: [email protected]

This DPA is effective as of May 2026.