# Replyion — Data Processing Agreement (v1 Draft)

> **DRAFT — LAWYER REVIEW PENDING — DO NOT SHIP UNTIL CLEARED.**
> Drafted 2026-04-28. Must be reviewed by qualified Spanish counsel with GDPR / LOPDGDD competence before any clinic signs.

This Data Processing Agreement ("DPA") is entered into between:

- **Replyion SL** ("Processor"), and
- the **Clinic** identified in the Order Form ("Controller").

It forms part of, and is governed by, the Replyion Terms of Service. Where the Terms and this DPA conflict on data protection matters, this DPA controls.

This DPA is drafted to comply with Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD").

## 1. Subject matter and duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the Replyion Service as described in the Terms of Service. Processing continues for the duration of the Service contract.

## 2. Nature and purpose of processing

The Processor processes personal data to:

(a) receive, store, route, and respond to WhatsApp messages between the Controller's patients and the Controller's clinic;
(b) qualify patient inquiries against the Controller's configured criteria;
(c) book consultations into the Controller's calendar;
(d) escalate conversations to the Controller's clinical team in line with configured escalation rules;
(e) produce operational reporting and per-clinic analytics for the Controller.

## 3. Types of personal data

- Identification data: patient name (as provided), WhatsApp phone number, language preference.
- Communication data: message content (text and media), timestamps, language detection results, agent confidence scores.
- Health data (special category, GDPR Art. 9): symptoms, history, treatment goals, prior diagnoses if shared by the patient.
- Booking data: appointment date and time, service requested, doctor assigned.

## 4. Categories of data subjects

- Prospective and current patients of the Controller's clinic.
- Personnel of the Controller's clinic with access to the Replyion operator console.

## 5. Controller obligations

The Controller:

(a) is and remains the data controller in respect of patient personal data, and bears the responsibilities of a controller under GDPR;
(b) ensures that the legal basis for processing is established before the Processor receives any personal data, in line with Articles 6 and 9 GDPR;
(c) ensures that patients are informed of the Controller's data practices in line with Articles 13 and 14;
(d) provides accurate Clinic configuration to the Processor, including services, prices, hours, and language coverage;
(e) handles patient rights requests in the first instance and escalates to the Processor only as needed.

## 6. Processor obligations

The Processor shall:

(a) process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do otherwise by Union or Member State law;
(b) ensure that persons authorised to process personal data are bound by confidentiality;
(c) implement the technical and organisational security measures listed in Annex B;
(d) only engage sub-processors with the Controller's prior written authorisation, which may take the form of a general authorisation conditional on advance notice of any change (see Section 7);
(e) assist the Controller, by appropriate technical and organisational measures, with the Controller's obligation to respond to requests for the exercise of data subject rights;
(f) assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, impact assessment, prior consultation), taking into account the nature of processing and information available to the Processor;
(g) at the Controller's choice, return or delete personal data at the end of the provision of services, and delete copies unless retention is required by law;
(h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits.

## 7. Sub-processors

The Processor may engage sub-processors to provide the Service. The Controller grants general authorisation to the sub-processors listed in Annex A and to changes thereto, subject to the following terms:

(a) the Processor shall notify the Controller of any intended addition or replacement of sub-processors at least thirty days in advance;
(b) the Controller may object to such changes on reasonable grounds within fifteen days of notice;
(c) where the Controller objects, the Parties shall discuss in good faith; if no resolution is reached, the Controller may terminate the affected portion of the Service without penalty;
(d) the Processor shall impose on each sub-processor data protection obligations equivalent to those in this DPA by written contract.

## 8. International transfers

Where personal data is transferred outside the European Economic Area, the Processor relies on the Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, in the appropriate module (controller-to-processor or processor-to-sub-processor) executed with each non-EEA sub-processor. Documentation is available on request.

The Processor has conducted a transfer impact assessment for each non-EEA sub-processor. Summaries are available on request and are subject to update if the legal landscape changes.

## 9. Security measures

The Processor implements the technical and organisational measures listed in Annex B. The Processor reviews these measures annually and on any material change to the Service.

## 10. Personal data breach notification

The Processor shall notify the Controller without undue delay, and in any event within seventy-two hours of becoming aware, of any personal data breach affecting the Controller's data. The notification shall include, to the extent known at the time:

(a) a description of the nature of the breach;
(b) the categories and approximate number of data subjects and records affected;
(c) the name and contact details of the Processor's data protection contact;
(d) the likely consequences of the breach;
(e) the measures taken or proposed to address the breach.

The Processor shall update the Controller as further information becomes available.

## 11. Audit rights

The Controller may, on reasonable prior notice and not more than once per year (unless triggered by a documented incident), audit the Processor's compliance with this DPA. The Controller may engage a qualified third-party auditor at the Controller's cost. The Processor will reasonably cooperate.

The Processor may satisfy this obligation by providing the Controller with then-current third-party audit reports (for example, SOC 2 Type II once obtained) where these address the relevant controls.

## 12. Liability

The Parties' liability under this DPA is governed by the Limitation of Liability section of the Terms of Service, except that those limits do not apply to liability arising under Article 82 GDPR to the extent that Article prohibits limiting it.

## 13. Term and termination

This DPA is coterminous with the Service contract. Sections 6(g), 9, 10, 11, and 12 survive termination.

## 14. General

(a) This DPA forms an integral part of the Terms of Service.
(b) Any conflict between this DPA and the Terms of Service on data protection matters is resolved in favour of this DPA.
(c) This DPA is governed by the laws of Spain.
(d) The Parties submit to the exclusive jurisdiction of the courts of Barcelona for disputes arising from this DPA.

---

# Annex A — Authorised sub-processors

| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic, PBC | LLM inference for agent responses | United States | SCCs (2021/914), Module 3 |
| Supabase Inc. | Primary database (clinic + conversation data) | EU (Frankfurt region) | EU-internal |
| 360dialog GmbH | WhatsApp Business API gateway | Germany | EU-internal |
| Google Ireland Ltd. | Google Calendar API | Ireland | EU-internal |
| Stripe Payments Europe Ltd. | Clinic billing payments processor | Ireland | EU-internal |
| Resend, Inc. | Transactional email | United States | SCCs (2021/914), Module 3 |
| Vercel Inc. | Application and marketing site hosting | United States (with EU edge) | SCCs (2021/914), Module 3 |
| Sentry, Inc. | Error monitoring (PII-scrubbed) | United States | SCCs (2021/914), Module 3 |
| Cloudflare, Inc. | DNS, R2 backup storage | United States (with EU presence) | SCCs (2021/914), Module 3 |
| Inngest, Inc. | Async job orchestration (metadata only) | United States | SCCs (2021/914), Module 3 |

The Processor maintains and updates this list within thirty days of any change. The current authoritative version is published at `replyion.com/legal/sub-processors`.

---

# Annex B — Technical and organisational security measures

## B.1 Access control

- Multi-factor authentication required for all Processor personnel accounts with access to production systems.
- Role-based access control. Production database access limited to engineers with documented operational need.
- Quarterly access review.

## B.2 Authentication

- Password hashing with an industry-standard algorithm (Argon2id or bcrypt).
- Session expiry on inactivity (30 minutes default for clinic operator console).
- Multi-factor authentication for all clinic operator accounts at the `pro` plan and above; recommended for all.

## B.3 Encryption

- In transit: TLS 1.2 minimum, TLS 1.3 preferred. HSTS enabled on all public surfaces.
- At rest: AES-256 for primary database (Supabase) and backup storage (Cloudflare R2).

## B.4 Network security

- Production VPC with no inbound public traffic except through documented entry points (Vercel edge, 360dialog webhook receiver).
- Egress allowlisting for production workers.
- DDoS protection at Cloudflare and Vercel edge.

## B.5 Logical separation

- Multi-tenant data isolation via PostgreSQL row-level security policies that filter every query by `clinic_id`.
- The service role can bypass row-level security only after an explicit setting on that database session, and every bypass is logged in `audit_log`.
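
As an added illustration of the two B.5 measures (not Replyion's schema or code), the following PostgreSQL fragment shows a `clinic_id` row-level security policy together with a service-role bypass that cannot be switched on without writing an `audit_log` row. Every table, column, role, setting and function name other than `clinic_id` and `audit_log` is an assumption. It goes slightly beyond the text above in two ways: the bypass is scoped to the transaction rather than the session, and the policy itself checks for the audit entry, so the logging step cannot be skipped.

```sql
-- Illustration only: names below are assumptions, not Replyion's schema.

-- A tenant-scoped table. Every row carries the clinic it belongs to.
create table messages (
    id         bigserial   primary key,
    clinic_id  uuid        not null,
    body       text        not null,
    created_at timestamptz not null default now()
);

-- Append-only audit table. Bypass events land here (B.5) and rows are never
-- modified after write (B.12): the application roles receive INSERT only.
create table audit_log (
    id      bigserial   primary key,
    at      timestamptz not null default now(),
    txid    xid8        not null default pg_current_xact_id(),
    db_user text        not null default current_user,
    action  text        not null,
    detail  jsonb
);

create role replyion_app;      -- request path: always tenant-scoped
create role replyion_service;  -- operations path: may opt in to cross-tenant reads
grant select, insert, update, delete on messages to replyion_app, replyion_service;
grant insert on audit_log to replyion_app, replyion_service;
grant select on audit_log to replyion_service;  -- needed by the bypass policy
grant usage on all sequences in schema public to replyion_app, replyion_service;
-- Neither role is a superuser or has BYPASSRLS; either would skip every policy.

-- ENABLE applies the policies; FORCE applies them to the table owner as well.
alter table messages enable row level security;
alter table messages force  row level security;

-- The request path sets the tenant once per transaction (assumed setting name):
--   select set_config('app.clinic_id', '<clinic uuid>', true);
-- nullif() turns the '' left behind after a transaction-local setting expires
-- into NULL, which matches no row, so a request that forgot to set the tenant
-- sees and can write nothing rather than everything.
create policy messages_tenant_isolation on messages
    for all
    to replyion_app, replyion_service
    using      (clinic_id = nullif(current_setting('app.clinic_id', true), '')::uuid)
    with check (clinic_id = nullif(current_setting('app.clinic_id', true), '')::uuid);

-- Service bypass, reads only. The setting holds the id of an audit_log row and
-- the policy honours it only if that row was written in the current transaction,
-- so there is no way to read across tenants without leaving an audit entry.
-- Writes are not covered: INSERT/UPDATE/DELETE still pass the tenant policy.
create policy messages_service_bypass on messages
    for select
    to replyion_service
    using (exists (
        select 1
        from audit_log a
        where a.id     = nullif(current_setting('app.rls_bypass', true), '')::bigint
          and a.txid   = pg_current_xact_id()
          and a.action = 'rls_bypass'
    ));

-- Documented way to opt in (assumed function). The third argument to set_config
-- is true, so the bypass ends with the transaction, tighter than per-session.
create function begin_rls_bypass(reason text) returns bigint
language plpgsql as $$
declare
    entry_id bigint;
begin
    if reason is null or btrim(reason) = '' then
        raise exception 'RLS bypass requires a reason';
    end if;
    insert into audit_log (action, detail)
    values ('rls_bypass', jsonb_build_object('reason', reason, 'pid', pg_backend_pid()))
    returning id into entry_id;
    perform set_config('app.rls_bypass', entry_id::text, true);
    return entry_id;
end
$$;

-- Usage from a connection authenticated as replyion_service:
--   begin;
--   select begin_rls_bypass('GDPR Art. 15 export, ticket OPS-1234');
--   select clinic_id, count(*) from messages group by clinic_id;  -- all tenants
--   commit;                                                        -- bypass ends here
```

Two checks worth making against a real deployment: the service connection must not authenticate as a superuser or as a role with `BYPASSRLS`, because those skip every policy silently and never touch `audit_log`; and `FORCE ROW LEVEL SECURITY` is what keeps the table owner subject to the policies, so an application that happens to connect as the owner does not quietly see every tenant.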

## B.6 Logging and monitoring

- Application logs to Sentry with PII scrubbing.
- Database query logs to Supabase audit log.
- Independent operational metrics in `agent_health` and `events` tables.
- Automated alerting via Inngest scheduled jobs and Sentry alerts.

## B.7 Incident response

- Documented procedure at `08_Operations/Runbooks/incident_response.md`.
- 72-hour Controller notification commitment in Section 10.
- Quarterly tabletop or live drills.

## B.8 Backups and recovery

- Supabase automated point-in-time recovery, 7-day window.
- Weekly off-platform encrypted snapshots to Cloudflare R2 in a separate region.
- Documented restore procedure and at least one tested restore per quarter.

## B.9 Personnel

- Confidentiality agreements for all personnel with access to personal data.
- Data protection awareness training within the first 30 days of joining and annually thereafter.

## B.10 Vendor management

- Annual review of each sub-processor's certifications and audit reports.
- Documented sub-processor onboarding checklist including DPA, SCCs, and security questionnaire.

## B.11 Data minimisation

- Only data necessary for the contracted Service is processed.
- Patient data is not used to train models served to other clinics or to any third party.
- Aggregated, anonymised metrics may be derived for product improvement, in line with the Terms of Service.

## B.12 Retention and deletion

- Default retention schedule per category (see `01_Legal/Compliance/data_flow_v1.md`).
- Patient deletion request processed within 30 days, with cascade across messages, appointments, leads, and agent state.
- Audit log retained 10 years to satisfy regulatory record-keeping; never modified after write.

---

*Document version: v1 draft, 2026-04-28. Maintainer: `legal@replyion.com`.*
