Replofy
Contract addendum

Data Processing Agreement

This DPA defines how Replofy processes Customer Personal Data, what security measures apply, how subprocessors are managed, how incidents are handled, and how data is returned or deleted when the service ends.

Applies to

Customers acting as controllers or processors that submit personal data into Replofy and require Article 28 processor terms.

Document summary

Article 28 processor terms for customers that use Replofy to process personal data on their behalf.

Article 28-style controller-processor commitments
Concrete subprocessor notification and objection flow
Annexes for processing details, security measures, and subprocessor register
Section 01

1. Scope, incorporation, and roles

This Data Processing Agreement ("DPA") forms part of the agreement between Replofy AI Inc. ("Replofy") and the customer identified in the applicable Order Form or subscription record ("Customer"). It applies when Replofy processes personal data on behalf of Customer while providing the Replofy service.

For Customer Personal Data submitted into the hosted service, Customer acts as the controller or instructing processor and Replofy acts as the processor. This DPA does not apply to data for which Replofy acts as controller, such as website visitor data, billing-contact data, or direct communications with Replofy.

Execution
This DPA is incorporated by reference when a customer signs an Order Form or accepts Replofy terms that expressly reference this DPA.
Section 02

2. Annex I - processing details

ItemDescription
Subject matterProvision of a hosted, multi-tenant customer support platform, knowledge base, workflow engine, widget, and connected channel integrations.
DurationFor the subscription term, then handled under the return-or-deletion workflow described in this DPA. The current target is up to 30 days for primary-system return or deletion and up to 90 additional days for managed backup expiry, unless law requires longer retention.
Nature of processingCollection, organization, storage, retrieval, indexing, search, transmission, drafting, ticket routing, workflow execution, and deletion under Customer instructions.
PurposeProvide the Replofy service, including support operations, knowledge retrieval, AI-assisted drafting, autonomous workflows enabled by Customer, and connected channel synchronization.
Data subjectsCustomer personnel, customer end users, prospects, leads, website visitors, support contacts, and other individuals whose data Customer submits into Replofy.
Data categoriesContact details, ticket content, conversation history, attachments, knowledge-base uploads, integration metadata, device and log data, and other customer-configured support records.
Sensitive dataCustomer must not submit special-category or similarly sensitive regulated data unless the parties agree in writing on the relevant controls and permitted use case.
Section 03

3. Customer instructions and Customer responsibilities

Replofy will process Customer Personal Data only on documented Customer instructions, including the customer-facing configuration choices made in the product, the master contract, and this DPA, unless applicable law requires another action. If applicable law requires Replofy to process Customer Personal Data beyond Customer instructions, Replofy will inform Customer before doing so unless that law prohibits notice on important grounds of public interest. Replofy will also notify Customer without undue delay if it believes a Customer instruction infringes applicable data protection law.

Customer is responsible for:

  • providing accurate instructions and using the service in a lawful manner;
  • ensuring it has a lawful basis and necessary notices for data it uploads or syncs into Replofy;
  • configuring user roles, workflow rules, channels, and knowledge content appropriately for its use case; and
  • deciding whether AI-assisted or autonomous response features should be enabled for a specific workflow.
Section 04

4. Replofy processor obligations

Replofy will:

  • process Customer Personal Data only on documented Customer instructions;
  • ensure personnel and contractors with access to Customer Personal Data are bound by confidentiality obligations;
  • maintain appropriate technical and organizational measures for the service, including tenant isolation, authenticated access paths, audit logging, and security monitoring;
  • assist Customer, by appropriate technical and organizational measures and taking into account the nature of processing and the information available to Replofy, with data subject requests under Articles 15 through 22 and obligations under Articles 32 through 36 where applicable;
  • make available information reasonably necessary to demonstrate compliance with this DPA; and
  • return or delete Customer Personal Data as described in this DPA at the end of the service relationship.
Section 05

5. Annex II - security measures

Control areaCurrent baseline
Access controlWorkspace access is authenticated and scoped by organization membership and role. Tenant data access is mediated through tenant-aware RPCs and MCP tools rather than direct client queries to tenant schemas.
Tenant isolationCustomer workspaces are designed around a schema-per-tenant model to reduce cross-tenant exposure and to keep operational data separated by organization.
Transmission securityCustomer access and connected integrations use encrypted HTTPS or provider-supported secure transport. OAuth-based connections are used for Gmail and similar supported integrations.
Secrets and tokensIntegration secrets and certain OAuth tokens rely on provider-managed storage protections, scoped service access, and operational access controls. Replofy does not store customer Google passwords.
Logging and auditabilityThe service maintains audit trails and operational logs for workspace actions, queue processing, workflow execution, and administrative changes.
Application safeguardsPrompt-hardening, bounded runtime settings, forbidden-topic controls, length limits, and internal-only tool boundaries are used to reduce, not eliminate, unsafe AI output paths.
Availability and resilienceReplofy relies on managed cloud infrastructure providers for runtime hosting, database durability, and recovery capabilities. Availability commitments are addressed separately in the SLA when applicable.
Review and maintenanceReplofy reviews and updates security measures as the service, infrastructure, and threat environment change, and may supplement this Annex through later security documentation or contractual updates.
Section 06

6. Subprocessors and subprocessor changes

Customer authorizes Replofy to use the Replofy subprocessors listed below, subject to the notice process in this section.

SubprocessorPurposeTypical data involved
SupabaseManaged PostgreSQL, authentication, storage, realtime, and Edge Function infrastructureWorkspace data, account data, files, tokens, and operational metadata
Google CloudCloud Run and supporting application infrastructure for AI and API servicesTicket content, email content, knowledge retrieval context, logs, and service metadata
Google-hosted AI servicesModel inference and retrieval services used in customer-configured AI workflowsCustomer prompts, approved knowledge context, and service metadata required for the configured workflow
Customer-enabled third-party services
Customer-selected integrations such as Gmail or other third-party services enabled by Customer may also receive or return Customer Personal Data under Customer's configuration. Those services are governed by the relevant third-party terms and are not treated as additions to Replofy's general subprocessor list solely because a customer enables them.
Change management
Replofy will provide at least 30 days notice by email or in-product notice to the administrative contact associated with the workspace before adding or replacing a Replofy subprocessor that materially affects Customer Personal Data. Customer may object on reasonable data-protection grounds within 15 days of notice. If the parties cannot resolve the objection before the change becomes effective, either party may terminate the affected service scope without penalty.

Replofy will impose the same data protection obligations on each subprocessor that apply to Replofy under this DPA and remains responsible to Customer for each subprocessor's performance of those obligations to the extent required by applicable law.

Section 07

7. Incidents, assistance, and international transfers

Replofy will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and, where feasible, will aim to provide initial notice within 48 hours. Replofy will provide known details about the nature of the incident, affected data categories, likely consequences, and containment or remediation steps as they become available.

Replofy will assist Customer, taking into account the nature of processing and the information available to Replofy, with breach notification, DPIA support, prior consultation requests, and data subject requests under Articles 15 through 22 and 32 through 36.

Where Customer Personal Data is transferred internationally, Replofy will do so only under documented Customer instructions or as necessary to provide the agreed service in compliance with Chapter V of the GDPR. Replofy will rely on recognized transfer mechanisms, including adequacy decisions and standard contractual clauses, together with supplemental measures where appropriate, and will provide relevant transfer information on request.

Section 08

8. Return, deletion, audits, and precedence

At Customer's choice, Replofy will return Customer Personal Data or delete it at the end of the service relationship, except where retention is required by law. The operational baseline is deletion or return targeted within 30 days after termination, with managed backups typically expiring within up to 90 additional days.

Customer may request reasonable information necessary to verify compliance with this DPA. Customer or its independent mandated auditor may conduct a reasonable audit or inspection of Replofy's compliance with this DPA on advance written notice, subject to confidentiality, security, and proportionality safeguards that do not unreasonably disrupt service operations or expose other customers' data. Replofy may supplement that audit process with current security documentation, subprocessor disclosures, and written responses, but those materials do not replace the audit right.

If this DPA conflicts with the general Terms of Service, this DPA controls solely for matters involving the processing of Customer Personal Data.

Legal questions

Contact Replofy for procurement, privacy, or security review.

Contact us