Data Processing Addendum
Effective: 2026-05-17 · Last updated: 2026-05-17
This Data Processing Addendum (“DPA”) supplements the Repulabs Terms of Service (the “Agreement”) between Repulabs Pty Ltd (“Repulabs”, “Processor”) and the customer entity that has accepted the Agreement (“Customer”, “Controller”). Where the Customer is established in the EEA, UK, or Switzerland, this DPA forms part of the Agreement and governs Repulabs’ processing of personal data on the Customer’s behalf.
1. Subject matter and duration
Repulabs processes personal data submitted by the Customer to provide the reputation management services described in the Agreement. Processing continues for the term of the Agreement and any applicable post-termination retention period.
2. Nature, purpose, and categories of data
- Categories of data subjects — the Customer’s reviewers, recipients of review requests, callers to the AI receptionist, survey respondents, and authorized users of the Customer’s workspace.
- Categories of personal data — names, email addresses, phone numbers, IP addresses, review content, voice recordings (for AI phone calls), and free-text submissions in survey or feedback forms.
- Special categories — none processed unless voluntarily submitted by a data subject in free-text fields. Repulabs does not request special-category data.
- Purpose — providing the reputation management platform, including review syndication, outreach delivery, AI reply drafting, AI phone reception, and analytics.
3. Sub-processors
Repulabs engages sub-processors listed at /legal/subprocessors. Notice of new sub-processors is given by email at least 30 days in advance. The Customer may object in writing to dpa@repulabs.com; if Repulabs cannot accommodate the objection, the Customer may terminate the Agreement for the affected service.
4. International transfers
Repulabs stores primary production data in Neon’s EU-Central-1 region. Where data is transferred outside the EEA, UK, or Switzerland, transfers are governed by the European Commission’s Standard Contractual Clauses (Module 2: controller-to-processor) which are incorporated by reference into this DPA, supplemented by the UK Addendum where applicable.
5. Security measures
Repulabs maintains technical and organizational measures detailed at /legal/security, including but not limited to:
- TLS 1.3 in transit; AES-256-GCM at rest for sensitive columns.
- Row-level-security tenant isolation enforced at the database layer.
- SOC 2 Type II compliance with annual independent audit.
- Access logging, MFA on admin accounts, principle of least privilege.
- 72-hour breach notification per GDPR Article 33.
6. Data subject rights
Repulabs will assist the Customer in fulfilling data-subject requests (access, rectification, erasure, restriction, portability, objection). Requests should be initiated from the Customer’s workspace; tooling auto-pulls all data for the named subject across reviews, requests, recordings, and audit rows within 72 hours.
7. Audits
The Customer may audit Repulabs’ compliance with this DPA once per twelve-month period at the Customer’s expense. In lieu of an on-site audit, Repulabs will provide its most recent SOC 2 Type II report under NDA.
8. Return and deletion
On termination of the Agreement, the Customer may export all personal data via the platform’s export tooling for 30 days. After 30 days, Repulabs will delete all personal data within 60 days, except where retention is required by applicable law (e.g., tax records for invoiced amounts).
9. Signing this DPA
This DPA is countersigned automatically by acceptance of the Agreement. A countersigned PDF is available on request at dpa@repulabs.com.