
Data Processing Agreement (DPA)

Last Updated: December 3, 2025

This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms and Conditions and governs how ReplyQuick LLC ("ReplyQuick", "we", "us", "our") processes personal data on behalf of its customers ("Customer", "you", "your") in connection with ReplyQuick services.

This DPA is designed to satisfy the requirements of:

  • HIPAA (U.S. Health Insurance Portability and Accountability Act)
  • GDPR (EU General Data Protection Regulation, Article 28)
  • CCPA/CPRA (California Consumer Privacy Act)
  • PIPEDA/PHIPA (Canada)
  • LGPD (Brazil)
  • Other applicable international privacy laws

If you do not agree to this DPA, you must cease using ReplyQuick services.

1. Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person, including names, phone numbers, email addresses, images, device data, usage logs, audio, or other identifiers.

"Processing"

Any operation performed on personal data, including collection, storage, transmission, analysis, or deletion.

"Controller"

The party determining the purpose and means of processing personal data (generally the Customer).

"Processor"

The party processing personal data on behalf of the Controller (ReplyQuick).

"Sub-Processor"

Any third party appointed by ReplyQuick to process personal data.

"Data Protection Laws"

All applicable state, federal, and international privacy laws, including HIPAA, GDPR, CCPA/CPRA, LGPD, PIPEDA, and others.

"Services"

The ReplyQuick platform, telephony system, AI analysis, messaging features, dashboards, and any related tools or APIs provided to the Customer.

2. Roles of the Parties

  1. Customer is the Data Controller.
  2. ReplyQuick is the Data Processor.
  3. For HIPAA-covered entities, ReplyQuick is a Business Associate.
  4. Sub-processors engaged by ReplyQuick act as Sub-Processors.

ReplyQuick processes personal data solely on documented instructions from the Customer.

3. Purpose of Processing

ReplyQuick processes personal data only as necessary to:

  • Provide telephony, AI inference, and messaging services
  • Deliver missed-call automation and call/text handling
  • Run AI-powered scan analysis and reporting
  • Manage user accounts and subscriptions
  • Maintain system logs, security, and auditing
  • Provide support and troubleshooting
  • Execute workflows configured by the Customer
  • Comply with legal or regulatory requirements

ReplyQuick does not process data for marketing or unrelated purposes.

4. Customer Instructions

ReplyQuick will process personal data only:

  • In accordance with this DPA
  • Under Customer instructions
  • As required to provide the services
  • As required by applicable law

If an instruction violates applicable law, ReplyQuick will notify Customer.

5. Security Measures

ReplyQuick maintains industry-standard technical and organizational safeguards, including:

Technical Controls

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and role-based permissions
  • Secure APIs
  • Application firewalls
  • Automatic session expiration
  • Data redundancy and backups

Organizational Controls

  • Security training for authorized personnel
  • Strict access logging
  • Multi-factor authentication
  • Least-privilege access principles

Infrastructure Controls

  • Secure hosting and physical security via AWS
  • Monitoring, logging, and alerting
  • Regular penetration testing and vulnerability scanning

6. Confidentiality

ReplyQuick ensures that all personnel with access to personal data:

  • Are authorized
  • Are contractually bound to confidentiality
  • Receive training on secure handling and privacy laws
  • Only access data when necessary

7. Sub-Processors

ReplyQuick may engage sub-processors to support service delivery.

A current list of sub-processors is maintained at:

replyquick.ai/subprocessors

ReplyQuick will:

  • Notify customers of changes where legally required
  • Ensure sub-processors provide equal or greater security
  • Enter into binding contracts with each sub-processor
  • Remain responsible for their performance

8. International Data Transfers

ReplyQuick may transfer data internationally where necessary.

All transfers comply with applicable laws, using:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • HIPAA Business Associate requirements
  • LGPD-compliant mechanisms

Sub-processors must maintain equivalent protections.

9. Data Subject Rights

Where applicable, ReplyQuick will assist Customers in responding to:

  • Access requests
  • Correction requests
  • Deletion requests
  • Restriction or objection requests
  • Data portability

ReplyQuick does not respond directly to end-users unless instructed by Customer.

10. Data Breach Notification

If ReplyQuick becomes aware of a breach affecting personal data, we will notify Customer without undue delay, including:

  • Nature of the breach
  • Data categories and approximate volume affected
  • Likely consequences
  • Mitigation and corrective actions
  • Contact information for further support

Customer remains responsible for any required notifications to individuals or regulators, except where laws require ReplyQuick to notify directly.

11. Return or Deletion of Data

Upon termination of services:

  1. Customer may request data export.
  2. Customer may request deletion of data.
  3. ReplyQuick will delete remaining personal data after retention obligations expire.
  4. ReplyQuick may retain minimal records for:
    • Compliance
    • Security logs
    • Legal defense

HIPAA and state retention laws may require data retention for 7 years.

12. Compliance with HIPAA (Business Associate Addendum)

If Customer is a HIPAA Covered Entity or Business Associate:

  • This DPA incorporates ReplyQuick's Business Associate Addendum (BAA)
  • ReplyQuick will comply with all HIPAA/HITECH requirements
  • PHI will be protected in accordance with HIPAA security rules

The BAA is available at:

replyquick.ai/baa

13. Limitation of Liability

ReplyQuick's liability under this DPA is subject to the limitations in the Terms and Conditions, except where prohibited by HIPAA or GDPR.

14. Term and Termination

This DPA remains in effect:

  • As long as Customer uses ReplyQuick services
  • Until all processing is complete
  • Until all personal data is deleted or returned

Termination of the main service agreement automatically terminates this DPA.

15. Governing Law

This Agreement is governed by:

  • U.S. federal privacy law (HIPAA, etc.)
  • State privacy laws (CCPA/CPRA, etc.)
  • GDPR (for EU customers)
  • LGPD (for Brazil)
  • Any applicable international privacy regulations

16. Contact Information

For questions regarding this DPA:

Email: info@replyquick.ai