1. Parties and order of precedence
This DPA is entered into between VelocityNet LLC, acting as Processor, and Customer, acting as Controller, for personal data processed by Reputafy on Customer's behalf in connection with the Service. Where this DPA conflicts with the Terms of Service, this DPA prevails for matters concerning personal data.
2. Subject matter, nature and purpose of processing
Reputafy processes personal data on Customer's documented instructions, solely for the purpose of providing the Service: review aggregation, AI-assisted reply drafting, analytics, and related operations.
3. Categories of data and data subjects
- Data subjects: Customer's employees and contractors, end-users who post reviews on connected platforms, and other individuals whose personal data is contained in Customer Content.
- Categories of personal data: identification data (name, email, role), professional data (job title, employer), review content, reply content, location identifiers, behavioral data (timestamps, sentiment labels).
4. Processor obligations
- Process personal data only on Customer's instructions.
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures as set out in Annex II.
- Engage subprocessors only with a written agreement imposing the same data-protection obligations.
- Assist Customer in responding to data-subject requests and in meeting obligations under GDPR Articles 32 to 36.
- Notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach.
- At Customer's choice, delete or return all personal data after the end of the provision of the Service.
- Make available all information necessary to demonstrate compliance and allow audits at reasonable intervals.
5. Subprocessors
Customer authorizes Reputafy to engage the subprocessors listed at /legal/subprocessors. Reputafy will notify Customer at least 30 days before adding a new subprocessor. Customer may object in writing for legitimate data-protection reasons; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service.
6. International transfers
Where personal data is transferred outside the European Economic Area or the United Kingdom, the parties incorporate by reference the Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission in Decision (EU) 2021/914, and where applicable the UK International Data Transfer Addendum. Annex I and Annex II below complete the SCC annexes.
Annex I — Description of the transfer
- Data exporter: Customer (Controller).
- Data importer: VelocityNet LLC (Processor), organized in the State of Delaware, United States. Primary contact: Amine, official email coordinator, amine@reputafy.com.
- Categories of data subjects: Customer administrators and end-users described in Section 3.
- Categories of personal data: as described in Section 3.
- Frequency: continuous, for the duration of the Subscription.
- Retention: as set out in Section 9 of the Privacy Policy.
Annex II — Technical and organizational measures
2.1 Encryption
Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Production secrets are stored in a managed KMS with envelope encryption.
2.2 Access control
Role-based access control with mandatory multi-factor authentication for staff. Production access requires just-in-time elevation with peer review and logging.
2.3 Logging and monitoring
Centralized audit logging of administrative actions, with 12-month retention.
2.4 Backups and resilience
Encrypted daily backups with 90-day rotation, RPO 24h, RTO 4h.
2.5 Incident response
Documented incident response runbook with 24/7 on-call rotation and 72-hour customer notification commitment.
2.6 Vendor risk
Annual reviews of subprocessors, including SOC 2 / ISO 27001 reports where available.
Annex III — List of approved subprocessors
See the live, version-controlled list at /legal/subprocessors.
Contact
For DPA-related queries: amine@reputafy.com. For signature workflows: amine@reputafy.com.