Sub-Processor Agreement

Last updated: December 3, 2025

This Sub-Processor Agreement explains how ReplyQuick LLC ("ReplyQuick", "we", "us", "our") engages, manages, and oversees sub-processors who may process personal data on our behalf as part of delivering our services.

This document forms part of the ReplyQuick Data Processing Agreement (DPA) and applies to all processing activities conducted by third-party service providers that support our infrastructure, telephony capabilities, AI workflows, and platform operations.

1. Definitions

Sub-Processor

A third-party entity engaged by ReplyQuick that processes personal data on our behalf.

Personal Data

Any information relating to an identified or identifiable individual, including names, phone numbers, images, user credentials, and usage data.

Processing

Any operation performed on personal data, such as collection, storage, transmission, analysis, or deletion.

Data Protection Laws

All applicable privacy laws, including but not limited to:

  • HIPAA (U.S. Health Insurance Portability and Accountability Act)
  • GDPR (EU General Data Protection Regulation)
  • CCPA/CPRA (California)
  • LGPD (Brazil)
  • PIPEDA/PHIPA (Canada)
  • Other relevant state, federal, and international frameworks

2. General Obligations of Sub-Processors

ReplyQuick requires all sub-processors to adhere to strict data protection standards. Each sub-processor must:

  1. Process personal data only based on instructions from ReplyQuick, as outlined in our DPA.
  2. Maintain strict confidentiality and ensure their staff is trained and authorized to handle data securely.
  3. Implement industry-standard technical and organizational security measures, including:
    • Encryption in transit and at rest
    • Access controls and authentication security
    • Regular security testing and monitoring
    • Secure data storage and transmission
  4. Notify ReplyQuick promptly of any suspected or confirmed data breach.
  5. Cooperate with ReplyQuick to support compliance obligations, audits, and data subject rights requests.

3. Security & Technical Measures

All sub-processors must maintain robust security controls appropriate to the risks of processing personal data, including:

  • Encryption technologies (TLS, AES-256, or better)
  • Role-based access controls
  • Secure development lifecycle
  • Logging and monitoring of system activity
  • Incident detection and response procedures
  • Business continuity and disaster recovery measures

Sub-processors must provide security documentation or compliance attestations (SOC2, ISO27001, HITRUST, or equivalent) upon request.

4. International Data Transfers

Sub-processors may process data in jurisdictions outside those where data was originally collected only when:

  • Required for service delivery
  • Transfers comply with applicable laws
  • Adequate legal safeguards are in place, such as:
    • Standard Contractual Clauses (SCCs)
    • Adequacy decisions
    • HIPAA BAAs (where applicable)
    • LGPD-compliant instruments

ReplyQuick ensures that all transfers maintain an equivalent level of protection.

5. Audit & Compliance Oversight

ReplyQuick retains the right to:

  • Review sub-processor security practices
  • Request documentation and certifications
  • Conduct assessments or audits where appropriate
  • Suspend or terminate a sub-processor that fails to meet required standards

Sub-processors must fully cooperate with any compliance review.

6. Data Breach Notification

Sub-processors must notify ReplyQuick without undue delay (usually within 24 hours) upon discovering a breach affecting personal data.

The notification must include:

  • Nature and scope of the breach
  • Data types affected
  • Number of impacted individuals (if known)
  • Measures taken or proposed to contain and mitigate the breach
  • Contact details for further follow-up

ReplyQuick will, in turn, notify affected customers in accordance with applicable laws.

7. Termination & Data Return

Upon termination of services, sub-processors must:

  • Immediately stop processing personal data
  • Return or delete all personal data in their possession
  • Provide written confirmation of deletion
  • Maintain confidentiality obligations indefinitely

8. Current List of Approved Sub-Processors

The full list of third-party providers authorized to process data on behalf of ReplyQuick is maintained at:

replyquick.ai/subprocessors

This list includes:

  • Hosting providers
  • Telephony and SMS carriers
  • AI processing providers
  • Payment processors
  • Secure email and communications services

ReplyQuick will update the list prior to adding or removing a sub-processor.

9. Governing Law

This Agreement is governed by U.S. privacy law and relevant international data protection regulations, depending on the jurisdiction of the customer.

10. Contact Us

For questions regarding this Sub-Processor Agreement:

Email: info@replyquick.ai