Data Processing Agreement
Last updated:
This Data Processing Agreement ("DPA") forms part of the agreement between RERIGHT ("Processor") and the entity engaging RERIGHT's consulting services or subscribing to RERIGHT's platform services ("Controller") for the processing of personal data. This DPA applies when RERIGHT processes personal data on behalf of a client in connection with consulting engagements, platform access, or API services. This DPA does not apply to RERIGHT's processing of personal data as a controller (e.g., website visitor data, newsletter subscribers), which is governed by our Privacy Policy.
01 Definitions
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction. "Subprocessor" means any third party engaged by RERIGHT to process Personal Data on behalf of the Controller.
02 Scope of Processing
RERIGHT processes Personal Data only as necessary to perform the services described in the applicable engagement agreement or service terms. The categories of data, data subjects, and purposes of processing are defined in the specific engagement agreement between the parties.
03 RERIGHT's Obligations
RERIGHT shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Assist the Controller in responding to data subject access requests and other rights requests
- Assist the Controller in ensuring compliance with data breach notification obligations
- Delete or return all Personal Data to the Controller at the end of the engagement, unless retention is required by law
- Make available to the Controller all information necessary to demonstrate compliance with these obligations
04 Subprocessors
RERIGHT maintains a current list of subprocessors. The list is provided upon request to Controllers under a signed DPA; to request it, email vijay@reright.io. RERIGHT will notify the Controller of any intended changes to subprocessors, giving the Controller a reasonable opportunity to object. If the Controller raises a reasonable objection and RERIGHT cannot accommodate it, either party may terminate the affected services upon written notice.
05 Data Transfers
If Personal Data is transferred outside the jurisdiction of the Controller, RERIGHT will ensure appropriate safeguards are in place, including standard contractual clauses or other mechanisms recognized under applicable data protection law.
06 Security Measures
- Encryption of data in transit using TLS/HTTPS and at rest where applicable
- Access controls limiting data access to authorized personnel only
- Regular encrypted backups to secure offsite storage (Backblaze B2)
- Monitoring for unauthorized access or anomalous activity
- Secure server infrastructure hosted in professional data centers (Hetzner, Helsinki, EU)
07 Data Breach Notification
RERIGHT will notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
08 Audits
Upon reasonable request and subject to confidentiality obligations, RERIGHT will make available information necessary to demonstrate compliance with this DPA. RERIGHT will allow and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice and scope limitations.
09 Term and Termination
This DPA remains in effect for the duration of the engagement agreement. Upon termination, RERIGHT will delete or return all Personal Data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.
10 Contact
For DPA inquiries or to request an executed copy: