DPA version 2026-06-12
Data Processing Agreement
This Article 28 GDPR agreement forms part of the SiteReply contract wherever SiteReply processes personal data for the customer. The German version is authoritative.
1. Parties and subject
The customer is controller and SiteReply is processor. Processing supports the SiteReply platform, knowledge base, embeddings, AI responses, security and support.
2. Duration and purpose
Processing generally lasts for the contract term and includes collection, organization, storage, retrieval, disclosure to approved subprocessors, restriction and deletion.
3. Data and people
- Customer users: business contact, account, role and usage data
- Website visitors: questions and other voluntarily submitted live content
- Customer content: websites, files, text, metadata and embeddings
- Support/security: access, diagnostic and audit data
4. Instructions
SiteReply acts only on documented customer instructions, including for third-country transfers, unless law requires otherwise. SiteReply informs the customer before legally required processing unless prohibited for important public-interest reasons. Product configuration, API use, support requests and this agreement constitute instructions.
SiteReply informs the customer without undue delay if an instruction appears to infringe the GDPR or other data-protection law. The customer remains responsible for legality and transparency.
5. Security
- Confidentiality obligations for all persons authorized to process personal data
- Role-based access and authentication
- Transport encryption and protected server/database access
- Organization-level tenant attribution
- Audited administrative support access
- Backup, patching and recovery procedures
- Data minimization, validation and abuse protection
- Appropriate Article 32 technical and organizational measures based on risk, state of the art and implementation cost
6. Subprocessors
The customer gives general authorization for subprocessors listed at /subprocessors. SiteReply announces material changes. The customer may object for substantial data-protection reasons; if no reasonable solution exists, the affected service can be terminated.
SiteReply imposes the same data-protection obligations on each subprocessor, including sufficient technical and organizational measures, and remains responsible to the customer for the subprocessor's performance.
7. International transfers
Transfers outside the EEA occur only under Articles 44 et seq. GDPR, such as an adequacy decision or Standard Contractual Clauses.
8. Assistance and incidents
Taking account of the processing, SiteReply assists with data-subject requests through suitable technical and organizational measures and assists with the controller's obligations under Articles 32 to 36 GDPR, including security, breach notifications, impact assessments and prior consultations.
Personal-data breaches are reported without undue delay after discovery, together with the information available.
9. Audit
SiteReply provides required compliance information. Audits require reasonable notice, confidentiality and minimal operational disruption. Extraordinary customer-specific audit costs are borne by the customer unless a material breach is found.
10. Return and deletion
At service end, SiteReply deletes or returns personal data at the customer's choice and deletes existing copies unless law requires retention. Database backups are protected and routinely deleted after 14 days.
11. Priority
For processor obligations, this DPA prevails over the terms. The German version controls.