DATA PROCESSING AGREEMENT (DPA)

1. Introduction and Scope

This Data Processing Agreement (“DPA”) forms part of the agreement between WeReply (“Processor”) and the customer (“Controller”) governing the use of the WeReply platform.

This DPA applies where WeReply processes personal data on behalf of the Controller in the course of providing the platform and related services.

The parties agree that this DPA reflects their obligations under Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

2. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on Personal Data as defined under the GDPR.
  • Controller means the entity that determines the purposes and means of the Processing of Personal Data.
  • Processor means WeReply, which processes Personal Data on behalf of the Controller.
  • Subprocessor means any third party engaged by Processor to process Personal Data on behalf of Controller.

3. Subject Matter and Duration

The subject matter of this DPA is the Processing of Personal Data in connection with the provision of the WeReply platform.

This DPA remains in effect for as long as WeReply processes Personal Data on behalf of the Controller.

4. Nature and Purpose of Processing

WeReply processes Personal Data for the purpose of providing communication management services, including message handling, integrations, AI-supported features, account management, and related support services.

Processing operations may include collection, storage, organization, retrieval, transmission, and deletion of Personal Data.

5. Categories of (Personal) Data and Data Subjects

Categories of Personal Data processed may include, depending on the Controller’s use of the Platform:

  • Identification data, such as first and last name, username, customer ID, and social media identifiers.
  • Contact data, such as email address, telephone number, billing address, shipping or delivery address, and other contact details.
  • Communication data, including message content, conversation history, attachments, internal notes, and related metadata such as timestamps and sender or recipient identifiers.
  • Transaction and order data, including order details, product information, delivery information, and transaction status where provided through integrations.
  • Technical data, such as IP address, browser type, operating system, device information, log data, and usage statistics.
  • Billing and financial data, including billing address, invoice information, VAT or tax identifiers, and transaction records.
  • Any other personal data submitted to the Platform by or on behalf of the Controller.

Categories of Data Subjects may include:

  • Employees, contractors, or representatives of the Controller.
  • Customers, prospective customers, or end-users of the Controller.
  • Website visitors and communication participants interacting with the Controller through integrated channels.

6. Instructions

WeReply shall process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by applicable law.

7. Confidentiality

WeReply shall ensure that persons authorized to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

8. Security Measures

WeReply shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit
  • Access controls and role-based permissions
  • System monitoring and logging
  • Secure hosting infrastructure
  • Measures designed to prevent unauthorized access

9. Subprocessors

The Controller authorizes WeReply to engage Subprocessors to support the delivery of the platform.

WeReply shall ensure that any Subprocessor is bound by contractual obligations that provide at least the same level of data protection as this DPA.

An up-to-date list of Subprocessors is available upon request.

WeReply will use reasonable care in selecting Subprocessors and will require them to implement appropriate data protection measures in accordance with applicable data protection laws.

10. International Transfers

Where Personal Data is transferred outside the European Economic Area, WeReply shall ensure appropriate safeguards are implemented in accordance with Chapter V of the GDPR.

Such safeguards may include:

  • Standard Contractual Clauses
  • Reliance on adequacy decisions
  • Additional technical and organizational measures where appropriate

11. Assistance to the Controller

WeReply shall assist the Controller, taking into account the nature of Processing, in responding to requests from Data Subjects exercising their rights under applicable data protection laws.

WeReply shall assist the Controller in ensuring compliance with obligations relating to security, breach notification, impact assessments, and prior consultation where applicable.

12. Personal Data Breaches

WeReply shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

The notification shall include available information required under Article 33 GDPR.

13. Deletion or Return of Data

Upon termination of the agreement, WeReply shall delete or return Personal Data to the Controller, at the Controller’s choice, unless applicable law requires storage of the Personal Data.

Backups may be retained temporarily in accordance with standard retention practices, after which they will be securely deleted.

14. Audit Rights

WeReply shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.

Where required, audits may be conducted subject to reasonable notice, confidentiality obligations, and proportionality limitations.

15. Liability

Liability arising under this DPA shall be subject to the liability limitations agreed in the main agreement between the parties.

16. Governing Law

This DPA shall be governed by the law applicable to the main agreement between the parties.

Last updated: 17/02/2026