Data Processing Agreement (DPA)
Written By Simon from Replaiy
Replaiy B.V.
Last updated: May 7, 2026
Version 1.0
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Replaiy B.V. ("Replaiy," "Processor") and the Customer ("Customer," "Controller") that has subscribed to Replaiy's Services. The DPA reflects the parties' agreement on the processing of personal data in accordance with the requirements of Regulation (EU) 2016/679 (the "GDPR").
By using the Services, the Customer enters into this DPA with Replaiy. The DPA is incorporated by reference into the Agreement. Where there is a conflict between the Agreement and this DPA in relation to the processing of personal data, this DPA prevails.
A signed counterpart of this DPA is available on request via legal@replaiy.ai.
2. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or in the GDPR. For clarity:
Controller – The Customer, who determines the purposes and means of the processing of personal data.
Processor – Replaiy, processing personal data on behalf of the Controller.
Sub-processor – Any third party engaged by Replaiy to process personal data on behalf of the Controller.
Personal Data – Any personal data processed by Replaiy on behalf of the Controller in connection with the Services.
Data Subject – An identified or identifiable natural person to whom the Personal Data relates, including Users and Leads.
SCCs – The Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914.
3. Roles of the Parties
The Controller and Processor acknowledge that, with respect to the processing of Personal Data carried out by Replaiy on behalf of the Customer in the course of providing the Services:
The Customer is the Controller.
Replaiy is the Processor.
Each Sub-processor is a sub-processor.
Replaiy acts as an independent Controller for processing related to its own business operations, including account administration, billing, security, and product analytics, as described in Replaiy's Privacy Policy.
4. Subject Matter and Duration
4.1 Subject Matter
The processing of Personal Data by Replaiy on behalf of the Controller in connection with the provision of the Services, including AI-assisted drafting and management of LinkedIn outreach and conversations.
4.2 Duration
The DPA applies for the duration of the Agreement and any period during which Replaiy continues to process Personal Data on behalf of the Controller after termination, until deletion or return of Personal Data in accordance with Section 12.
4.3 Nature and Purpose
The nature of the processing includes collection, storage, structuring, transmission, generation (via AI), retrieval, and deletion of Personal Data, for the purpose of enabling the Services as described in the Agreement.
4.4 Categories of Data Subjects
Users (Customer's employees, contractors, or representatives)
Leads (recipients of communications sent through the Services)
4.5 Categories of Personal Data
Identification and contact data (name, email, LinkedIn profile URL, headline, employer)
Communications data (messages drafted, sent, and received via the Services)
Technical data (IP address, device identifiers, usage logs)
Any other data the Controller chooses to submit through the Services
The Controller agrees not to submit special categories of personal data (Article 9 GDPR) through the Services.
5. Obligations of the Processor
Replaiy shall:
Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law applicable to Replaiy.
Inform the Controller of any such legal requirement before processing, unless the law prohibits this.
Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
Implement appropriate technical and organizational measures as set out in Annex II.
Engage Sub-processors only in accordance with Section 7.
Assist the Controller with appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects (Articles 15–22 GDPR).
Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Replaiy.
Notify the Controller in accordance with Section 8 in the event of a Personal Data Breach.
Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as set out in Section 11.
Immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
6. Obligations of the Controller
The Controller represents and warrants that:
It has a valid legal basis under the GDPR for the processing carried out via the Services.
It has provided all required information to Data Subjects, obtained any required consents, and complied with its own obligations under the GDPR.
Its instructions to Replaiy comply with applicable data protection law.
It has the right to transfer Personal Data to Replaiy for processing under this DPA.
It will not submit special categories of personal data through the Services.
It will fulfill its obligations as deployer of an AI system under the EU AI Act, including any disclosure obligations toward Leads.
7. Sub-processors
7.1 General Authorization
The Controller grants Replaiy general authorization to engage Sub-processors. The current list of Sub-processors is published in the Subprocessors page of our Help Center and forms Annex III to this DPA.
7.2 Notice of Changes
Replaiy will notify the Controller at least 30 days in advance of adding or replacing a Sub-processor. The Controller may object on reasonable, documented data protection grounds within this period by writing to legal@replaiy.ai. If the parties cannot agree on a resolution, the Controller may terminate the affected portion of the Services without penalty as its sole remedy.
7.3 Sub-processor Obligations
Replaiy enters into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA. Replaiy remains liable to the Controller for the performance of each Sub-processor's obligations.
8. Personal Data Breach
Replaiy will notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include, to the extent known at the time:
The nature of the breach, including categories and approximate number of Data Subjects and records affected.
The likely consequences of the breach.
The measures taken or proposed to address the breach and mitigate its effects.
Replaiy will provide reasonable assistance to enable the Controller to comply with its own notification obligations under Articles 33 and 34 GDPR.
9. Data Subject Rights
Taking into account the nature of the processing, Replaiy will assist the Controller by appropriate technical and organizational measures, insofar as possible, in responding to requests from Data Subjects exercising rights under Articles 15 to 22 GDPR.
Where Replaiy receives a request directly from a Data Subject relating to the Controller's Personal Data, Replaiy will not respond directly except to acknowledge receipt and, where appropriate, refer the Data Subject to the Controller.
10. International Data Transfers
10.1 Transfers Within the EEA
Replaiy stores and processes Personal Data primarily in the European Union (Railway, EU-West Amsterdam region; Cloudflare R2, WEUR region).
10.2 Transfers Outside the EEA
Where transfers of Personal Data outside the European Economic Area are necessary, Replaiy ensures that an appropriate transfer mechanism is in place, including:
Adequacy decisions where applicable.
The SCCs (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor as applicable), incorporated by reference into this DPA.
Supplementary technical and organizational measures, including encryption in transit and at rest, and Zero Data Retention configurations with AI Providers.
10.3 SCC Incorporation
The SCCs are deemed entered into between the Controller (as data exporter) and the relevant Sub-processor or Replaiy (as data importer), with:
Clause 7 (docking clause): not applicable.
Clause 9(a): general written authorization with 30 days' notice (Section 7.2).
Clause 11(a) optional language: not applicable.
Clause 17 (governing law): the law of the Netherlands.
Clause 18 (forum): the courts of the Netherlands.
Annexes I, II, and III of the SCCs are completed by reference to the Annexes of this DPA.
11. Audits
11.1 Audit Rights
Replaiy will make available to the Controller, upon reasonable written request, the information necessary to demonstrate compliance with Article 28 GDPR. This information may be provided in the form of:
Replaiy's most recent Security FAQ and security documentation.
Third-party audit reports or certifications, where available.
Written responses to reasonable security questionnaires.
11.2 On-Site Audits
Where the above information is insufficient and the Controller is required by a supervisory authority to conduct an on-site audit, the parties will agree in good faith on the scope, timing, and conditions. Audits shall:
Take place no more than once per 12-month period, except in the case of a confirmed Personal Data Breach.
Be conducted during business hours with at least 30 days' prior written notice.
Be subject to confidentiality obligations.
Not unreasonably interfere with Replaiy's operations.
Be conducted at the Controller's expense, including reasonable time-and-materials charges by Replaiy.
12. Return and Deletion of Personal Data
Upon termination of the Agreement, Replaiy will, at the Controller's choice:
Return all Personal Data to the Controller through the export tools available within the Services, within 30 days of termination, or
Delete or irreversibly anonymize all Personal Data.
After the 30-day export window, Replaiy will delete or irreversibly anonymize Personal Data, except where retention is required by Union or Member State law (e.g., billing records under Dutch tax law).
De-identified data already incorporated into Replaiy's AI training pipeline under the opt-in described in the Privacy Policy and Agreement is not subject to deletion, as it no longer constitutes Personal Data.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
14. Governing Law and Jurisdiction
This DPA is governed by the laws of the Netherlands. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the Rechtbank Midden-Nederland, location Utrecht, the Netherlands, without prejudice to mandatory provisions of applicable data protection law.
15. Order of Precedence
In the event of a conflict, the order of precedence is:
The SCCs (where applicable to a specific transfer).
This DPA.
The Agreement (Terms of Service).
Annex I – Description of Processing
Categories of Data Subjects:
Users (Customer's authorized representatives)
Leads (recipients of communications)
Categories of Personal Data:
Name, email, LinkedIn profile URL, headline, employer
Conversation content (drafts, sent and received messages)
Authentication tokens (encrypted)
Profile pictures and company logos (stored in Cloudflare R2, EU)
Technical data (IP, device, usage logs)
Sensitive Data: None. The Controller is responsible for ensuring no special categories of personal data are submitted.
Frequency of Processing: Continuous, for the duration of the Agreement.
Nature of Processing: Collection, storage, structuring, AI generation, transmission, retrieval, and deletion.
Purpose: Provision of the Services.
Retention: As set out in the Privacy Policy and Section 12 of this DPA.
Controller Identity: The Customer, as identified in the account.
Processor Identity: Replaiy B.V., Bovenkamp 7A, 1391 LH Abcoude, the Netherlands.
Annex II – Technical and Organizational Measures
Replaiy implements the following technical and organizational measures, in accordance with Article 32 GDPR:
Encryption
TLS 1.2 or higher for data in transit
AES-256 encryption at rest, including for authentication tokens and database content
Access Control
Role-based access control (RBAC) with least-privilege principles
Multi-factor authentication required for all employee accounts
Multi-factor authentication available to all Users
Strict password policy with industry-standard hashing
Access logs for administrative actions
Network and Infrastructure Security
Hosting on Railway, EU-West Amsterdam region
Object storage on Cloudflare R2, WEUR region
Network segmentation between environments
Continuous monitoring and alerting
Regular vulnerability scans and dependency reviews
Backup and disaster recovery procedures with EU-based redundancy
Application Security
Secure development practices, including code review
Security testing before major releases
Dependency monitoring for known vulnerabilities
Data Minimization and Anonymization
PII stripping before any data enters the AI Model Improvement training pipeline
Pseudonymization where technically feasible
Automated retention enforcement
Personnel
Confidentiality agreements with all personnel
Data protection awareness training
Need-to-know access principles
Incident Response
Documented incident response plan
72-hour breach notification commitment to Controllers
Coordination with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) where required
AI Provider Configuration
Zero Data Retention enabled for AI Provider calls via OpenRouter
Routing limited to compatible providers (Anthropic, xAI, Google)
A more detailed overview is available in our Security FAQ.
Annex III – List of Sub-processors
The current list of authorized Sub-processors is maintained in the Subprocessors page of our Help Center and is incorporated by reference into this DPA. The list includes the name, location, and processing activity of each Sub-processor, and is updated in accordance with Section 7.
Contact
For questions about this DPA or to request a signed counterpart:
Replaiy B.V.
Bovenkamp 7A
1391 LH Abcoude
The Netherlands
Email: legal@replaiy.ai (contractual matters), dpa@replaiy.ai (data protection matters)
Web: https://replaiy.ai