Data Processing Agreement
Last updated: April 2026 · Version 1.0
Overview
This Data Processing Agreement (“DPA”) forms part of the ReplyStars Terms of Service and governs the processing of personal data by ReplyStars (the “Processor”) on behalf of the business customer (the “Controller”) in connection with the ReplyStars service (the “Service”). It is written to meet the obligations of Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and equivalent UK GDPR provisions.
ReplyStars is operated by Vivan Shah, an individual established in Belgium, acting in a sole-trader capacity. Postal address for formal notices: Vivan Shah, Fazantenlaan 26, 2610 Antwerp, Belgium.
This DPA is incorporated by reference into the Terms of Service and applies automatically to any Controller that uses the Service to process personal data of its end customers. No signature is required. If your organisation requires a countersigned copy, email privacy@replystars.com.
1. Definitions
Terms not defined here have the meaning given to them in the GDPR. In particular:
- Controller — the business customer that determines the purposes and means of processing personal data through the Service.
- Processor — ReplyStars, which processes personal data on behalf of the Controller under the Terms of Service.
- Sub-processor — any third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Subject — the natural person to whom the personal data relates (typically the Controller’s end customer).
- Personal Data — any information relating to an identified or identifiable natural person processed through the Service.
2. Subject matter, duration, nature and purpose
Subject matter: the processing of Personal Data required to deliver the Service, including the generation and delivery of review request messages, AI-drafted replies, win-back campaigns, referral prompts and related analytics.
Duration: for the term of the underlying Terms of Service, plus any wind-down period described in section 10 below.
Nature and purpose: collecting, storing, organising, transmitting, analysing and deleting Personal Data solely to provide the Service to the Controller.
Categories of Data Subjects: (i) the Controller’s authorised users and (ii) the Controller’s end customers whose contact details and feedback are processed through the Service.
Categories of Personal Data: names, phone numbers, email addresses, review content, appointment metadata, message delivery status, IP address, device/browser metadata, and any other data the Controller chooses to send to the Service.
3. Role of each party
With respect to end-customer data, the Controller is the controller and ReplyStars is the processor. With respect to account-holder data (the Controller’s own users and billing contacts), ReplyStars is an independent controller under its Privacy Policy. This DPA governs only the processor relationship.
4. Processor obligations (Art. 28(3))
ReplyStars will:
- Process Personal Data only on documented instructions from the Controller, including the instructions implied by the Controller’s ordinary use of the Service. If ReplyStars is required by EU or member-state law to process data beyond those instructions, it will inform the Controller unless the law prohibits such notice on public-interest grounds.
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures under Art. 32 GDPR (see section 6 below).
- Respect the conditions in sections 5 and 9 for engaging sub-processors and transferring data outside the EEA.
- Assist the Controller with responses to Data Subject requests (sections 7 and 8 below).
- Assist the Controller with compliance obligations under Arts. 32–36 GDPR, including security, breach notification, data protection impact assessments and prior consultation with supervisory authorities.
- Delete or return all Personal Data at the Controller’s choice at the end of the Service, except where EU or member-state law requires retention.
- Make available to the Controller all information necessary to demonstrate compliance with Art. 28 and allow for audits as described in section 11 below.
5. Sub-processors
The Controller gives general authorisation for ReplyStars to engage the sub-processors listed below. ReplyStars ensures that each sub-processor is bound by written terms imposing data protection obligations substantially the same as those set out in this DPA, and remains liable to the Controller for the performance of those obligations.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database + authentication | EU (Frankfurt) |
| Vercel | Application hosting + CDN | Global (EU edge where available) |
| Stripe | Payment processing | EU / US |
| OpenAI | AI reply generation | US |
| Resend | Transactional email delivery | US |
| Twilio | SMS delivery and opt-out handling | US |
| Google (Business Profile API) | Review sync and posting | US |
ReplyStars will notify the Controller by email at least 14 days before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds within that notice period; if the parties cannot agree on a resolution, the Controller may terminate the Service and receive a pro-rata refund of any prepaid fees.
6. Security measures (Art. 32)
ReplyStars maintains, at minimum, the following technical and organisational measures:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent) through the underlying infrastructure providers.
- Role-based access control, least-privilege principles, and multi-factor authentication for administrative access.
- Separation of production and non-production environments.
- Logging and monitoring of authentication events, database access and administrative actions.
- Regular backups with a maximum retention of 35 days and a documented restoration procedure.
- Vendor security reviews prior to engaging new sub-processors and ongoing monitoring of their certifications (e.g. SOC 2, ISO 27001) where applicable.
- Incident response procedures covering detection, containment, eradication, recovery and post-incident review.
ReplyStars may update these measures from time to time provided the updates do not materially reduce the overall level of security.
7. Data Subject rights
ReplyStars will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to respond to Data Subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability and objection). Account holders can self-serve most requests in the dashboard under Settings → Privacy. For requests that require additional assistance, email privacy@replystars.com.
8. Personal data breach notification
ReplyStars will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s Personal Data, and no later than 72 hours after ReplyStars confirms the breach. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address it. ReplyStars will cooperate in good faith with the Controller’s own notification obligations under Arts. 33 and 34 GDPR.
9. International transfers
Where Personal Data is transferred outside the EEA, United Kingdom or Switzerland to a country that the European Commission has not declared adequate, the transfer is made under the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 or Module 3 as applicable) or an equivalent mechanism (for example, the EU-US Data Privacy Framework where the recipient is certified). By accepting this DPA the Controller enters into the SCCs with ReplyStars and, to the extent applicable, mandates ReplyStars to enter into onward-transfer SCCs with sub-processors on its behalf.
10. Return and deletion of data
On termination of the Service, the Controller may export its Personal Data through the Settings → Privacy export feature or by request. Unless the Controller instructs otherwise in writing, ReplyStars will delete all Personal Data within 30 days of termination, subject to retention periods required by law (including billing records) and to backup cycles of up to 35 days during which deleted data may persist in encrypted backups before being overwritten.
11. Audits
ReplyStars will make available to the Controller, on reasonable written request, the information necessary to demonstrate compliance with this DPA, including responses to standard security questionnaires and summaries of relevant third-party certifications held by sub-processors. On-site audits are permitted where required by law, must be conducted during business hours with reasonable notice, must not disrupt the Service or compromise other customers’ data, and are at the Controller’s cost unless the audit uncovers a material breach of this DPA.
12. Liability and order of precedence
Each party’s liability under this DPA is subject to the limitation and exclusion of liability provisions in the Terms of Service. In the event of any conflict between this DPA and the Terms of Service concerning the processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the EU Standard Contractual Clauses, the Clauses prevail.
13. Contact
Questions about this DPA, requests for a signed copy, or notices under sections 5, 7 or 8 should be sent to privacy@replystars.com.