Data Processing Agreement

Effective Date: November 14, 2025

Last Updated: November 14, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the ReplyQ Terms of Service and governs the processing of personal data by Signum Solutions Private Limited ("ReplyQ", "we", "Processor") on behalf of the Customer ("you", "Controller") in compliance with:

  • General Data Protection Regulation (GDPR) - EU Regulation 2016/679
  • Personal Data Protection Act 2012 of Singapore (PDPA)
  • Other applicable data protection laws

2. Definitions

  • Personal Data: Information relating to identified or identifiable natural persons, as processed by ReplyQ on behalf of Customer
  • Processing: Any operation performed on Personal Data, including collection, storage, use, analysis, and deletion
  • Data Subject: The individual to whom Personal Data relates (typically your end-customers)
  • Sub-Processor: Any third-party processor engaged by ReplyQ to process Personal Data
  • Data Controller: The Customer, who determines the purposes and means of processing Personal Data
  • Data Processor: ReplyQ, who processes Personal Data on behalf of the Customer

3. Scope and Applicability

3.1 Application

This DPA applies to all processing of Personal Data by ReplyQ on behalf of Customer in connection with the provision of ReplyQ's Services, specifically:

  • End-customer WhatsApp messages and conversation data
  • End-customer contact information (phone numbers, names)
  • Message metadata (timestamps, delivery status)
  • Media files shared by end-customers

3.2 Data Controller Responsibilities

Customer acknowledges that they are the Data Controller for all end-customer Personal Data and are responsible for:

  • Determining the purposes and means of processing
  • Obtaining necessary consents from Data Subjects
  • Providing appropriate privacy notices to Data Subjects
  • Ensuring lawful basis for processing exists
  • Responding to Data Subject rights requests

4. ReplyQ's Processing Obligations

4.1 Processing Instructions

ReplyQ shall process Personal Data only:

  • On documented instructions from Customer (including via the Services interface)
  • For the purposes of providing the Services as described in our Terms of Service
  • In compliance with applicable data protection laws

If ReplyQ believes any instruction violates applicable law, we will inform Customer immediately.

4.2 Purpose Limitation

Personal Data will be processed solely for the following purposes:

  • Delivering WhatsApp messages to and from end-customers
  • Generating AI-powered customer service responses
  • Training AI models specific to Customer's business (unless disabled)
  • Providing conversation analytics and reporting
  • Customer support and troubleshooting
  • Legal compliance and security monitoring

4.3 Confidentiality

ReplyQ ensures that all personnel authorized to process Personal Data:

  • Are subject to confidentiality obligations
  • Receive appropriate data protection training
  • Access Personal Data only on a need-to-know basis

5. Security Measures

ReplyQ implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

5.1 Technical Measures

  • Encryption of data in transit using TLS 1.3
  • Encryption of data at rest using industry-standard algorithms
  • Multi-tenant database architecture with strict access controls
  • JWT-based authentication for API access
  • Regular encrypted backups
  • Logging and monitoring of access to Personal Data

5.2 Organizational Measures

  • Access control policies limiting data access to authorized personnel
  • Data protection training for employees
  • Regular security audits and vulnerability assessments
  • Incident response procedures
  • Vendor security due diligence for Sub-Processors

5.3 Security Testing

ReplyQ conducts regular security testing including penetration testing and vulnerability scanning. Security audit reports may be requested through support@replyq.app.

6. Sub-Processors

6.1 Authorized Sub-Processors

Customer authorizes ReplyQ to engage the following Sub-Processors:

Sub-Processor | Purpose | Location
Meta/WhatsApp | Message delivery via WhatsApp Business API | USA
OpenAI | AI response generation and model training | USA
Supabase (AWS) | Database hosting and storage | Singapore
Vercel | Application hosting | Global CDN (primary: Singapore)
Stripe | Payment processing (Customer billing data only) | USA
Resend | Email notifications to Customer | USA
Expo | Push notifications to Customer mobile apps | USA

6.2 Sub-Processor Obligations

ReplyQ ensures that all Sub-Processors:

  • Are bound by written agreements imposing data protection obligations equivalent to this DPA
  • Implement appropriate security measures
  • Process Personal Data only for the purposes authorized by ReplyQ

ReplyQ remains liable for the acts and omissions of its Sub-Processors to the same extent as if performing the services directly.

6.3 Changes to Sub-Processors

ReplyQ will provide Customer with at least 30 days' notice before:

  • Adding new Sub-Processors
  • Replacing existing Sub-Processors

Customer may object to new Sub-Processors by contacting support@replyq.app within 14 days of notice. If Customer objects, ReplyQ will either not engage the Sub-Processor or allow Customer to terminate the Services without penalty.

7. Data Subject Rights

7.1 Assisting with Requests

ReplyQ shall, to the extent legally permitted, promptly notify Customer if ReplyQ receives a Data Subject rights request directly. ReplyQ will:

  • Provide reasonable assistance to Customer in responding to such requests
  • Provide access to Personal Data within our control
  • Implement technical measures to facilitate rights fulfillment (data export, deletion)

7.2 Data Portability

Customer may export Personal Data in machine-readable format (JSON) through:

  • In-app Settings → Data Export
  • API endpoint: /api/v1/data/export
  • Request via support@replyq.app

7.3 Data Erasure

Customer may request deletion of Personal Data through:

  • In-app Settings → Delete My Data
  • Account termination
  • Request via support@replyq.app

Deletion timeline: Active database data within 30 days; backup copies within 90 days (excluding financial records retained for legal compliance).

8. Data Breach Notification

8.1 Notification to Customer

In the event of a Personal Data breach, ReplyQ shall:

  • Notify Customer without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details including:
    • Nature of the breach (categories and approximate number of Data Subjects affected)
    • Types of Personal Data affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Provide reasonable cooperation in investigating and remediating the breach

8.2 Notification Method

Breach notifications will be sent to Customer's registered email address and in-app notification. Customer is responsible for maintaining current contact information.

8.3 Regulatory Notification

Customer is responsible for notifying supervisory authorities and affected Data Subjects as required by applicable law. ReplyQ will provide reasonable assistance.

9. International Data Transfers

9.1 Transfer Mechanisms

Personal Data may be transferred internationally as follows:

Transfer | Mechanism
Singapore → USA (OpenAI) | EU-US Data Privacy Framework + Standard Contractual Clauses
Singapore → USA (Meta/WhatsApp) | EU-US Data Privacy Framework + Standard Contractual Clauses
EU → Singapore (Supabase) | GDPR Adequacy Decision (Singapore pending; currently SCCs)

9.2 Standard Contractual Clauses

Where Standard Contractual Clauses (SCCs) are used:

  • ReplyQ uses the EU Commission's Standard Contractual Clauses for Controller-to-Processor transfers (Module 2)
  • SCCs are incorporated by reference into this DPA
  • Full SCC text available at EU Commission website

9.3 Supplementary Measures

To supplement SCCs, ReplyQ implements:

  • Encryption of data in transit and at rest
  • Pseudonymization where feasible
  • Contractual prohibitions on Sub-Processor data access without encryption keys
  • Regular review of data protection laws in destination countries

10. Audit Rights

10.1 Customer Audit Rights

Customer may audit ReplyQ's compliance with this DPA:

  • Frequency: Once per calendar year, or more frequently if required by supervisory authority
  • Notice: 30 days' advance written notice
  • Scope: ReplyQ's data protection policies, procedures, and security measures
  • Cost: Customer bears audit costs; ReplyQ may charge reasonable fees for extensive audits

10.2 Audit Alternatives

In lieu of on-site audit, ReplyQ may provide:

  • Security certifications (SOC 2 Type II when available)
  • Third-party audit reports
  • Written responses to audit questionnaires
  • Video conference to review policies and procedures

10.3 Confidentiality

Any information obtained during audit shall be treated as ReplyQ's Confidential Information and used solely to verify DPA compliance.

11. Data Retention and Deletion

11.1 Retention Periods

ReplyQ retains Personal Data as follows:

  • Message history: While Customer account is active
  • AI training data: While fine-tuning enabled and account active
  • Custom AI models: Until account termination or fine-tuning disabled
  • Backups: 90-day rolling retention

11.2 Deletion Upon Termination

Upon termination of Services, ReplyQ shall:

  • Delete or return all Personal Data at Customer's choice (via data export)
  • Active data: Deleted within 30 days
  • Backup copies: Purged within 90 days
  • Custom AI models: Deleted within 30 days

Exception: Financial records retained for 7 years as required by Singapore Companies Act.

11.3 Certification of Deletion

Upon request, ReplyQ will provide written certification that Personal Data has been deleted in accordance with this DPA.

12. Limitation of Liability

Liability under this DPA shall be subject to the limitation of liability provisions in the Terms of Service. Total liability shall not exceed the amount paid by Customer in the twelve (12) months preceding the claim.

This limitation does not apply to:

  • Gross negligence or willful misconduct
  • Violations of data protection laws to the extent liability cannot be limited
  • ReplyQ's indemnification obligations

13. Term and Termination

13.1 Term

This DPA takes effect on the date Customer first uses the Services and continues until termination of the Terms of Service.

13.2 Survival

The following provisions survive termination:

  • Section 11 (Data Retention and Deletion)
  • Section 12 (Limitation of Liability)
  • Section 10.3 (Confidentiality)

14. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Singapore, consistent with the Terms of Service.

For disputes involving GDPR: Customer may also bring claims in the courts of their EU member state.

15. Amendments

ReplyQ may update this DPA to reflect:

  • Changes in data protection laws
  • Guidance from supervisory authorities
  • Changes to Services or Sub-Processors

Material changes will be notified with 30 days' notice via email and in-app notification.

16. Contact Information

Signum Solutions Private Limited
Singapore

Data Protection Inquiries:
Email: dpo@replyq.app

General Support:
Email: support@replyq.app

Data Breach Reporting:
Email: security@replyq.app (24/7 monitored)

© 2025 Signum Solutions Private Limited. All rights reserved.