Data Processing Agreement
Last updated: 2026-06-30
Introduction
This Data Processing Agreement (the "DPA") forms part of the Terms of Use between Reinversed AB ("Reinversed", "we", "us") and Customer. It applies where Reinversed processes personal data on behalf of Customer in the course of providing the Service.
This DPA is intended to satisfy Article 28 of the EU General Data Protection Regulation ("GDPR") and equivalent processor-contract requirements under applicable data-protection law. Capitalised terms not defined in this DPA have the meaning given in the Terms of Use.
Roles and scope
For personal data contained in Customer Data, Customer is the controller and Reinversed is the processor, unless the parties expressly agree different roles in an Order Form. Customer determines the purposes and means of processing. Reinversed processes Customer Personal Data only on Customer's documented instructions, including the Terms of Use, this DPA, the applicable Order Form, Service configuration, and Customer's use of Service functionality.
"Customer Personal Data" means personal data contained in Customer Data that Reinversed processes on behalf of Customer as processor.
This DPA does not govern personal data Reinversed processes as controller, such as account administration, billing, security, communications, website analytics or marketing. That processing is described in the Privacy Policy.
Processing details
The subject matter of processing is Reinversed's provision, security, maintenance, troubleshooting and support of the Service.
The duration of processing is the Subscription Term plus any post-termination retention, export, deletion, backup or legal-retention period described in the Terms of Use, this DPA or applicable law.
The nature and purpose of processing include hosting, storing, transmitting, retrieving, indexing, analysing, logging, displaying, securing, backing up, deleting and otherwise processing Customer Personal Data as necessary to provide the Service, operate Agents, run integrations, support Customer, investigate incidents, prevent misuse, comply with law and follow Customer's documented instructions.
Categories of data subjects may include Customer's authorised users, administrators, employees, contractors, customers, prospects, suppliers, contacts, end users and other individuals whose personal data Customer submits to or processes through the Service.
Categories of Customer Personal Data may include names, business contact details, account identifiers, authentication identifiers, messages, prompts, files, documents, records, usage logs, technical metadata, support content, integration metadata, Agent Outputs, Agent Action metadata and other personal data Customer chooses to submit to or process through the Service.
Special categories of personal data, criminal-offence data, children's data, payment-card data, government identifiers and other highly sensitive data are not intended for processing unless the applicable Order Form or Service configuration permits that use and Customer has ensured that the processing is lawful and appropriately safeguarded.
Customer obligations
Customer is responsible for:
- complying with applicable data-protection law as controller;
- ensuring that Customer has a valid legal basis for processing Customer Personal Data through the Service;
- providing all required notices and obtaining all required consents;
- ensuring Customer's processing instructions are lawful, complete and accurate;
- configuring permissions, Connected Sources, Agents, Write Actions and end-user deployments appropriately;
- reviewing whether the Service is suitable for Customer's intended processing, risk level and data categories; and
- responding to data-subject requests, regulatory requests and other controller obligations, with Reinversed's assistance as described in this DPA.
Reinversed will inform Customer if, in Reinversed's opinion, an instruction infringes GDPR or other EU or Member State data-protection law, unless legally prohibited from doing so.
Reinversed obligations
Reinversed will:
- process Customer Personal Data only on Customer's documented instructions, unless required by EU or Member State law;
- ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations;
- implement appropriate technical and organisational measures to protect Customer Personal Data;
- assist Customer with data-subject requests, security obligations, breach notifications, data-protection impact assessments and regulator consultations, taking into account the nature of processing and information available to Reinversed;
- make available information necessary to demonstrate compliance with Article 28 GDPR as described in this DPA;
- delete or return Customer Personal Data at the end of the Service as described in this DPA; and
- impose required data-protection obligations on sub-processors.
Security measures
Reinversed will maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures may include:
- access controls and least-privilege authorisation;
- encryption in transit and at rest where supported by the relevant service;
- logging, monitoring and audit trails;
- credential, secret and key management controls;
- network, infrastructure and application security controls;
- backup, resilience and recovery processes;
- vulnerability management and secure development practices;
- personnel confidentiality obligations and access review processes; and
- incident-response processes.
Customer acknowledges that security measures may evolve over time, provided Reinversed does not materially decrease the overall level of protection for Customer Personal Data during the Subscription Term.
Sub-processors
Customer gives Reinversed general authorisation to engage sub-processors to process Customer Personal Data. Sub-processors may include providers of cloud hosting, infrastructure, storage, model inference, logging, monitoring, analytics, security, payment, communication and customer-support services.
Key sub-processors may include Google Cloud Platform, Google Vertex AI / Gemini, OpenAI, Anthropic, Stripe and communication or support providers used to provide the Service. A current list of sub-processors is available on request.
Reinversed will impose data-protection obligations on each sub-processor that are no less protective than those required by this DPA, to the extent applicable to the sub-processor's services. Reinversed remains responsible for sub-processors' performance of those obligations as required by GDPR.
Reinversed will provide prior notice of intended additions or replacements of sub-processors by reasonable means, which may include email, in-product notice, a legal page update or another notice mechanism. Customer may object on reasonable data-protection grounds within 14 days of notice. If the parties cannot resolve the objection, Customer may terminate the affected Service to the extent the new sub-processor is necessary for that Service.
International transfers
Reinversed aims to host and process Customer Personal Data within the EU/EEA where practicable. Some services, model providers, support operations, logs, security monitoring, abuse monitoring or integrations may involve processing outside the EU/EEA.
Reinversed will not transfer Customer Personal Data outside the EU/EEA unless an adequacy decision or appropriate transfer mechanism applies, such as the European Commission's Standard Contractual Clauses, together with supplementary measures where required by applicable law.
Customer authorises Reinversed to enter into Standard Contractual Clauses with sub-processors on Customer's behalf where necessary for international transfers of Customer Personal Data.
Data-subject requests
Customer is responsible for responding to data-subject requests relating to Customer Personal Data. Reinversed will provide reasonable assistance through Service functionality or other appropriate measures, taking into account the nature of processing and information available to Reinversed.
If Reinversed receives a request directly from a data subject relating to Customer Personal Data, Reinversed will, where lawful and reasonably identifiable as relating to Customer, promptly forward the request to Customer or instruct the data subject to contact Customer.
Personal data breaches
Reinversed will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to Reinversed to assist Customer in meeting its obligations under Articles 33 and 34 GDPR.
Reinversed's notification of or response to a personal data breach is not an admission of fault or liability.
Customer is responsible for notifying supervisory authorities and data subjects where required, unless mandatory law or an Order Form assigns a different obligation to Reinversed.
Assistance and audits
Taking into account the nature of processing and information available to Reinversed, Reinversed will provide reasonable assistance for Customer's security obligations, data-protection impact assessments and consultations with supervisory authorities.
Reinversed will make available information reasonably necessary to demonstrate compliance with this DPA. Customer may request an audit no more than once per year, unless a personal data breach or regulator requirement justifies an additional audit. Audits must be subject to reasonable prior notice, confidentiality obligations, security restrictions, normal business hours, and measures to avoid disruption or access to other customers' data.
Reinversed may satisfy audit requests by providing security documentation, third-party certifications, summaries, questionnaires or other appropriate evidence before permitting an on-site or remote audit.
Return and deletion
On termination or expiry of the Service, Customer may export Customer Personal Data using available functionality for 30 days unless access has been terminated for security, legal or acceptable-use reasons that reasonably prevent continued access.
At Customer's choice, and subject to Service functionality, Reinversed will delete or return Customer Personal Data and delete existing copies after the end of the Service, unless EU or Member State law requires continued storage.
Deletion from backups, logs and archival systems may occur according to Reinversed's ordinary retention and deletion cycles, provided Customer Personal Data remains protected under this DPA until deleted.
Government and regulator requests
If Reinversed receives a legally binding request for Customer Personal Data from a public authority, Reinversed will, where legally permitted, notify Customer and provide reasonable assistance so Customer may seek protective measures. Reinversed may disclose Customer Personal Data where legally required.
Liability and precedence
The liability provisions in the Terms of Use apply to this DPA unless mandatory data-protection law requires otherwise.
If this DPA conflicts with the Terms of Use, this DPA controls for the processing of Customer Personal Data as processor. If this DPA conflicts with Standard Contractual Clauses, the Standard Contractual Clauses control for the relevant international transfer.
Contact
Questions about this DPA can be sent to privacy@reinversed.com.