Data Processing Addendum
Effective Date: May 24, 2026
This Data Processing Addendum ("DPA") forms part of the Repmark Terms of Service available at getrepmark.com/terms (the "Agreement") between Repmark ("Repmark," "we," "us," or "our") and the customer that has accepted the Agreement ("Customer," "you," or "your"). By accepting the Agreement or by using the Services, Customer agrees to this DPA. In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Information, this DPA controls.
1. Definitions
Capitalized terms used in this DPA have the meanings given below or, where not defined, in the Agreement.
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any binding regulations promulgated thereunder.
- "Business," "Consumer," "Personal Information," "Service Provider," "sell," and "share" have the meanings given to those terms in the CCPA.
- "Customer Personal Information" means Personal Information that Customer uploads, provides, or makes available to Repmark, or that Repmark collects on Customer's behalf, in connection with the Services.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information.
- "Services" means the reputation management services that Repmark provides to Customer under the Agreement.
- "Sub-processor" means any third party engaged by Repmark to process Customer Personal Information on Repmark's behalf.
2. Roles of the Parties
The parties acknowledge and agree that, with respect to the processing of Customer Personal Information under the Agreement, Customer is the Business and Repmark is the Service Provider.
3. Scope and Purpose of Processing
3.1 Business Purposes
Repmark processes Customer Personal Information solely to provide the Services, which include:
- Monitoring Customer's Google Business Profile reviews;
- Generating AI-drafted responses to reviews in Customer's voice;
- Tracking competitor review activity;
- Producing trend analysis and monthly reports; and
- Communicating with Customer about the Services.
3.2 Categories of Personal Information
- Public review content (reviewer display names, review text, ratings, dates);
- Customer business identifiers (business name, location, Google Place ID);
- Customer business contact information (owner name, email, phone);
- Voice and tone samples that Customer provides at signup and during ongoing use of the Services; and
- AI-generated response drafts.
3.3 Categories of Consumers
- Persons who have left Google reviews about Customer's business; and
- Customer's business owner and designated representatives.
4. Service Provider Obligations
Repmark certifies that it understands the restrictions in this Section 4 and the CCPA, and that it will comply with them. Repmark will:
(a) Purpose limitation. Process Customer Personal Information only for the business purposes specified in this DPA and the Agreement, and not for any other purpose.
(b) No sale or sharing. Not sell or share Customer Personal Information.
(c) No external use. Not retain, use, or disclose Customer Personal Information outside the direct business relationship between Repmark and Customer, except as permitted by the CCPA.
(d) No data combination. Not combine Customer Personal Information with Personal Information that Repmark receives from, or on behalf of, any other person, except as permitted by the CCPA.
(e) Equivalent protection. Provide the same level of privacy protection for Customer Personal Information as is required of Customer under the CCPA.
(f) Notification of inability. Notify Customer promptly if Repmark determines that it can no longer meet its obligations under the CCPA.
(g) Customer remediation rights. Grant Customer the right, upon reasonable notice, to take reasonable and appropriate steps to (i) help ensure that Repmark uses Customer Personal Information in a manner consistent with Customer's obligations under the CCPA, and (ii) stop and remediate unauthorized use of Customer Personal Information. The steps available to Customer under this Section 4(g) consist of (i) requesting a written description of Repmark's relevant processing activities and security measures, (ii) reviewing Repmark's most recent compliance documentation if any, and (iii) on written notice, requiring Repmark to cease a specific use of Customer Personal Information that Customer reasonably believes is non-compliant. Customer is not entitled to on-site audit, system access, or inspection of Repmark's facilities under this Section.
5. Sub-processors
Customer authorizes Repmark to engage the Sub-processors listed below in Section 5.2 to provide the Services. Repmark will:
(a) Enter into a written agreement with each Sub-processor that imposes data protection obligations substantially similar to those in this DPA;
(b) Remain liable to Customer for its Sub-processors' acts and omissions in processing Customer Personal Information; and
(c) Provide Customer with at least thirty (30) business days' advance notice before engaging a new Sub-processor or replacing an existing one. Customer may object on reasonable grounds during this notice period; if the parties cannot resolve the objection in good faith, Customer may terminate the Agreement without penalty.
5.2 Current Sub-processors
| Sub-processor | Role | Data Processed | Location |
|---|---|---|---|
| Anthropic | AI review response generation; content flagging; content classification | Review text; business context; voice samples | United States |
| Apify | Public Google review data collection | Public Google review content (reviewer display names, review text, ratings) | Czech Republic |
| Resend | Transactional email delivery to Customer | Customer email address; report content | United States |
| Cloudflare | Encrypted backup storage (R2); bot mitigation (Turnstile); DNS | Encrypted Customer data backups; signup verification tokens | United States / Global |
| Google Cloud (Places API; Business Profile API) | Public business data lookup; review response posting (when Business Profile integration is enabled) | Google Place IDs; OAuth tokens (when Business Profile API is enabled by Customer) | United States |
| Telegram | Internal operational alerts to Repmark staff | Business names; review snippets; response drafts | United Arab Emirates / Global |
| Oracle Cloud Infrastructure | Service hosting | All Customer Personal Information processed by the Services | United States |
| Stripe | Payment processing | Customer business name; email; payment information | United States |
| Vercel | Hosting of marketing site (no Customer Personal Information transits through Vercel in normal operation) | Limited signup form data in transit only | United States |
6. Consumer Rights Assistance
Taking into account the nature of the processing and the information available to it, Repmark will provide reasonable assistance to Customer in fulfilling Customer's obligations under the CCPA to respond to Consumer requests, including requests to know, delete, correct, and opt out.
Upon Customer's verified written instruction to delete a Consumer's Personal Information, Repmark will delete that information from its records and instruct its Sub-processors to do the same, subject to statutory exceptions under the CCPA (including but not limited to legal compliance, security and fraud prevention, and internal uses compatible with the original purpose of collection).
7. Retention and Deletion
Repmark will retain Customer Personal Information for the duration of the Agreement plus thirty (30) days after termination or cancellation, after which Repmark will delete it from its production systems. Backups containing Customer Personal Information are retained for a limited operational period in accordance with Repmark's standard backup rotation policy and are deleted upon expiration.
Customer may request earlier deletion by emailing support@getrepmark.com. Repmark will honor such requests within forty-five (45) calendar days of verification, subject to statutory exceptions.
8. Security
Repmark maintains reasonable security measures appropriate to the nature of the Customer Personal Information it processes, including:
- Encryption in transit (TLS) and encryption at rest;
- Access controls limiting Customer Personal Information access to authorized Repmark personnel;
- Authentication controls on administrative systems;
- Routine patching and security review of infrastructure; and
- Backup and recovery procedures.
9. Security Incidents
Repmark will notify Customer without undue delay, and in any event within seventy-two (72) hours where reasonably possible, of any Security Incident affecting Customer Personal Information of which Repmark becomes aware. The notification will include, to the extent then known: the nature of the incident, the categories and approximate number of Consumers and records affected, the likely consequences, and the measures Repmark is taking to address and mitigate the incident.
10. Compliance and Cooperation
Upon Customer's reasonable written request and no more than once per twelve-month period, Repmark will provide Customer with information reasonably necessary to demonstrate Repmark's compliance with this DPA. Repmark may limit the information provided to the extent reasonably necessary to protect other customers' confidentiality or Repmark's intellectual property and confidential information.
11. Governing Law
This DPA is governed by the laws of the State of California, without regard to its conflict of laws provisions. Any disputes arising out of or relating to this DPA will be resolved as set forth in the Agreement.
12. Changes to this DPA
Repmark may update this DPA from time to time. For material changes that adversely affect Customer's rights, Repmark will provide at least thirty (30) days' advance notice by email to the address on file and post the updated DPA at getrepmark.com/dpa. For non-material changes (including clarifying edits and the routine addition of replacement Sub-processors under Section 5), Repmark may update the DPA effective on posting. Customer's continued use of the Services after the Effective Date of any update constitutes acceptance.
13. Contact
Questions, deletion requests, or other inquiries about this DPA may be directed to:
support@getrepmark.com
This DPA is a contract between Repmark and its Customers. Repmark is not a law firm, and nothing in this DPA constitutes legal advice to Customer or to any third party.