NEWNew: connect Notion, Confluence, Zendesk, Intercom, Google Drive, SharePoint and more — bring your existing knowledge into Replai in minutes. Learn more

Data Processing Agreement

Our GDPR Article 28 terms for processing end-user personal data on behalf of business customers.

Last updated: 17 June 2026Draft — pending legal review

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and Replai ("Processor") and applies where Replai processes personal data on the Controller's behalf.

1. Roles, precedence, and duration

1.1 The Controller determines the purposes and means of processing; the Processor processes only on the Controller's behalf.

1.2 In case of conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails.

1.3 This DPA lasts for the duration of the subscription and for as long as the Processor processes personal data on the Controller's behalf.

2. Scope and instructions

2.1 The Processor processes personal data only on the Controller's documented instructions, including those in this DPA and the Controller's use of the Service, unless required otherwise by EU or Member State law (in which case it will inform the Controller unless legally prohibited).

2.2 The subject-matter, nature, purpose, data categories, and data subjects are set out in Annex 1.

2.3 The Processor will inform the Controller if, in its opinion, an instruction infringes data-protection law.

3. Confidentiality

The Processor ensures that persons authorised to process the personal data are bound by confidentiality.

4. Security (Art. 32)

The Processor implements appropriate technical and organisational measures, set out in Annex 2.

5. Sub-processors

5.1 The Controller gives a general authorisation for the Processor to engage sub-processors.

5.2 The current sub-processors are listed in the public Sub-processors list.

5.3 The Processor will give at least 30 days' prior notice of intended additions or replacements, and the Controller may object on reasonable data-protection grounds.

5.4 The Processor imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable for their performance.

6. International transfers

Where personal data is transferred outside the EEA, the Processor uses an approved safeguard, including the Standard Contractual Clauses (SCCs) referenced in Annex 3.

7. Assistance to the Controller

Taking into account the nature of processing and information available, the Processor will assist the Controller in responding to data-subject requests and with its obligations under Art. 32–36 (security, breach notification, data-protection impact assessments, and prior consultation).

8. Personal-data breach

The Processor will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal-data breach affecting the Controller's data, with the information reasonably available.

9. Return or deletion

On termination, at the Controller's choice, the Processor will return or delete the personal data and existing copies, unless retention is required by law. Timing is set in Annex 1 and aligned with the Terms of Service.

10. Audit

The Processor will make available information necessary to demonstrate compliance with Art. 28 and allow and contribute to audits, including inspections, by the Controller or an auditor it mandates, subject to reasonable confidentiality and security conditions.

Annex 1 — Details of processing

  • Subject-matter: provision of the AI customer-support Service.
  • Nature and purpose: receiving, storing, indexing, and processing end-user conversation data and connected knowledge sources to generate support responses and enable human handoff.
  • Duration: the subscription term plus the deletion/return period (30 days).
  • Categories of data subjects: the Controller's end users and Authorised Users.
  • Categories of personal data: identifiers and contact data, conversation content, and any other data the Controller chooses to submit. The Controller must not submit special-category data except under the conditions in the Acceptable Use Policy.

Annex 2 — Technical and organisational measures

[To be completed — e.g. encryption in transit and at rest, access controls, tenant isolation, logging, backups, vulnerability management, personnel training.]

Annex 3 — Sub-processors and transfer safeguards

See the Sub-processors list. Transfer safeguard: SCCs [+ specify modules and supplementary measures].