Data Processing Agreement
This Data Processing Agreement (“DPA”) describes how InstantReply processes personal data on behalf of its business customers (“Customers”) in connection with the Service. It is designed to comply with the EU General Data Protection Regulation (GDPR) and equivalent data protection laws. This page is a public summary. Enterprise customers may request a countersigned DPA for their records.
Last updated: April 18, 2026
1. Roles and responsibilities
- Customer (Data Controller): the organization or individual that determines the purposes and means of processing personal data through the Service, including the conversation data, contact records, and any data imported into the platform.
- InstantReply (Data Processor): processes personal data on the Customer's behalf, only as instructed by the Customer and as necessary to provide the Service.
- Subprocessors: third-party services engaged by InstantReply to support the operation of the platform. We remain responsible for subprocessors' compliance with this DPA.
2. Data we process on your behalf
When you use InstantReply, we process the following categories of personal data as your processor:
- Contact identifiers: names, phone numbers, email addresses, and social media handles of your customers who message you through connected channels.
- Conversation content: the full text and attachments of messages exchanged between your team and your customers.
- CRM and tag data: labels, notes, and custom fields you assign to contacts within the platform.
- Usage metadata: timestamps, channel identifiers, and delivery statuses associated with conversations.
We do not use Customer Data for our own marketing or product development without explicit written consent.
3. Our obligations as processor
- Process personal data only on documented instructions from the Customer, including instructions provided through use of the Service.
- Ensure personnel authorized to process Customer Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and incident response procedures.
- Notify the Customer without undue delay (and in any case within 72 hours of becoming aware) of a personal data breach affecting Customer Data.
- Assist the Customer in responding to requests from data subjects exercising their rights (access, deletion, rectification, portability) to the extent possible given the nature of the processing.
- Delete or return all Customer Data upon termination of the Service, at the Customer's choice, within 30 days.
- Make available information reasonably necessary to demonstrate compliance with GDPR Article 28 obligations upon written request.
4. Technical and organizational measures
Our current security measures include:
- Encryption of data at rest and in transit (TLS 1.2+).
- Integration secrets (API keys, OAuth tokens) encrypted using AES-GCM with authentication tag verification.
- Row-level security and organization-scoped access controls enforced at the database level.
- Webhook signature verification and replay protection for inbound channel events.
- Multi-factor authentication available for all user accounts.
- Structured logging with automatic redaction of secret fields.
- CSRF protections for all browser-facing authenticated flows.
- Regular dependency updates and security patch management.
5. Subprocessors
We engage the following subprocessors. We will notify Customers of material changes to this list at least 14 days in advance by email or in-platform notice. Customers who object to a new subprocessor may terminate their subscription within that notice period.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, and real-time data storage | United States |
| Vercel | Frontend hosting, edge delivery, analytics, and performance monitoring | United States / Global CDN |
| Stripe | Payment processing and subscription management | United States |
| Google Analytics | Website analytics (marketing site only, not product/conversation data) | United States |
| Meta (Facebook) | WhatsApp Business API and Instagram messaging channel delivery | United States |
| Sentry | Error monitoring and performance tracing | United States |
6. International data transfers
Some of our subprocessors process data in the United States or other countries outside the EEA and UK. Where required by law, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the transfer mechanism. Copies of applicable SCCs are available on request.
7. Data subject rights assistance
As the data controller, you are responsible for responding to data subject requests from your customers. InstantReply will assist you by providing the technical means to search, export, correct, or delete personal data stored in the platform. For deletion requests that require action at the infrastructure level, contact us at privacy@instantreply.co.
8. Breach notification
In the event of a personal data breach affecting Customer Data, we will notify the affected Customer without undue delay and in any case within 72 hours of becoming aware of the breach. Notifications will be sent to the primary account email address and will include: the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach.
Need a countersigned DPA?
Enterprise customers and those operating under GDPR who require a countersigned DPA for their compliance records can request one. We will review and return a signed copy within 5 business days.