    ReplAI

    Data Processing Agreement

    Last updated: 17 April 2026

    This Data Processing Agreement ("DPA") is entered into between ReplAI Smart Ltd. ("Processor") and any business ("Controller") that subscribes to the ReplAI Smart service. It forms part of, and is subject to, the Terms of Service. Capitalised terms not defined here have the meaning given in the Terms of Service.

    This DPA is concluded in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection legislation.

    1. Roles and Responsibilities

    The Controller (the subscribing business) determines the purposes and means of processing end-customers' personal data. The Processor (ReplAI Smart Ltd.) processes that data solely on the Controller's behalf and only as necessary to provide the contracted Service. The Processor shall:

    • Process personal data only on documented instructions from the Controller
    • Ensure persons authorised to process personal data are bound by confidentiality
    • Implement appropriate technical and organisational security measures (Article 32 GDPR)
    • Not engage sub-processors without prior notification to the Controller
    • Assist the Controller in responding to data subject rights requests
    • Delete or return all personal data upon termination of the Service
    • Provide all information necessary to demonstrate compliance with GDPR obligations

    2. Categories of Personal Data Processed

    The Processor processes the following categories of end-customer personal data on behalf of the Controller:

    Messaging Identifiers

    Platform-assigned sender IDs (e.g. WhatsApp phone numbers, Facebook PSIDs, Instagram user IDs). These are pseudonymous identifiers assigned by the messaging platform; ReplAI Smart does not independently link them to real-world identities.

    Conversation Content

    The text content of messages exchanged between the customer and the AI agent, including any personal information voluntarily shared by the customer during the conversation.

    Booking & Order Data

    Names, contact details, service selections, appointment times, and order details captured during the booking or purchase flow.

    Lead Information

    Contact details (name, phone, email) captured by the sales agent when a customer expresses interest in products or services.

    Purposes of Processing

    • Providing AI-powered customer messaging automation on behalf of the Controller
    • Processing booking, order, and lead capture flows
    • Enabling live handover to human agents at the Controller's discretion
    • Generating analytics and conversation history for the Controller's dashboard

    Legal Basis

    The Controller is responsible for establishing and documenting the legal basis for processing end-customer data. Typical bases include: contract performance (Art. 6(1)(b) GDPR) for booking and order processing; legitimate interest (Art. 6(1)(f)) for follow-up communications; and consent (Art. 6(1)(a)) where explicitly collected.

    3. Sub-Processors

    By entering into this DPA, the Controller provides general authorisation for the Processor to engage the following sub-processors. The Processor will inform the Controller of any changes to sub-processors, allowing the Controller a reasonable period to object.

    Sub-Processor | Purpose | Location
    Supabase Inc. | Database storage, authentication | EU (West EU)
    Meta Platforms, Inc. | Messaging delivery (WhatsApp, Messenger, Instagram) | USA (SCC applied)
    OpenAI, Inc. | AI language model processing | USA (SCC applied)
    Stripe, Inc. | Payment processing (Controller billing only) | USA (SCC applied)
    Google LLC | Calendar integration (Google Calendar) | USA (SCC applied)
    Netlify, Inc. | Dashboard hosting, serverless functions | USA (SCC applied)

    SCC = Standard Contractual Clauses (2021/914/EU) — the approved transfer mechanism for international data transfers outside the EEA.

    4. Data Retention and Deletion

    • Conversation data (messages, sessions): Retained for a default period of 90 days from the last message in a session. The Controller may configure a shorter period in the dashboard settings.
    • Booking and lead records: Retained for the duration of the Controller's subscription plus 1 year, or until the Controller requests deletion.
    • Automatic deletion: A scheduled process runs daily to permanently delete conversation data that has exceeded the retention period.
    • Right to erasure requests: The Controller can trigger deletion of any end-customer's data from the dashboard. The Processor will action this within 30 days.
    • On termination: The Processor will delete all Controller and end-customer personal data within 30 days of subscription termination, unless a longer retention period is required by law.

    5. Security Measures

    The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR):

    • Encryption in transit: All data transmission uses TLS 1.2+
    • Encryption at rest: Database storage encrypted via AES-256
    • Access control: Row-level security (RLS) policies on all tables; each business can only access its own data
    • Authentication: JWT-based authentication for all dashboard access; service-role keys never exposed to browsers
    • Pseudonymisation: Customer messaging IDs are platform-assigned pseudonyms; the Processor does not attempt to de-anonymise them
    • Incident response: Data breach notification to the Controller within 72 hours of becoming aware
    • Audit logging: Handover events and data deletion requests are logged for accountability

    6. Data Subject Rights

    The Controller is the point of contact for end-customers exercising their GDPR rights (access, rectification, erasure, portability, restriction, objection). Where the Controller needs the Processor's assistance to fulfil a request, the Processor will provide reasonable assistance within 30 days and at no additional cost.

    Business owners (Controllers) can trigger data deletion directly from the dashboard. Conversation history exports can be requested by contacting privacy@replaismart.com.

    7. Governing Law and Jurisdiction

    This DPA is governed by the laws of the Republic of Bulgaria and the European Union. Disputes shall be subject to the jurisdiction of the courts of Sofia, Bulgaria, without prejudice to any rights of data subjects under applicable supervisory authority procedures.

    Data Protection Inquiries

    ReplAI Smart Ltd.
    Hristo Botev 8b, Prolesha, Sofia 2228, Bulgaria
    Email: privacy@replaismart.com

    We aim to respond to all DPA-related inquiries within 30 days.