Data Processing Agreement
Last updated: July 3, 2026
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller (“Controller”): The customer who has accepted the Secreply Terms of Service
- Data Processor (“Processor”): frits.cloud, trading as Secreply, registered with the Dutch Chamber of Commerce (KvK) under number 90653327
This DPA forms part of and is subject to the Secreply Terms of Service. By accepting the Terms of Service, the Controller also accepts this DPA.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR
- “Processing” means any operation performed on Personal Data as defined in Article 4(2) GDPR
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
3. Subject Matter and Duration
3.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Secreply platform — an AI-powered security questionnaire automation service.
3.2 Duration
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller, including any period after termination of the main agreement during which data is retained or deleted in accordance with these terms.
3.3 Nature and Purpose of Processing
- Storing and managing user accounts and organization data
- Processing uploaded documents for knowledge base indexing
- Generating AI-assisted answers to security questionnaires
- Providing collaboration features between team members
- Processing payments and billing
4. Types of Personal Data
The following categories of Personal Data may be processed:
- Contact information (name, email address, phone number)
- Account credentials (hashed passwords)
- Organization information (company name, VAT number, billing details)
- Content data (documents, questionnaires, and answers uploaded by users)
- Usage data (login timestamps, feature usage)
- Technical data (IP addresses, browser information)
5. Categories of Data Subjects
- Employees and contractors of the Controller who use the platform
- Individuals whose personal data may be contained in documents uploaded by the Controller
6. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law
- Ensure that persons authorized to process Personal Data have committed to confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 8
- Not engage another processor without prior written authorization from the Controller (general authorization granted in Section 7)
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, impact assessments)
- Delete or return all Personal Data upon termination of the agreement, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
7. Sub-processors
7.1 General Authorization
The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 30 days.
7.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute | EU (Frankfurt, Germany) |
| OpenAI | AI-powered answer generation and document analysis | United States* |
| Stripe | Payment processing | United States* |
* Transfers to the United States are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, as applicable.
7.3 Sub-processor Obligations
The Processor shall impose the same data protection obligations on each sub-processor by way of a contract. The Processor remains fully liable for the performance of its sub-processors.
8. Security Measures
The Processor implements the following technical and organizational measures:
8.1 Technical Measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure password hashing (bcrypt)
- Network isolation and firewall rules
- Automated vulnerability scanning
- Regular security patches and updates
- Automated backups with encryption
- Logical data separation between customers
8.2 Organizational Measures
- Principle of least privilege for access controls
- Confidentiality obligations for all personnel
- Incident response procedures
- Regular review of security practices
9. Data Breach Notification
- The Processor shall notify the Controller of a Data Breach without undue delay, and in any event within 48 hours of becoming aware of the breach
- The notification shall include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- The Processor shall cooperate with the Controller and take reasonable steps to mitigate the effects of the breach
10. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests under Articles 15–22 GDPR, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall respond to such assistance requests within 10 business days.
11. Data Transfers
The primary data storage location is the EU (AWS Frankfurt, Germany). Where Personal Data is transferred outside the EEA (e.g., to OpenAI or Stripe in the United States), appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- EU-US Data Privacy Framework certification (where applicable)
- Supplementary measures including encryption and access controls
12. Audits
- The Processor shall make available all information necessary to demonstrate compliance with this DPA
- The Controller may conduct audits, including inspections, no more than once per year, with at least 30 days prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller shall bear its own costs of any audit
13. Data Deletion and Return
Upon termination of the agreement:
- The Controller may export its data through the platform during a 30-day grace period
- After the grace period, the Processor shall delete all Personal Data within 30 days
- The Processor shall provide written confirmation of deletion upon request
- Data retained for legal obligations (e.g., billing records) shall be clearly identified and minimized
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted by applicable law.
15. Governing Law
This DPA shall be governed by the laws of the Netherlands. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.
16. Contact
For questions about this DPA or data processing matters, contact us at:
© 2026 Secreply (frits.cloud). All rights reserved.