Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Instant Reply ("Processor" or "we") and you ("Controller" or "you") and governs the processing of Personal Data in connection with your use of our Services. This DPA complies with the EU General Data Protection Regulation (GDPR), UK GDPR, UAE Data Protection Law, and other applicable data protection laws.

1. DEFINITIONS

In this DPA, the following terms have the meanings set out below:

• "Personal Data" means any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller in connection with the Services.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• "Data Subject" means the individual to whom Personal Data relates.
• "Controller" means you, the entity that determines the purposes and means of processing Personal Data.
• "Processor" means Instant Reply, which processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party appointed by the Processor to process Personal Data.
• "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, UK GDPR, CCPA, and UAE Data Protection Law.
• "Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. SCOPE AND APPLICABILITY

2.1 Scope

This DPA applies to all Personal Data that the Processor processes on behalf of the Controller through the Services, including End User data (messages, contact information, conversation metadata) collected through our omnichannel inbox platform.

2.2 Roles and Responsibilities

The Controller is responsible for:

• Determining the purposes and means of processing Personal Data
• Ensuring lawful bases exist for all processing activities
• Providing Data Subjects with appropriate privacy notices
• Obtaining necessary consents from Data Subjects

The Processor is responsible for:

• Processing Personal Data only on documented instructions from the Controller
• Implementing appropriate technical and organizational security measures
• Assisting the Controller in meeting its obligations under Data Protection Laws
• Notifying the Controller of Security Incidents without undue delay

3. PROCESSING INSTRUCTIONS

3.1 Processing Authority

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to process by applicable law (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law).

3.2 Nature and Purpose of Processing

The Processor will process Personal Data to:

• Provide the omnichannel inbox platform Services
• Facilitate message routing and conversation management across channels
• Store and retrieve conversation data as directed by the Controller
• Provide analytics and reporting features
• Integrate with third-party platforms (Instagram, WhatsApp, Facebook, TikTok, Reddit)

3.3 Duration of Processing

Processing will occur for the duration of the Services agreement. Upon termination, the Processor will delete or return Personal Data as specified in Section 12.

3.4 Types of Personal Data

The Processor may process the following categories of Personal Data:

• Contact information (names, email addresses, phone numbers, social media handles)
• Message content (text, images, attachments, voice messages)
• Communication metadata (timestamps, read receipts, delivery status)
• Platform identifiers (Instagram user IDs, WhatsApp numbers, Facebook IDs)
• Any custom data fields created by the Controller

3.5 Categories of Data Subjects

Data Subjects include End Users (customers, prospects, or other individuals) who interact with the Controller through the platform's messaging channels.

4. SECURITY MEASURES

4.1 Technical and Organizational Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
• Regular security assessments and penetration testing
• Access controls with multi-factor authentication
• Role-based access control (RBAC) and principle of least privilege
• Logging and monitoring of access to Personal Data
• Intrusion detection and prevention systems
• Regular backups with geographic redundancy
• Secure software development lifecycle (SDLC)
• Employee security training and background checks

4.2 Security Documentation

Upon request, the Processor will provide the Controller with reasonable information regarding its security measures, subject to confidentiality obligations.

5. SUB-PROCESSORS

5.1 Authorization to Use Sub-processors

The Controller authorizes the Processor to engage Sub-processors to process Personal Data. The Processor shall enter into written agreements with Sub-processors imposing data protection obligations substantially similar to those in this DPA.

5.2 Current Sub-processors

The Processor currently uses the following Sub-processors:

• Amazon Web Services (AWS) - Cloud infrastructure and storage
• DigitalOcean - Additional cloud infrastructure
• Redis Labs - Database caching services
• Stripe - Payment processing
• SendGrid - Email delivery services

5.3 Changes to Sub-processors

The Processor will provide the Controller with at least 30 days' prior notice of any new Sub-processor. If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties will work together in good faith to find a resolution. If no resolution is found, the Controller may terminate the agreement without penalty.

5.4 Processor Liability

The Processor remains fully liable to the Controller for the performance of Sub-processors' obligations under this DPA.

6. DATA SUBJECT RIGHTS

6.1 Assistance with Data Subject Requests

The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection). The Processor shall not respond to such requests except on the Controller's documented instructions or as required by law.

6.2 Technical Assistance

The Processor shall provide reasonable technical assistance to enable the Controller to respond to Data Subject requests, including by providing tools within the platform for data export, rectification, and deletion. The Processor may charge reasonable fees for assistance beyond what is provided through the standard platform features.

7. SECURITY INCIDENTS

7.1 Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Security Incident, and in any event within 72 hours of discovery. The notification shall include:

• Description of the nature of the Security Incident
• Categories and approximate number of Data Subjects affected
• Categories and approximate volume of Personal Data records affected
• Likely consequences of the Security Incident
• Measures taken or proposed to address the Security Incident and mitigate harm

7.2 Cooperation

The Processor shall cooperate with the Controller and provide reasonable assistance in investigating and responding to the Security Incident, and shall take reasonable steps to remediate the cause of the Security Incident.

7.3 No Admission of Liability

Notification of a Security Incident under this section shall not be construed as an admission of fault or liability by the Processor.

8. DATA PROTECTION IMPACT ASSESSMENTS AND PRIOR CONSULTATION

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to conduct under Data Protection Laws, to the extent such assistance relates to the processing of Personal Data by the Processor.

The Processor may charge reasonable fees for assistance that requires significant time or resources beyond standard platform operations.

9. DELETION OR RETURN OF PERSONAL DATA

9.1 Upon Termination

Upon termination of the Services agreement, the Processor shall, at the Controller's choice and within 30 days of termination:

• Delete all Personal Data processed on behalf of the Controller, or
• Return all Personal Data to the Controller in a commonly used, machine-readable format

9.2 Exceptions

The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor ensures the confidentiality of such Personal Data and only processes it as necessary to comply with legal obligations.

9.3 Backups

Personal Data may persist in backup systems for up to 90 days after deletion. Backup data is encrypted and accessible only for disaster recovery purposes.

10. AUDITS AND COMPLIANCE

10.1 Audit Rights

Upon reasonable advance notice (at least 30 days), the Controller may audit the Processor's compliance with this DPA, no more than once per year, unless required by supervisory authority or following a Security Incident. Audits shall be conducted during business hours and shall not unreasonably interfere with the Processor's operations.

10.2 Documentation

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA, including:

• Security certifications (SOC 2, ISO 27001, or equivalent)
• Security policies and procedures
• Audit reports from independent third-party auditors

10.3 Costs

The Controller shall bear all costs associated with audits, including reasonable fees for the Processor's time and resources, except in cases where the audit reveals material non-compliance by the Processor.

11. INTERNATIONAL DATA TRANSFERS

11.1 Transfer Mechanisms

Where the Processor transfers Personal Data to countries outside the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, it shall ensure appropriate safeguards are in place, including:

• European Commission-approved Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission or equivalent authorities
• Other legally valid transfer mechanisms approved by supervisory authorities

11.2 Standard Contractual Clauses

To the extent required by Data Protection Laws, the parties agree to be bound by the European Commission's Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries (Module Two: Controller to Processor), as updated from time to time.

12. CONFIDENTIALITY

12.1 Personnel

The Processor shall ensure that all personnel authorized to process Personal Data are subject to confidentiality obligations (whether contractual or statutory) and receive appropriate training on data protection.

12.2 Access Limitations

The Processor shall ensure that access to Personal Data is limited to personnel who require access to perform their duties under the Services agreement.

13. TERM AND TERMINATION

13.1 Term

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

13.2 Survival

Sections relating to deletion of Personal Data, confidentiality, audits, and limitation of liability shall survive termination of this DPA.

14. LIMITATION OF LIABILITY

Each party's liability arising out of or related to this DPA shall be subject to the limitation of liability provisions in the Terms of Service. Nothing in this DPA shall limit either party's liability for:

• Violations of Data Protection Laws
• Breaches of confidentiality obligations
• Fraud, willful misconduct, or gross negligence

15. GOVERNING LAW

This DPA shall be governed by the same governing law provisions as the Terms of Service.

16. AMENDMENTS

The Processor may amend this DPA to reflect changes in Data Protection Laws or the Processor's data processing practices. Material changes will be communicated to the Controller with at least 30 days' advance notice. Continued use of the Services after such changes constitutes acceptance.