Data Processing Addendum

Effective May 18, 2026.

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies where you ("Customer") are a controller of personal data under GDPR, UK GDPR, CCPA/CPRA, or a comparable privacy law, and you engage ReplyBird as a processor (or service provider under CCPA) to handle that personal data.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by us on Customer's behalf in connection with the Service. "Sub-processor", "controller", "processor", and "data subject" have the meanings given in GDPR. "Service Provider" and "sale" have the meanings given in the CCPA/CPRA.

2. Roles and scope

Customer is the controller and ReplyBird is the processor of Personal Data processed to provide the Service. Categories of data subjects include Customer's users, Customer's clients, and others whose email correspondence Customer chooses to process through the Service. Categories of Personal Data include email content, contact information, calendar metadata, and account identifiers.

3. Instructions and purpose limitation

We process Personal Data only on Customer's documented instructions, which include using the Service in the manner described in our public documentation and the Terms. We will not sell or share Personal Data (within the meaning of CCPA/CPRA) or use it for our own commercial purposes, including training of AI models.

4. Confidentiality

Personnel authorized to process Personal Data are bound by confidentiality obligations.

5. Security

We implement appropriate technical and organizational measures, described in the security section of our Privacy Policy, including encryption-in-transit (TLS 1.2+), encryption-at-rest for OAuth tokens (AES-256-GCM), access controls, and audit logging.

6. Sub-processors

Customer authorizes our use of the sub-processors listed on the sub-processors page. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA. We will provide 30 days' advance notice of new sub-processors via that page, or by email to customers subscribed to the notification list.

7. Data subject requests

We will assist Customer in responding to data subject requests (access, correction, erasure, restriction, portability, objection) by providing Service features that enable Customer to action such requests directly, or by reasonable cooperation where features are not sufficient.

8. Breach notification

We will notify Customer without undue delay and no later than 72 hours after becoming aware of a Personal Data breach affecting Customer's data, with the information then available.

9. International transfers

Where Personal Data is transferred out of the EEA, UK, or Switzerland, the parties incorporate the European Commission Standard Contractual Clauses (Module Two — controller to processor) and the UK International Data Transfer Addendum where applicable, with Customer as data exporter and ReplyBird as data importer.

10. Audit

We will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Customer may, not more than once per twelve-month period and on 30 days' notice, audit our compliance, provided that the audit is conducted during business hours, does not disrupt operations, respects confidentiality, and (unless required by a supervisory authority) relies first on our most recent third-party audit reports or certifications.

11. Return or deletion

Upon termination of the Service, we will delete Personal Data within 90 days, except where retention is required by law. Customer may export data prior to termination using available Service features.

12. Liability

Liability under this DPA is subject to the limitations in the Terms.

13. Order of precedence

If there is a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA prevails.

14. How to execute

This DPA is incorporated into the Terms automatically for Customers acting as controllers. A countersigned copy is available on request to legal@replybird.app.