Legal

Data Processing Agreement

This DPA describes how ReplyLayer processes customer personal data on behalf of customers and how international transfers are handled.

Effective date: May 7, 2026

This Data Processing Agreement (DPA) forms part of the agreement between ReplyLayer LLC ("ReplyLayer") and the customer entity or person using the Service ("Customer"). It applies when ReplyLayer processes personal data on Customer's behalf in connection with the Service.

This DPA supplements the Terms of Service, order form, or other services agreement between the parties (Main Agreement). If there is a conflict between this DPA and the Main Agreement on matters of data protection, this DPA controls to the extent of that conflict.

1. Definitions and roles

Terms such as personal data, processing, controller, processor, data subject, and personal data breach have the meanings given by applicable data protection law.

For Customer Personal Data processed under this DPA, Customer is the controller or processor responsible for the processing instructions, and ReplyLayer acts as Customer's processor or subprocessor, as applicable.

2. Scope and order of precedence

This DPA applies only to the extent ReplyLayer processes personal data on behalf of Customer as part of providing the Service. It does not apply where ReplyLayer acts as an independent controller, such as for its own account administration, billing, security operations, fraud prevention, legal compliance, or business records about its direct relationship with Customer.

Customer instructs ReplyLayer to process Customer Personal Data as necessary to provide the Service, in accordance with the Main Agreement, Customer's use of product features, Customer's documented support requests, and this DPA.

3. Subject matter, duration, nature, and purpose of processing

The subject matter, duration, nature, purpose, and categories of processing are described in Annex 1. In general, ReplyLayer processes Customer Personal Data for the duration of the Main Agreement and for any limited period needed afterward to complete deletion, return, backup rotation, legal retention, or other obligations described in the Main Agreement, this DPA, or applicable law.

4. Processor obligations

ReplyLayer will:

  • process Customer Personal Data only on Customer's documented instructions, unless required to do otherwise by applicable law;
  • ensure persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations;
  • implement appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Annex 2;
  • not sell Customer Personal Data or use it for cross-context behavioral advertising;
  • not use Customer Personal Data for ReplyLayer's own marketing purposes; and
  • notify Customer if, in ReplyLayer's opinion, a processing instruction violates applicable data protection law, unless prohibited from doing so by law.

Customer acknowledges that use of the Service may include automated safety scanning, sanitization, quarantine, blocking, suppression, rate limiting, storage of full original email payloads, safety-check audit records, and other operational controls described in the Main Agreement and product documentation.

5. Customer obligations

Customer is responsible for:

  • having a valid legal basis for the collection and processing of Customer Personal Data;
  • providing any required notices to data subjects and obtaining any required consents;
  • using the Service in compliance with applicable law and the Main Agreement;
  • ensuring that its instructions to ReplyLayer are lawful; and
  • responding to data subject requests unless applicable law requires ReplyLayer to respond directly.

6. Security measures

ReplyLayer will maintain appropriate technical and organizational measures taking into account the nature of the processing, the state of the art, the costs of implementation, and the risks to data subjects. A summary of current measures appears in Annex 2.

ReplyLayer maintains an internal access policy that constrains operator access to Customer Personal Data to enumerated permitted reasons and is reviewed at least annually. The policy is available to Customer on reasonable request, subject to confidentiality obligations.

Customer understands that no security measure is perfect and that the Service includes risk-reduction controls rather than a warranty of zero incidents.

7. Subprocessors

Customer grants ReplyLayer a general authorization to engage subprocessors. ReplyLayer will impose data protection obligations on subprocessors that are no less protective than the obligations in this DPA, to the extent applicable to the services they provide.

ReplyLayer's current subprocessors are listed in Annex 3. ReplyLayer may update its subprocessors from time to time. For material new subprocessors that process Customer Personal Data, ReplyLayer will provide notice by updating its published list, the dashboard, or other reasonable means before or around the time the change takes effect.

If Customer reasonably objects to a new subprocessor on data protection grounds, the parties will work in good faith to address the concern. If no reasonable resolution is available, Customer may stop using the affected portion of the Service or terminate the affected Services in accordance with the Main Agreement.

8. Assistance with data subject requests

Taking into account the nature of the processing, ReplyLayer will provide reasonable assistance to Customer in responding to requests from data subjects to exercise their rights under applicable data protection law, using appropriate technical and organizational measures where reasonably feasible.

The Service already includes certain self-service tools, such as account export and account deletion. Customer remains responsible for determining how to respond to requests relating to Customer's own mailbox workflows and communications with its recipients.

9. Assistance with compliance and personal data breaches

Taking into account the nature of the processing and the information available to ReplyLayer, ReplyLayer will provide reasonable assistance to Customer with Customer's obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation where required by applicable law.

If ReplyLayer becomes aware of a confirmed personal data breach affecting Customer Personal Data, ReplyLayer will notify Customer without undue delay and provide available information reasonably necessary for Customer to understand the incident and meet its own legal obligations.

Where Customer is subject to litigation, regulatory investigation, or other legal process requiring the identification, preservation, collection, or production of electronically stored information processed through the Service (eDiscovery), ReplyLayer will provide reasonable cooperation and assistance, including making available standard data exports, search-filtered message sets, audit logs, and metadata within the capabilities of the Service's self-service tools.

eDiscovery assistance beyond what is available through the Service's standard self-service export and search tools — such as custom data extractions, format conversions for litigation-review platforms, litigation-specific filtering, forensic-grade collections, custodian-level segregation, or testimony and declarations — may be provided at ReplyLayer's then-current professional services rates. ReplyLayer will provide a scope estimate and fee schedule before commencing non-standard eDiscovery work unless emergency circumstances require immediate action, in which case ReplyLayer will notify Customer of applicable fees as soon as practicable. For standard eDiscovery requests that can be fulfilled through the Service's existing export functionality, ReplyLayer will use commercially reasonable efforts to respond within ten (10) business days of receiving a written request with sufficient detail.

10. Audits and information rights

ReplyLayer will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Customer may request additional information relevant to compliance with Article 28 of the GDPR or equivalent processor obligations under other applicable data protection law.

If the information made available by ReplyLayer is not sufficient, Customer may conduct an audit of ReplyLayer's relevant processing activities no more than once per 12-month period, on at least 30 days' prior written notice, during normal business hours, and in a manner that avoids unreasonable disruption to ReplyLayer's business, systems, and other customers. Audits must be limited to matters relevant to Customer's processing under this DPA and are subject to reasonable confidentiality restrictions, remote review preference where appropriate, and Customer bearing its own audit costs.

11. Return and deletion of data

On termination or expiration of the Main Agreement, ReplyLayer will delete or return Customer Personal Data in accordance with the Main Agreement, this DPA, and Customer's use of available export functionality, unless retention is required by applicable law.

Customer acknowledges that ReplyLayer's production systems include a 30-day account-deletion grace period before permanent deletion, that some data may remain in encrypted backups for a limited time after deletion, and that certain database audit or access records may be retained where legally permitted, in a form that no longer directly identifies a person after deletion. Customer also acknowledges that safety-scanning and related quality-control audit records may contain limited Customer Personal Data, such as input hashes, limited previews with personal information removed, safety-check results, or model-generated excerpts, and are retained for a limited period, currently targeted at no more than 90 days, unless legal hold, incident response, abuse investigation, litigation, or another valid preservation basis applies.

Notwithstanding the foregoing, ReplyLayer may retain Customer Personal Data beyond the standard deletion timelines where a legal hold, litigation preservation obligation, law enforcement request, regulatory demand, or other legal requirement applies. Where available under Customer's plan, Customer may also place a legal hold on its own account through the Service's Legal Hold feature to prevent automated purging of its data during the hold period. Data subject to a legal hold will be retained until the applicable hold is released. ReplyLayer will notify Customer if ReplyLayer places a system-level legal hold on Customer's data, unless prohibited from doing so by law or legal process.

Customer is solely responsible for placing, managing, and releasing legal holds on its own account when Customer's legal obligations require preservation. ReplyLayer is not responsible for any spoliation, sanctions, adverse inferences, or penalties resulting from Customer's failure to use the Legal Hold feature where available under Customer's plan, or to otherwise preserve electronically stored information that Customer is required to retain.

12. International transfers

ReplyLayer currently processes and stores Customer Personal Data in the United States. ReplyLayer does not currently offer EU or other regional data residency or localization for customer email content, metadata, or account information.

To the extent Customer Personal Data subject to the GDPR, UK GDPR, Swiss data protection law, or similar transfer restrictions is transferred to the United States or another jurisdiction that requires a transfer mechanism, the parties agree that the applicable transfer mechanism in Annex 4 is incorporated into this DPA by reference.

13. CCPA and similar U.S. state laws

To the extent applicable, ReplyLayer will act as a service provider or contractor and will not retain, use, or disclose Customer Personal Data except as permitted by the Main Agreement, this DPA, or applicable law. ReplyLayer will not sell Customer Personal Data or share it for cross-context behavioral advertising.

ReplyLayer will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer, and will not combine Customer Personal Data with personal data received from other sources except as permitted by applicable U.S. state privacy laws.

14. Liability

This DPA is subject to the liability limitations and exclusions in the Main Agreement unless applicable law requires otherwise. Nothing in this DPA expands either party's liability beyond what is set out in the Main Agreement except to the extent prohibited by law.

15. Annex 1: Details of processing

Subject matter: provision of ReplyLayer's mailbox, routing, message handling, safety-screening, API, CLI, MCP, and dashboard services.

Duration: the term of the Main Agreement, plus any limited period needed for deletion, return, backups, legal retention, and operational wind-down.

Nature of processing: collection, receipt, organization, storage, sanitization, analysis, transmission, access, deletion, and other processing needed to provide the Service.

Purpose: operating customer mailbox workflows, delivering and receiving email, applying inbound and outbound safety controls, providing account features, and maintaining platform security and reliability.

Categories of data subjects: Customer personnel and users, Customer's mailbox correspondents, message senders and recipients, support contacts, and other individuals whose personal data appears in Customer Personal Data.

Categories of personal data: contact information, account identifiers, mailbox addresses, message metadata, message content, sanitized message content, full original message payloads (raw MIME) that may contain names, email addresses, routing headers, signatures, and other identifiers, attachment metadata, delivery events, suppression data, safety-check audit records, security and audit logs, and other personal data Customer chooses to process through the Service.

Sensitive data: Customer must not use the Service for special-category or other regulated data unless separately agreed in writing.

16. Annex 2: Technical and organizational measures

  • logical tenant isolation in production systems, including row-level protections for application paths;
  • role-based access controls and authentication controls for dashboard and API access;
  • HTTPS for public endpoints and encrypted private-network transport between internal services;
  • managed encryption at rest for primary database and object storage through infrastructure providers;
  • safe-view defaults that expose sanitized message content rather than raw MIME in standard dashboard/API views;
  • append-only audit records for certain administrative and content-access events;
  • retention limits and account-linked deletion controls for safety-check audit records;
  • operational monitoring, rate limits, circuit breakers, and abuse-detection controls; and
  • subprocessor management and contractual confidentiality obligations.

17. Annex 3: Current subprocessors

Subprocessors that may handle Customer email content:

  • Mailgun Technologies, Inc. (Sinch) — email routing, delivery, and event handling — United States
  • Cloudflare, Inc. — content delivery network, DNS, and secure object storage for raw MIME, attachments, derived previews, and safety-check audit records — United States / global infrastructure
  • Railway Corporation — application hosting and managed database services — United States
  • xAI Corp. — artificial intelligence and machine learning inference, engaged as a cross-vendor fallback for content scanning, appeal review, and spam-review/abuse-alert summarization when the corresponding self-hosted model is unavailable or at capacity — United States
  • widdix GmbH (attachmentAV) — inbound attachment virus and malware scanning — attachment content transmitted for analysis, not retained after scanning — Germany
  • Google LLC (Web Risk) — inbound URL reputation lookups — only SHA-256 hash prefixes of URLs from inbound messages are transmitted (typically the first 4 bytes of the hash); full URLs and full hashes are not sent — United States
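As an added illustration of the hash-prefix lookup described for the Web Risk entry above (example code written for this page, not ReplyLayer's or Google's implementation), the following Python shows what such a lookup transmits and why a prefix match alone is not a verdict. The canonicalization routine is a deliberately simplified stand-in for Google's URL canonicalization rules, and the blocked prefixes and "server" full-hash answers are constructed sample data; all three are assumptions of this example.

```python
"""Hash-prefix URL reputation lookup, modelled for illustration.

Assumptions (not from the page): simplified canonicalization, constructed
threat data, and a dict standing in for the server's full-hash answer.
"""
import hashlib
from urllib.parse import urlsplit, urlunsplit

PREFIX_LEN = 4  # bytes transmitted per URL: 2^32 possible prefixes


def canonicalize(url: str) -> str:
    """Simplified canonical form: lowercase scheme and host, drop the
    fragment, empty path becomes '/'. Real lookups apply Google's fuller
    rules (assumption: this stand-in is enough to show the mechanism)."""
    parts = urlsplit(url.strip())
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


def full_hash(url: str) -> bytes:
    """SHA-256 of the canonical URL; this value stays on the platform."""
    return hashlib.sha256(canonicalize(url).encode("utf-8")).digest()


def hash_prefix(url: str, n: int = PREFIX_LEN) -> bytes:
    """The only thing a prefix lookup sends: the first n bytes of the hash."""
    return full_hash(url)[:n]


def outbound_payload(urls) -> list:
    """Hex prefixes a lookup would transmit; no URL text is included."""
    return sorted({hash_prefix(u).hex() for u in urls})


def classify(url: str, blocked_prefixes: set, full_hashes_for_prefix: dict) -> str:
    """Two-stage check. A prefix hit is only a candidate: the client fetches
    the full hashes the server holds for that prefix and compares locally, so
    the server never learns which full hash (or URL) the client had."""
    p = hash_prefix(url)
    if p not in blocked_prefixes:
        return "clean"
    if full_hash(url) in full_hashes_for_prefix.get(p, set()):
        return "malicious"
    return "prefix-collision"  # same 4 bytes, different URL: do not block


# Constructed sample data for the illustration (not real threat data).
BAD_URL = "http://malware.example/bad"
COLLIDING_URL = "http://benign.example/page"
BLOCKED_PREFIXES = {hash_prefix(BAD_URL), hash_prefix(COLLIDING_URL)}
# Simulated server answer per prefix. For the benign URL's prefix the
# "server" lists a different full hash that merely shares the 4-byte prefix.
SERVER_FULL_HASHES = {
    hash_prefix(BAD_URL): {full_hash(BAD_URL)},
    hash_prefix(COLLIDING_URL): {hash_prefix(COLLIDING_URL) + bytes(28)},
}

if __name__ == "__main__":
    print("transmitted:", outbound_payload([BAD_URL, COLLIDING_URL]))
    for u in (BAD_URL, COLLIDING_URL, "https://example.org/"):
        print(u, "->", classify(u, BLOCKED_PREFIXES, SERVER_FULL_HASHES))
```

The practical point for a reviewer of this Annex is the second stage: because a 4-byte prefix covers only 2^32 values, unrelated URLs will occasionally share one, so a correct client treats a prefix hit as a reason to fetch and compare full hashes locally rather than as grounds to block.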

Providers that handle account or platform data but are not used as email-content scanning subprocessors:

  • Google LLC — optional sign-in authentication — no customer email content access through ReplyLayer
  • GitHub, Inc. (Microsoft Corporation) — optional sign-in authentication — no customer email content access through ReplyLayer
  • Stripe, Inc. — payment processing, subscription billing, invoicing, and tax calculation — receives billing email, payment instrument data (card last-4, billing address, tax ID), and subscription/invoice records — no customer email content access — United States

18. Annex 4: International transfer mechanism

For transfers of Customer Personal Data from the European Economic Area to ReplyLayer in the United States that require a transfer mechanism, the parties incorporate the European Commission's Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914, using Module Two (controller to processor) or Module Three (processor to processor) as applicable, completed as follows:

  • Exporter: Customer
  • Importer: ReplyLayer LLC
  • Module: Module Two (controller to processor), or Module Three where Customer acts as a processor and ReplyLayer acts as a subprocessor
  • Clause 7 (Docking Clause): included
  • Clause 9 (Use of subprocessors): Option 2, general written authorization
  • Clause 11 (Redress): optional language not included unless required by law
  • Clause 17 (Governing law): Ireland, to the extent required for SCC validity
  • Clause 18 (Forum and jurisdiction): courts of Ireland, to the extent required for SCC validity
  • Annex I, II, and III of the SCCs are satisfied by Annexes 1, 2, and 3 of this DPA

For restricted transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs, with this DPA and the incorporated SCCs providing the underlying details. For transfers subject to Swiss law, references to the GDPR and EU member states are interpreted as including the Swiss Federal Act on Data Protection and Switzerland where required.

If a different transfer mechanism becomes required or more appropriate under applicable law, the parties will work in good faith to implement it.