Reply Data Processing Agreement
Last Modified: March 14, 2023
Previous Version: Reply.io Data Processing Agreement v1.1 as of July 6, 2022
1. This Data Processing Agreement (this “DPA”) supplements the Reply Terms of Service (the “Terms”), as updated from time to time, and constitutes an integral part of the Terms.
2. Unless otherwise defined in this DPA, all terms used in this DPA shall have the meanings given to them in the Terms.
3. This DPA sets out the terms on which we will process Your Data, as defined below, when providing the Services to you.
4. The purpose of this DPA is to comply with the requirements of the Applicable Data Protection Legislation, as defined below.
a. The following terms used in this DPA will have the meanings given to them below:
“Applicable Data Protection Legislation” means the applicable data protection legislation that may be updated from time to time, which may include the GDPR, CCPA, etc.
“CCPA” means the California Consumer Privacy Act of 2018, which may be amended from time to time.
“Data Protection Audit” has the meaning given to it in section 9 below.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as may be amended from time to time.
“Instructions” means your explicit instructions to us regarding specific activities with respect to Your Data.
“Security Incident” means a breach of our security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Your Data.
“Sub-Processor” means a sub-processor engaged by us in order to delegate certain processing activities with respect to the personal data.
“SCC” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj. Only Modules 2 and 3 shall apply depending on your role (controller or processor) and, unless otherwise stated in Exhibit B hereto, no optional clauses shall apply.
“Your Data” means any personal data related to data subjects uploaded to the Services by you.
b. The terms “business”, “controller”, “data exporter”, “data importer”, “data subject”, “personal data”, “personal information”, “personal data breach”, “processing”, “process”, “processor”, “service provider” shall have the same meaning as in and be inclusive of similar concepts under the Applicable Data Protection Legislation and may be lowercase or capitalized herein.
2. Data Processing
a. Scope. This DPA applies when and if you use the Services and upload Your Data to the Services.
A. When you use the Services and upload Your Data, we act as a processor (service provider) and you act either as a controller (business) or processor (service provider).
B. If you are a controller (business), you determine the purposes and scope of processing and instruct us how to process Your Data. Specifically, you will provide or make available to us the specific purposes, duration and nature of such collection being described in this DPA.
C. If you are a processor (service provider), the respective controller(s) (business(es)) determine(s) the purposes and scope of processing and you instruct us how to process Your Data. Specifically, you will provide or make available to us the specific purposes, duration and nature of such collection being described in this DPA.
D. You retain control of Your Data and remain responsible for compliance with your obligations under the Applicable Data Protection Legislation and for the Instructions you give to us, while we will process Your Data as described in this DPA or the respective Instructions.
c. Our Responsibilities. While processing Your Data, we will comply with our obligations established in the Applicable Data Protection Legislation. In addition to our obligations under this DPA, we also declare and agree as follows:
A. We will process Your Data only to the extent and in such a manner as is necessary for the provision of the Services and in accordance with the Applicable Data Protection Legislation and this DPA.
B. We will not sell (as defined in the CCPA) Your Data.
C. We will not retain, use, or disclose Your Data (i) for any purpose other than for the specific purpose of providing the Services, (ii) outside of the direct business relationship between you and us, or (iii) as otherwise prohibited by Applicable Data Protection Legislation.
D. We will not combine Your Data with other personal data that we receive from, or on behalf of, another person, or collect from our own interactions, except where expressly required to perform the Services.
E. We will notify you if we determine that we can no longer meet our obligations under Applicable Data Protection Legislation and allow you to take reasonable and appropriate steps to remediate unauthorized processing of Your Data.
d. Your Responsibilities.
A. You represent and warrant that you have taken all the required measures to ensure that we and our sub-processors may lawfully process Your Data in accordance with this DPA and the Applicable Data Protection Legislation.
B. You shall ensure that any and all privacy notices required under the Applicable Data Protection Legislation have been given to the applicable data subjects.
C. Upon redirection by us of requests made by data subjects or the authorities empowered under the Applicable Data Protection Legislation, you will respond to the requests concerning Your Data or provide us with the relevant instruction on responding to such requests.
D. You shall immediately notify us of any inquiries by any governmental or regulatory body or law enforcement authority about us, the Services or our processing of Your Data.
e. Processing Details.
A. Subject matter. The subject matter of the data processing under this DPA is Your Data.
B. Duration. Subject to the applicable law or a valid and binding order of a governmental body, the duration of the data processing is determined by you.
C. Purpose. The purpose of the data processing under this DPA is the provision of the Services.
D. Nature of the processing. Collection, verification, validation, storage, structuring, adaptation, and such other activities as available within the Services and/or initiated by you.
E. Type of data. This includes Your Data, which may include, for example, full name, email address, phone number, and position.
F. Categories of data subjects. The data subjects are any natural persons whose personal data is uploaded by you to the Services.
G. Frequency of transfer. On a continuous basis, in accordance with your use of the Services.
f. Compliance. We and you will comply with all applicable and binding laws, rules, and regulations, in relation to the performance of this DPA, including the Applicable Data Protection Legislation. We will reasonably assist you with your obligations under the Applicable Data Protection Legislation, including your obligations to respond to requests from data subjects.
Subject to the applicable law, including the Applicable Data Protection Legislation, and the Terms, we will act and process Your Data upon your Instructions. The Instructions are outlined in this DPA and may be provided via the Services functionality. Additional Instructions outside the scope of the Instructions above, if any, may require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such Instructions. If, in our opinion, your Instructions infringe the Applicable Data Protection Legislation, we will immediately inform you of the same, in which case, you are entitled to withdraw or modify the respective Instructions.
a. Permitted Use and Disclosure. We will not use or disclose Your Data to any third party except (i) upon your Instructions, (ii) as outlined in this DPA or Terms, (iii) as necessary to maintain or provide the Services, or (iv) as necessary to comply with the applicable law or a valid and binding order of a governmental body (such as a subpoena or court order).
b. Required Disclosure. If a governmental body sends us a demand for Your Data, we will attempt to redirect the governmental body to request that data directly from you. As part of this effort, we may provide your basic contact information to the governmental body. If compelled to disclose Your Data to a governmental body, then we will give you reasonable notice of the demand to allow you to seek a protective order or another appropriate remedy unless we are legally prohibited from doing so.
c. Personnel. We restrict our personnel from processing Your Data without our authorization. We impose appropriate contractual obligations upon our personnel, including relevant obligations regarding confidentiality, data protection, and data security.
a. Security Measures. We have implemented and will maintain reasonably necessary technical and organizational measures to protect the confidentiality, integrity and availability of Your Data. This includes (i) information security measures, (ii) physical security measures, (iii) measures to control access rights for our personnel and contractors, and (iv) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by us. Security measures may be updated by us from time to time. Particular security [measures are provided in Exhibit B hereto OR that apply with respect to Your Data processing will be provided to you upon request].
b. Personnel Requirements. We take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable law on all of our personnel who have access to Your Data. We also ensure that our personnel:
A. are informed of the confidential nature of Your Data and are bound by confidentiality obligations and use restrictions in respect of Your Data;
B. have undertaken training on the Applicable Data Protection Legislation relating to handling Your Data and how it applies to their particular duties; and
C. are aware both of our duties and of their personal duties and obligations under the Applicable Data Protection Legislation and this DPA.
c. Confirmation. By using the Services and uploading Your Data, you hereby certify that, after your assessment of the Applicable Data Protection Legislation and the technical and organizational measures implemented by us, we adequately protect Your Data as contemplated herein against accidental or unlawful destruction, loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against other forms of unlawful or unauthorized processing.
a. General. You hereby provide us with general authorization to use sub-processors to provide processing activities on Your Data on your behalf in accordance with this Section. The list of sub-processors is provided in Exhibit A hereto and if we change the list, we will update Exhibit A accordingly.
b. Objection. If you object to the engagement of a specific sub-processor and provide legitimate reasons for the objection, we may:
A. cease using the respective sub-processor with regard to Your Data (if this will not jeopardize the provision or quality of the Services); or
B. taking into account the costs and state of the art, consider providing another sub-processor; or
If the above is not possible or feasible, you may cease using the Services involving the respective sub-processor’s engagement.
c. Sub-processors. Where we engage a sub-processor, we will:
A. restrict the sub-processor’s access to Your Data only to what is necessary to provide or maintain the respective activities and prohibit the sub-processor from accessing Your Data for any other purpose;
B. enter into a written agreement with the sub-processor and, to the extent that the sub-processor performs the same data processing services provided by us under this DPA, we will impose on the sub-processor substantially the same contractual obligations that we have under this DPA; and
C. remain responsible for the sub-processor’s compliance with obligations under this DPA and for any sub-processor’s acts or omissions that cause us to breach any of our obligations under this DPA.
a. General. Taking into account the nature of the processing, we will assist you in fulfilling your obligations to respond to data subjects’ requests under the Applicable Data Protection Legislation. If a data subject makes a request to us, we will promptly forward such request to you once we have identified that the request is from a data subject for whom you are responsible. You hereby authorize us to respond on your behalf to any data subject who makes a request to us, to confirm that we have forwarded the request to you.
b. Notification. Unless otherwise prohibited by law or a legally binding order of a governmental or regulatory body or law enforcement authority, we will notify you of any request for the disclosure of Your Data by such a body or authority.
8. Security Incident
a. General. We will notify you of a confirmed Security Incident without undue delay after becoming aware of it and we will take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from it.
b. Assistance. To enable you to notify the Security Incident to the appropriate government authorities or data subjects (as applicable) and mitigate it, we will cooperate with and assist you by including in the notification under clause 8(a) above such information about the Security Incident as we are able to disclose to you, taking into account the nature of the processing, the information available to us, and any restrictions on disclosing the information, such as confidentiality.
c. Your Responsibilities. You are solely responsible for determining whether to provide notice of the Security Incident to any data subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or at your discretion, including the contents and delivery method of the notice, and whether to offer any type of remedy to the affected data subjects, including the nature and extent of such remedy.
d. No Acknowledgement. Our obligation to report or respond to a Security Incident under this section 8 is not and will not be construed as an acknowledgment by us of any of our fault or liability with respect to the Security Incident.
e. Notification Means. Notification of the Security Incidents, if any, will be delivered to you by any means we select, including via email. It is your sole responsibility to ensure that you maintain accurate contact information with us and secure transmission at all times.
f. Unsuccessful Security Incident. You agree that an unsuccessful Security Incident will not be subject to this section 8. An unsuccessful Security Incident is one that results in no unauthorized access to Your Data or to any of our equipment or facilities storing Your Data and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents.
g. Expenses. Unless the respective Security Incident arose due to our fault, we reserve the right to require you to cover all reasonable expenses incurred by us in the course of our performance of this section 8.
9. Audits, Assessments, and Consultations
A. At your written request, and provided that we have an applicable non-disclosure agreement in place, we will contribute to audits conducted by you or a nominated third party so that you can reasonably verify our compliance with our obligations under this DPA (the “Data Protection Audit”).
B. If you choose to conduct the Data Protection Audit, you have the right to request or mandate the Data Protection Audit on your own behalf and in accordance with this DPA.
C. The Data Protection Audit shall be conducted no more than once during any twelve-month period and shall be conducted during normal business hours with reasonable duration, and not to interfere with our operations.
D. No Data Protection Audit shall involve access to any data relating to any other client of ours or to systems or facilities not involved in the processing of Your Data and in no event shall the Data Protection Audit cause us to violate our confidentiality obligations to any third party.
E. You shall be responsible for all costs and expenses relating to the Data Protection Audit conducted under this section 9, including for any time we dedicate to such Data Protection Audit at our then-current rates, which will be provided to you upon request of the Data Protection Audit.
b. Assessment and Consultation. Taking into account the nature of the processing and the information available to us, we will assist you in complying with your obligations in respect of data protection impact assessments and prior consultation with data protection authorities, by providing the reasonably necessary information.
a. Transfer Impact Assessment. Taking into account the nature of the processing and the information available to us, we will assist you in complying with your obligations in respect of transfer impact assessment, by providing the reasonably necessary information.
b. Processing Locations. As a general rule, we process personal data in the United States of America, which jurisdiction may not provide the same level of privacy and data protection as other jurisdictions, such as the European Economic Area, United Kingdom, or Switzerland.
c. SCC. For transfers of Your Data from the European Economic Area, United Kingdom, or Switzerland, the SCC is incorporated herein and completed as set forth in and subject to Exhibit B, as an appropriate safeguard. When you are acting as a controller, Module 2 of the SCC will apply to the respective transfer. When you are acting as a processor, Module 3 of the SCC will apply to the respective transfer. Taking into account the nature of the processing, you agree that it is unlikely that we will know the identity of your respective controller(s) because we may have no direct relationship with your respective controller(s) and, therefore, you will fulfill our obligations to your respective controller(s) under Module 3 of the SCC.
d. Additional Terms. Additional Terms to the SCC (if and to the extent the SCC applies):
A. Conflict. In the event of any conflict or inconsistency between this DPA and the SCC, the SCC shall prevail.
B. Docking Clause. The optional Clause 7 of the SCC shall not apply.
C. Security of Processing. You are solely responsible for making an independent determination as to whether the technical and organizational measures set forth in this DPA meet your requirements and you agree that (taking into account the state of art, the costs of implementation, and the nature, scope, context and purposes of the processing of Your Data as well as the risks to individuals) the security measures and policies implemented and maintained by us provide a level of security appropriate to the risk with respect to Your Data.
D. Audits. The audits described in the SCC shall be carried out in accordance with this DPA.
E. Sub-processors. Pursuant to the SCC, we have your general authorization for the engagement of sub-processor(s). Appointment and notification of sub-processors shall be carried out in accordance with this DPA.
F. Data Subject Rights. Pursuant to the SCC, data subject rights shall be carried out in accordance with this DPA.
G. Liability. Pursuant to the SCC, our liability shall be subject to the Terms.
H. Court-review safeguard. If we receive demands from governmental authorities for data access to Your Data, to the extent we conclude there are reasonable grounds to consider that the request is unlawful, we shall use commercially reasonable legal mechanisms to challenge such demands as well as any non-disclosure provisions attached thereto.
I. Notice of demand. To the extent legally permissible, we shall promptly notify you if we receive demands for data access through the national security process for data related to you or the Customer Data provided by you, and we shall make all reasonable legal efforts to refrain from providing data until you have had an opportunity to challenge such demands.
J. Certification of Deletion. The certification of deletion of Your Data that is described in the SCC shall be provided by us to you only upon your written request.
K. Annexes. The contents of Annexes to the SCC are provided in Exhibit B attached hereto.
L. Data Exports from the United Kingdom and Switzerland under the SCC. In the case of any transfers of Your Data from the United Kingdom that is exclusively subject to the United Kingdom Data Protection Laws and Regulations (the “UK Data Protection Laws”), and/or in case of any transfers of Your Data from Switzerland that is exclusively subject to the Swiss Data Protection Laws and Regulations (the “Swiss Data Protection Laws”), then general and specific references or obligations in the SCC to the GDPR or EU or Member State Law shall refer to the equivalent reference in either the UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by the Swiss Data Protection Laws, the SCC also applies to the transfer of information relating to an identifiable legal entity where such information is protected similarly as personal data under the Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity. In respect of data transfers governed by the UK Data Protection Laws, by entering into this DPA, we and you are hereby deemed to have entered the United Kingdom Information Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0 as of 21 March 2022), which are completed as follows:
- Table 1: the parties’ details and key contacts are set forth in Exhibit B attached hereto.
- Table 2: the Approved Standard Contractual Clauses referenced in Table 2 shall be the SCC as set forth in Clause 10(c) of this DPA.
- Table 3: Annexes 1A, 1B, II and III are as set forth in Exhibit B attached hereto.
- Table 4: We may end the UK Standard Contractual Clauses as set out in Section 19.
- Subject to the terms of this DPA, by entering into this DPA, the parties are deemed to be signing the UK Standard Contractual Clauses.
11. Return and Destruction
Subject to the requirements of the applicable legislation and the terms and conditions of the Terms, we will cease processing and return and/or delete Your Data when you (i) request the same or (ii) do the same by using the Services functionality, if available.
12. Term, Termination, and Suspension
a. Term. This DPA will continue in force until the termination of the Terms.
b. Suspension and Termination. If a change in the Applicable Data Protection Legislation prevents either you or us from fulfilling all or part of this DPA, we and/or you will suspend the processing of Your Data until that processing complies with the new requirements. If we and/or you are unable to bring Your Data processing into compliance with the Applicable Data Protection Legislation within one (1) month, either we or you may terminate the Terms on written notice. You agree that termination of the Terms is your sole remedy in such a situation.
b. Conflict. Except as supplemented by this DPA, the Terms will remain in full force and effect. Unless otherwise expressly prescribed herein, if there is a conflict between the Terms and this DPA, the terms of this DPA will control with respect to the terms of processing Your Data.
c. SCC. In the cases explicitly outlined herein, this DPA incorporates the SCC by reference. Unless otherwise explicitly prescribed herein, nothing in this DPA varies or modifies the SCC.
We currently engage the following sub-processors:
Name: Microsoft, Inc. and Microsoft Ireland Operations Limited.
Addresses: One Microsoft Way Redmond Washington, 98052-6399, USA, and South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland.
Contact person: Microsoft EU Data Protection Officer, +353 (1) 706-3117.
Description: Microsoft Azure Cloud used by us to store and process all the data covered by this DPA in secure locations on Azure servers. This includes, but is not limited to, storing, deleting, validating, and transferring data.
Name: Google, Inc. and Google Ireland Limited.
Addresses: 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA and Gordon House, 4 Barrow Street, Dublin, D04 E5w5, Co Dublin, Ireland.
Contact person: Emil Ochotta, https://support.google.com/cloud/contact/dpo.
Description: Google is processing contact and email address information in order to send emails via Google/GSuite servers that we use, as well as contact information needed to book meetings via Reply’s integration with Google Calendar. These can originate from Reply to Google and are sent using API.
Name: Cloudflare, Inc.
Address: 101 Townsend St, San Francisco, CA 94107, USA.
Contact person: +1 (650) 319-8930, email@example.com.
Description: Cloudflare is used as a gateway for traffic between the end-user browser and our applications via an encrypted HTTPS connection. Cloudflare does not directly process data but can still be a point to consider.
Name: Twilio, Inc.
Address: 25 N Wall Quay, North Wall, Dublin 1, D01 H104, Ireland.
Contact person: firstname.lastname@example.org.
Description: Twilio is processing phone numbers in order to provide Cloud Call and phone validation services for our customers/users, as well as contacts’ first/last name or other custom variables which the customer/user will need to use for SMS messaging.
Name: Cobisi Research TM, Inc.
Address: 35 Via Prima Strada, Padova, Veneto, 35129, Italy.
Contact person: Efran Cobisi.
Description: Verifalia is a third party email validation provider used by us to process emails (only) to validate them for deliverability purposes on a request basis (as needed).
Name: OpenAI Inc.
Address: 3180 18th Street Suite 100 San Francisco, CA 94110, United States.
Contact person: email@example.com.
Description: OpenAI is processing portions of texts/emails created within the Services (the Reply platform) in order to enrich them with AI capabilities which can include personal data such as first name, last name, or other custom variables that our customers/users decide to include in such texts.
Name: TexAu LLC.
Address: 209/210, Building No. 4, Sector 5, Opp. MBMC Office, Mira Road – East, Thane – 401107.
Contact person: Vikesh Tiwari, firstname.lastname@example.org.
Description: Syncs replies from LinkedIn and sends messages or connection requests to LinkedIn contacts. TexAu is a powerful automation tool that enables users to extract data from various sources, automate tasks and workflows, and integrate with different applications. It simplifies the process of data scraping, data enrichment, lead generation, and social media automation.
Annex I (Details of the Processing Activities and Transfer)
A. List of Parties
Contact person’s name, position and contact details: […].
Activities relevant to the data transferred under these Clauses: The activities specified in Clause 2(e) of the DPA.
Signature and date: Subject to the DPA, by using the Services to transfer Your Data to us, the data exporter will be deemed to have signed the Standard Contractual Clauses.
Role (controller / processor): Controller or Processor (as the case may be).
Contact person’s name, position and contact details: […].
Activities relevant to the data transferred under these Clauses: The activities specified in Clause 2(e) of the DPA.
Signature and date: Subject to the DPA, by receiving Your Data within the Services, the data importer will be deemed to have signed the Standard Contractual Clauses.
Role (controller / processor): Processor
B. Description of Transfer
1. Categories of data subjects whose personal data is transferred: Categories of data subjects are specified in Clause 2(e) of the DPA.
2. Categories of personal data transferred: Categories of personal data are described in Clause 2(e) of the DPA.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The data exporter is not likely to include sensitive personal data in the personal data described in Clause 2(e) of the DPA.
4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous, depending on Data exporter’s use of the Services.
5. Nature of the processing: The nature of the processing is described in Clause 2(e) of the DPA.
6. Purpose(s) of the data transfer and further processing: To provide the Services functionality.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As outlined in Clause 2(e) of the DPA.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter, nature and duration of the processing are described in Clause 2(e) of the DPA.
C. Competent Supervisory Authority
The competent supervisory authority is the supervisory authority where (i) the Data exporter is incorporated, if the Data exporter is incorporated in an EU Member State, or (ii) the Data exporter’s establishment is located, if the Data exporter is incorporated not in an EU Member State, but has an establishment in an EU Member State, or (iii) the Data exporter’s EU representative is located, if the Data exporter is incorporated not in an EU Member State and has no establishment in an EU Member State.
Where the data exporter is established in Switzerland or falls within the territorial scope of application of the Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by the Swiss Data Protection Laws and Regulations.
Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of the UK Data Protection Laws and Regulations, the Information Commissioner’s Office shall act as the competent supervisory authority insofar as the relevant data transfer is governed by the UK Data Protection Laws and Regulations.
Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data)
The technical and organizational measures as well as the scope and the extent of the assistance required to respond to data subjects’ requests, are described in the DPA. The technical and organisational measures that the data importer will impose on sub-processors are described in the DPA.
Annex III (List of Sub-processors)
The sub-processors are listed in Exhibit A to the DPA above.