Data Processing Agreement

1. Parties

Between:

AppReply (the “Processor”)
Email: help@appreply.co

And

[Client Name] (the “Controller”)
Email: [Client Email]
Address: [Client Address]

2. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set out below:

• “Personal Data” means any information relating to an identified or identifiable natural person.
• “Processing” means any operation performed on Personal Data.
• “Sub-processor” means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
• “Data Subject” means an identified or identifiable natural person.
• “Services” means the services provided by the Processor to the Controller as outlined in the main agreement.

3. Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller in accordance with this Agreement. This Agreement shall commence on the effective date of the main agreement and continue until the termination of the Services.

4. Nature and Purpose of Processing

The Processor will process Personal Data as necessary to provide the Services and in accordance with the documented instructions of the Controller.

5. Types of Personal Data and Categories of Data Subjects

Types of Personal Data: Names, email addresses, job titles, company names, payment information, and any other Personal Data provided by the Controller.

Categories of Data Subjects: The Controller's employees, customers, users, and any other individuals whose Personal Data is provided by the Controller.

6. Obligations of the Controller

The Controller warrants that it complies with all applicable data protection laws regarding the Personal Data provided to the Processor. The Controller is responsible for:

• Ensuring that it has the legal right to transfer the Personal Data to the Processor.
• Providing documented instructions to the Processor that comply with applicable laws.
• Responding to Data Subject requests concerning their Personal Data.

7. Obligations of the Processor

The Processor agrees to:

• Process Personal Data only on documented instructions from the Controller.
• Ensure that personnel authorized to process Personal Data have committed to confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
• Assist the Controller in fulfilling its obligations under applicable data protection laws.
• Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
• Delete or return all Personal Data upon termination of the Services, at the Controller's choice.

8. Sub-processors

The Controller provides a general authorization to the Processor to engage Sub-processors for carrying out processing activities on behalf of the Controller. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.

The Processor currently engages the following Sub-processors:

• Lemonsqueezy (Payment Processing)
  Privacy Policy: https://www.lemonsqueezy.com/privacy
• Supabase (Data Storage and Hosting)
  Privacy Policy: https://supabase.com/privacy
• Frigade (User Onboarding)
  Privacy Policy: https://www.frigade.com/privacy
• Google Analytics (Analytics Services)
  Privacy Policy: https://policies.google.com/privacy
• Vercel (Hosting)
  Privacy Policy: https://vercel.com/legal/privacy-policy
• Supabase Auth (Authentication Services)
  Privacy Policy: https://supabase.com/privacy

9. International Data Transfers

Personal Data may be transferred to, and processed in, countries outside of the European Economic Area (EEA). The Processor shall ensure that such transfers comply with applicable data protection laws and that appropriate safeguards are in place.

10. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

• Encryption of Personal Data where appropriate.
• Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• Regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

11. Data Subject Rights

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfill the Controller's obligations to respond to requests to exercise Data Subject rights under applicable data protection laws.

12. Personal Data Breach

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach. The Processor shall provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects or supervisory authorities of the Personal Data breach.

13. Deletion or Return of Personal Data

Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.

14. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

15. Liability

Each Party shall be liable for damages caused by processing that infringes applicable data protection laws. The Processor shall be liable for the damage caused by processing only where it has not complied with obligations of data protection laws specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

16. Governing Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of Norway. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Norway.

17. Amendments

Any amendments to this Agreement shall be in writing and signed by both Parties.

18. Entire Agreement

This Agreement constitutes the entire agreement between the Parties relating to the processing of Personal Data and supersedes any prior agreements.

19. Signatures

For the Controller:
Name: __________________________
Title: __________________________
Signature: _______________________
Date: ___________________________

For the Processor (AppReply):
Name: __________________________
Title: __________________________
Signature: _______________________
Date: ___________________________

Last updated: October 1, 2024.