Legal
Data Processing Agreement
Last updated: June 12, 2026
This Data Processing Agreement ("DPA") forms part of, and is governed by, the Terms of Service between Automate Anything LLC, doing business as Reply Flow ("Reply Flow", "we", "us", or "our"), and the customer that has accepted those Terms ("Customer", "you"). It applies whenever Reply Flow processes Personal Data on the Customer's behalf in the course of providing the Service, and it reflects the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (the "CCPA"), and similar data-protection laws ("Applicable Data Protection Laws").
By using the Service, the Customer agrees to this DPA. A countersigned copy is available on request to [email protected]. Where this DPA conflicts with the Terms of Service on the subject of data protection, this DPA controls.
1. Definitions
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by Reply Flow to process Customer Personal Data. "Customer Personal Data" means Personal Data that Reply Flow processes on the Customer's behalf through the Service — including data the Customer brings in from connected accounts and stores (such as Gmail, WhatsApp, Shopify, and WooCommerce). Under the CCPA, the Customer is a "business" and Reply Flow is a "service provider".
2. Roles of the parties
For Customer Personal Data, the Customer is the Controller and Reply Flow is the Processor. The Customer is responsible for establishing a lawful basis for the Processing, for providing any required notices to, and obtaining any required consents from, its own customers and contacts (the Data Subjects), and for the accuracy of the instructions it gives Reply Flow. Reply Flow processes Customer Personal Data only as a Processor on the Customer's behalf.
3. Subject-matter, nature, purpose, and duration
- Subject-matter and purpose: Reply Flow processes Customer Personal Data only to provide and support the Service — operating a shared inbox, drafting and sending replies (including with AI agents the Customer configures), answering order-related questions, creating orders the Customer has enabled, and attributing revenue back to conversations.
- Nature of Processing: collection, storage, organisation, retrieval, use, transmission, and deletion as needed to operate the Service.
- Duration: for the term of the Terms of Service, plus the limited retention periods described in our Privacy Policy.
4. Categories of Data Subjects and Personal Data
Data Subjects may include: the Customer's end customers, prospective customers, and contacts who message the Customer; and the Customer's own authorised users.
Types of Personal Data may include: names, email addresses, phone numbers, message content and attachments, order and transaction data from connected commerce platforms (such as Shopify and WooCommerce), and any other content the Customer chooses to process through the Service. Reply Flow does not require special-category data and asks the Customer not to send it.
5. Reply Flow's obligations as Processor
- Documented instructions. Reply Flow processes Customer Personal Data only on the Customer's documented instructions — which include the Terms of Service, this DPA, and the Customer's configuration and use of the Service — unless required by law, in which case Reply Flow will notify the Customer first where legally permitted.
- Confidentiality. Reply Flow ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Security. Reply Flow implements appropriate technical and organisational measures under Article 32 GDPR, including: TLS encryption in transit and AES-256 encryption at rest; database row-level security that isolates each Customer's data from every other Customer's; encryption of connector and webhook secrets at the application layer; least-privilege, audited staff access; and verification of every inbound webhook's authenticity (HMAC) before any data is read or written. A fuller description is in our Privacy Policy.
- Data-subject requests. Taking into account the nature of the Processing, Reply Flow assists the Customer with its obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, and objection), including through the Service's own tools and — for connected stores — by honouring the platform's mandatory data-erasure requests automatically (for example, Shopify's customers/redact and shop/redact webhooks).
- Assistance. Reply Flow assists the Customer, where relevant, with data-protection impact assessments and prior consultations with supervisory authorities.
- Breach notification. Reply Flow notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, with the information the Customer reasonably needs to meet its own notification obligations.
- Deletion or return. On termination of the Service, Reply Flow deletes or returns Customer Personal Data in accordance with the retention periods in the Privacy Policy, except where retention is required by law.
- Records and audits. Reply Flow makes available the information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and subject to confidentiality, allows for and contributes to audits no more than once per year (or as required by a supervisory authority).
6. Sub-processors
The Customer grants Reply Flow general authorisation to engage Sub-processors to provide the Service. Reply Flow imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for its Sub-processors' performance. Our current Sub-processors are listed in section 6 of the Privacy Policy (Supabase, Render, Anthropic, OpenAI, Google Cloud, Whapi, and Stripe). We will update that list before adding or replacing a Sub-processor; if you object to a change on reasonable data-protection grounds, email [email protected] and we will work with you in good faith, up to and including allowing you to stop using the affected feature or terminate.
7. International transfers
Where Customer Personal Data is transferred out of the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or an equivalent safeguard offered by the relevant Sub-processor, which are incorporated into this DPA by reference.
8. CCPA
With respect to Personal Data subject to the CCPA, Reply Flow acts as a "service provider". Reply Flow does not sell or share Customer Personal Data, does not retain, use, or disclose it for any purpose other than performing the Service (or as otherwise permitted by the CCPA), and does not combine it with Personal Data from other sources except as permitted by the CCPA. Reply Flow certifies that it understands and will comply with these restrictions.
9. Liability and governing law
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA is governed by the same law and subject to the same dispute-resolution provisions as the Terms of Service.
10. Contact
For any question about this DPA, to request a countersigned copy, or to exercise a data right, email [email protected].