Last updated: 17/02/2026
This Data Processing Agreement ("DPA") forms part of the agreement between WeReply ("Processor") and the customer ("Controller") governing the use of the WeReply platform.
This DPA applies where WeReply processes personal data on behalf of the Controller in the course of providing the platform and related services.
The parties agree that this DPA reflects their obligations under Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
The subject matter of this DPA is the Processing of Personal Data in connection with the provision of the WeReply platform.
This DPA remains in effect for as long as WeReply processes Personal Data on behalf of the Controller.
WeReply processes Personal Data for the purpose of providing communication management services, including message handling, integrations, AI-supported features, account management, and related support services.
Processing operations may include collection, storage, organization, retrieval, transmission, and deletion of Personal Data.
Categories of Personal Data processed may include, depending on the Controller's use of the Platform:
Categories of Data Subjects may include:
WeReply shall process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by applicable law.
WeReply shall ensure that persons authorized to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
WeReply shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
The Controller authorizes WeReply to engage Subprocessors to support the delivery of the platform.
WeReply shall ensure that any Subprocessor is bound by contractual obligations that provide at least the same level of data protection as this DPA.
An up-to-date list of Subprocessors is available upon request.
WeReply will use reasonable care in selecting Subprocessors and will require them to implement appropriate data protection measures in accordance with applicable data protection laws.
Where Personal Data is transferred outside the European Economic Area, WeReply shall ensure appropriate safeguards are implemented in accordance with Chapter V of the GDPR.
Such safeguards may include:
WeReply shall assist the Controller, taking into account the nature of Processing, in responding to requests from Data Subjects exercising their rights under applicable data protection laws.
WeReply shall assist the Controller in ensuring compliance with obligations relating to security, breach notification, impact assessments, and prior consultation where applicable.
WeReply shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.
The notification shall include available information required under Article 33 GDPR.
Upon termination of the agreement, WeReply shall delete or return Personal Data to the Controller, at the Controller's choice, unless applicable law requires storage of the Personal Data.
Backups may be retained temporarily in accordance with standard retention practices, after which they will be securely deleted.
WeReply shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.
Where required, audits may be conducted subject to reasonable notice, confidentiality obligations, and proportionality limitations.
Liability arising under this DPA shall be subject to the liability limitations agreed in the main agreement between the parties.
This DPA shall be governed by the law applicable to the main agreement between the parties.