Data Processing Agreement

This DPA applies when InstaReplAI processes personal data on behalf of a business customer, including end-customer conversations, connected channel data and uploaded knowledge.

Last updated: May 10, 2026
Processor: TBD - planned Estonian company
Customer role: controller or business

1. Scope and roles

This DPA forms part of the InstaReplAI Terms of Service unless a separate signed DPA or enterprise agreement applies. The customer is the controller, business or equivalent party for customer personal data. InstaReplAI is the processor, service provider or equivalent party for that data.

For data that InstaReplAI processes for its own purposes, such as account administration, billing, security, product analytics and marketing, InstaReplAI acts as a controller as described in the Privacy Policy.

2. Customer instructions

We process customer personal data only according to documented instructions from the customer, including the Terms, order forms, workspace settings, product configuration, support requests and this DPA, unless law requires otherwise. The customer is responsible for ensuring those instructions are lawful.

3. Processing details

Item | Description
Subject matter | AI-assisted customer conversation management, booking, analytics, support automation and integrations.
Duration | For the term of the customer account, plus retention and deletion periods described in the Data Retention Policy.
Data subjects | Customer personnel, workspace users, leads, end customers, message senders, support contacts and integration users.
Data categories | Contact data, identifiers, messages, channel metadata, booking data, order context, support data and technical logs.
Sensitive data | Not intended. Customer must not submit sensitive data unless legally permitted and appropriate safeguards are enabled.

4. Security measures

We use technical and organizational measures designed to protect customer personal data, including access controls, tenant separation, encryption in transit, encryption at rest where available, logging, backups, least privilege, provider review and operational monitoring. Details are summarized in the Security Policy.

5. Subprocessors

The customer authorizes InstaReplAI to use subprocessors to provide the service. Subprocessor categories and known TBD providers are listed on the Subprocessors page. We remain responsible for subprocessors as required by applicable data protection law.

Before adding a new production subprocessor that materially processes customer personal data, we will update the Subprocessors page or provide another reasonable notice. Customers may object where required by law by contacting privacy@instareplai.com with a specific, reasonable data protection concern.

6. Data subject requests

We will reasonably assist customers with access, deletion, correction, portability, restriction, objection, opt-out and other data subject requests where the customer cannot fulfill the request through product controls. We may direct end users to the customer when the customer controls the data.

7. Security incidents

We will notify affected customers without undue delay after confirming a personal data breach involving customer personal data, as required by law. Notice may include the nature of the incident, affected data, mitigation steps and customer action items, where known and legally permitted.

8. International transfers

If GDPR or UK GDPR applies and customer personal data is transferred outside the EEA, UK or Switzerland, the parties will rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, approved transfer mechanisms or replacement mechanisms. Final SCC module details are TBD pending company setup.

9. Return and deletion

After account termination or a verified deletion request, we will delete or return customer personal data according to product capabilities, legal retention duties, backup cycles and the Data Deletion Policy. We may retain limited records needed for security, billing, dispute, fraud prevention or legal compliance.