Data Processing Agreement

Last Updated: April 14, 2026

Enterprise DPA Available on Request

This page provides an overview of our data processing practices. For enterprise customers requiring a signed Data Processing Agreement (DPA) with custom terms, please contact us at legal@repminder.ai.

We can provide a customized DPA that includes specific data processing terms, security commitments, and compliance requirements for your organization.

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between RepMinder, Inc. ("Processor" or "RepMinder") and you ("Controller" or "Customer"). This DPA applies when RepMinder processes personal data on behalf of the Customer in connection with the RepMinder service.

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable privacy laws.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by RepMinder on behalf of the Customer.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Sub-processor" means any third party appointed by RepMinder to process Personal Data on behalf of the Customer.
  • "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including GDPR, UK GDPR, and equivalent laws.

3. Data Processing Details

3.1 Nature and Purpose of Processing

RepMinder processes Personal Data for the purpose of providing AI readiness assessment services, including:

  • Scanning and analyzing websites submitted by the Customer
  • Generating AI readiness scores and recommendations
  • Storing scan results and reports
  • Providing dashboard and analytics features
  • Processing optional GA4/GSC OAuth tokens and synchronized timeline metrics on behalf of the Customer
  • Executing live verification query runs across configured AI/search providers (manual or API-triggered cadence during launch phase)
  • Delivering customer support and service communications

3.2 Duration of Processing

RepMinder will process Personal Data for the duration of the Customer's subscription, plus a retention period of up to 90 days after subscription termination, unless otherwise required by law or requested by the Customer.

For growth-lane records (verification runs/results and content-agent conversation history), RepMinder applies plan-based retention windows: 90 days (free), 180 days (professional/business), and 365 days (enterprise), unless a different enterprise agreement applies.

3.3 Categories of Data Subjects

  • Customer's employees and authorized users
  • Customer's website visitors (where applicable)
  • Customer's business contacts

3.4 Types of Personal Data

  • Contact information (name, email address)
  • Account credentials
  • Billing and payment information
  • Usage data and analytics
  • Website URLs and scan results
  • Support communications

4. Processor Obligations

RepMinder shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by applicable law
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Assist the Customer in responding to Data Subject requests (access, rectification, erasure, etc.)
  • Assist the Customer in ensuring compliance with data protection obligations
  • Delete or return all Personal Data to the Customer after termination of services, unless required by law to retain it
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA
  • Notify the Customer without undue delay after becoming aware of a personal data breach

5. Security Measures

RepMinder implements the following technical and organizational security measures:

5.1 Technical Measures

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for administrative access
  • Regular security patching and updates
  • Intrusion detection and prevention systems
  • Automated backup and disaster recovery procedures
  • Network segmentation and access controls

5.2 Organizational Measures

  • Information security policies and procedures
  • Employee security awareness training
  • Background checks for personnel with access to Personal Data
  • Incident response and breach notification procedures
  • Regular security audits and vulnerability assessments
  • Vendor risk management program

6. Sub-processors

The Customer authorizes RepMinder to engage the following sub-processors to process Personal Data:

Sub-processor | Service | Location
Supabase, Inc. | Database and authentication | Australia (Sydney)
Vercel Inc. | Application hosting | Australia (Sydney)
Stripe, Inc. | Payment processing | United States
Google LLC | GA4/GSC APIs for customer-authorized integrations | United States
OpenAI, Inc. | AI analysis, content generation, and assistant responses | United States
Upstash, Inc. | Caching and rate limiting | Global
Resend, Inc. | Email delivery | United States
PostHog, Inc. | Product analytics | EU or US (configurable)
Functional Software, Inc. (Sentry) | Error monitoring | United States

RepMinder will notify the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object to such changes within 30 days.

7. International Data Transfers

Personal Data is primarily stored in Australia (Sydney region). Where Personal Data is transferred to countries outside the EEA, UK, or Switzerland that do not provide an adequate level of data protection, RepMinder ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all sub-processors
  • Compliance with the EU-U.S. Data Privacy Framework (for U.S.-based processors where applicable)

8. Data Subject Rights

RepMinder will assist the Customer in fulfilling Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

RepMinder will respond to Data Subject requests forwarded by the Customer within 10 business days, providing the necessary information or assistance to enable the Customer to fulfill its obligations.

9. Data Breach Notification

In the event of a personal data breach, RepMinder will:

  • Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable the Customer to meet any obligations to report or inform Data Subjects of the breach
  • Take reasonable steps to mitigate the effects of the breach and prevent future breaches
  • Cooperate with the Customer in investigating and resolving the breach

10. Audits and Compliance

RepMinder will make available to the Customer information necessary to demonstrate compliance with this DPA. Upon reasonable notice and during normal business hours, the Customer may:

  • Request copies of relevant security certifications and audit reports
  • Conduct audits or inspections (not more than once per year, unless required by a supervisory authority)
  • Request information about RepMinder's data processing practices

RepMinder maintains SOC 2 Type II compliance (via Supabase and Vercel infrastructure) and undergoes regular security assessments.

11. Data Deletion and Return

Upon termination of the Customer's subscription or upon request, RepMinder will:

  • Delete or return all Personal Data to the Customer within 90 days, unless required by law to retain it
  • Delete existing copies of Personal Data from backup systems within 180 days
  • Provide written certification of deletion upon request

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. RepMinder shall be liable for the acts and omissions of its sub-processors to the same extent as if they were RepMinder's own acts and omissions.

13. Term and Termination

This DPA will remain in effect for as long as RepMinder processes Personal Data on behalf of the Customer. Upon termination, the data deletion provisions in Section 11 will apply.

14. Contact Information

For questions about this DPA or to request a signed enterprise DPA, please contact:

RepMinder, Inc.

Email: legal@repminder.ai

Website: https://repminder.ai