Data Processing Agreement
Last updated: 2026-05-06
1. Roles
The Clinic acts as the Controller of patient personal data. Replyion SL acts as the Processor, processing patient data on the Controller's documented instructions and in accordance with this DPA.
2. Subject matter and duration
Replyion processes personal data to operate the AI patient coordinator on the Controller's behalf. The DPA is effective for the duration of the Master Subscription Agreement and survives only with respect to obligations that, by their nature, must survive (export, deletion, audit).
3. Categories of data subjects
Patients and prospective patients of the Clinic who initiate contact via WhatsApp.
4. Categories of personal data
- Identification data: WhatsApp phone number (stored only as a one-way hash after first contact; the hash is pseudonymised, not anonymised, and remains personal data under this DPA), name (where volunteered).
- Communication content: WhatsApp messages between patient and agent.
- Health data (special category data under GDPR Article 9): voluntarily disclosed by the patient in the course of asking about treatments.
- Logistical data: location (city/country), language preference, calendar availability.
5. Sub-processors
The Controller authorizes the engagement of the sub-processors listed at /legal/subprocessors. Replyion notifies the Controller of any addition or replacement of a sub-processor at least 30 days in advance. The Controller may object on reasonable data-protection grounds within 14 days; failing resolution, either party may terminate the affected service component.
6. Security measures
Replyion implements the security measures detailed at /legal/security, which include EU-only data hosting, encryption in transit and at rest, daily backups, passwordless authentication with hardware keys for production access, and 24/7 monitoring.
7. Data subject rights
Replyion assists the Controller in fulfilling data subject requests under GDPR Articles 15–22 within five business days of a Controller request. Direct data subject contact about the underlying clinic data is forwarded to the Controller within 24 hours.
8. Personal data breaches
Replyion notifies the Controller without undue delay, and in any event within 24 hours of becoming aware, of any personal data breach affecting Controller data. Notice includes the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
9. Audit rights
The Controller may request a remote audit (questionnaire plus evidence package) annually at no cost. On-site audits are available at the Controller's expense, subject to 30 days' notice and reasonable scoping. Replyion will share third-party audit reports (e.g. SOC 2, once available) in place of an on-site audit where the report substantively answers the Controller's questions.
10. International transfers
Where personal data is transferred to a sub-processor outside the European Economic Area, the transfer is governed by the EU Standard Contractual Clauses per Commission Implementing Decision (EU) 2021/914 (Module Two for controller-to-processor transfers or Module Three for processor-to-processor transfers, as applicable), supplemented as necessary by additional safeguards.
11. Termination and return / deletion
On termination, Replyion exports all Controller data as JSON within 7 days, deletes it from live and backup systems within 30 days, and confirms deletion in writing. The Controller may instead request continued data processing under a successor agreement.
12. Governing law
Governed by the laws of Spain, with disputes subject to the exclusive jurisdiction of the courts of Barcelona.