
Data Processing Agreement (DPA)

Version: 1.0 — Last updated: 05-01-2026

1. Parties

This data processing agreement (“DPA”) is entered into between:

  • NexReply (hereinafter: “Processor”); and
  • the customer of NexReply (hereinafter: “Controller”).

The Processor and the Controller are hereinafter jointly referred to as the “Parties”.

2. Purpose and scope

This DPA governs the processing of personal data by the Processor solely on behalf of the Controller, in the context of providing the NexReply service for automating customer service communications (matching + AI).

The Controller determines the purposes and means of the processing. The Processor does not process personal data for its own purposes.

3. Nature of the processing, data, and data subjects

3.1 Nature of the processing

  • Receiving, analysing, and classifying customer messages (e.g. email/tickets)
  • Generating (draft) replies using rules and AI
  • Storing conversations, metadata, and logs for execution, auditing, and support
  • Escalation to a human agent where confidence is insufficient (human fallback)

3.2 Categories of personal data

  • Identification data (name, email address, telephone number)
  • Communication content (emails/messages and attachments)
  • Order and shipping data (e.g. order number, status, Track & Trace)
  • Technical data and log data (e.g. timestamps, IP address, error and security logs)

3.3 Categories of data subjects

  • (End) customers and contact persons of the Controller

4. Obligations of the Processor

  • The Processor processes personal data solely on the basis of written or electronic instructions from the Controller.
  • The Processor implements appropriate technical and organisational security measures (see Article 8).
  • The Processor ensures confidentiality; persons acting under the authority of the Processor are bound by confidentiality obligations.
  • The Processor supports the Controller in handling data subject requests (to the extent reasonable and within the capabilities of the Service).
  • The Processor shall not make personal data available to third parties unless permitted under this DPA or required by law.

5. Instructions and responsibility

The Controller warrants that:

  • it is entitled to provide personal data to the Processor and has a valid legal basis for the processing;
  • the instructions given to the Processor do not conflict with applicable laws and regulations.

The Processor is not liable for damage resulting from unlawful or incorrect instructions from the Controller, nor for processing personal data for which the Controller lacks a valid legal basis.

6. AI processing

AI functionality is used exclusively for the purpose of providing the Service to the Controller and within the Controller’s instructions.

Personal data is not used to train AI models and is not processed for independent purposes outside the provision of the Service, unless the Parties expressly agree otherwise in writing.

Where the Service has insufficient confidence, the conversation is escalated to a human agent (human fallback), if this functionality is enabled.

7. Sub-processors

The Processor may engage sub-processors for, among other things, hosting/infrastructure, email services, and AI services, provided that the Processor enters into an agreement with each sub-processor containing safeguards at least equivalent to those set out in this DPA.

An up-to-date list of sub-processors is available via support or upon written request.

8. Retention periods and deletion

Personal data shall not be retained longer than necessary for the performance of the Service.

The standard retention period for operational email data and (security) logs is 90 days, unless:

  • otherwise agreed in writing; or
  • statutory obligations require a longer retention period.

After the retention period has expired, data will be deleted or anonymised in such a way that it can no longer be attributed to an identifiable individual.

9. Security

The Processor implements appropriate technical and organisational measures, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing, and the risks to data subjects. Where appropriate, this includes in particular:

  • Transport security (TLS) for IMAP/SMTP/API where possible
  • Access control and least-privilege principles
  • Logging, monitoring, and measures against unauthorised access
  • Encryption of data at rest where available within the chosen infrastructure

No method of transmission or storage is 100% secure; the Processor strives to implement measures appropriate to the risk profile.

10. Personal data breaches

The Processor shall notify the Controller of a personal data breach without undue delay after becoming aware of it, providing relevant information to the extent available (nature of the incident, affected data, and measures taken or proposed).

11. Rights of data subjects

The Processor supports the Controller in handling requests from data subjects (such as access, rectification, erasure, restriction, data portability, and objection) insofar as reasonably possible and appropriate within the Service, and to the extent the Processor is legally required to do so.

12. International transfers

If (sub-)processing takes place outside the EU/EEA, the Processor shall ensure appropriate safeguards, such as the Standard Contractual Clauses (SCCs), and additional measures where necessary.

13. Audit and inspection

The Controller has the right, upon reasonable prior notice and within reasonable limits, to verify compliance with this DPA. Audits shall be conducted in a manner that does not unreasonably disrupt the Processor’s services.

14. Liability and terms

To the extent permitted by applicable law, the liability of the Processor is further limited in accordance with the General Terms and Conditions of NexReply. In the event of any conflict between this DPA and the General Terms and Conditions, the provisions designated by the Parties in writing as prevailing shall apply, or, failing such designation, the provisions of the agreement between the Parties.

15. Term and termination

This DPA remains in effect for as long as the Processor processes personal data for the Controller in connection with the Service. Upon termination of the Service, the Processor shall delete or anonymise personal data in accordance with Article 8, unless statutory obligations require otherwise.

16. Final provisions

  • This DPA is governed by Dutch law.
  • Disputes shall be submitted to the competent court in the Netherlands.
  • This DPA may be accepted electronically (e.g. via intake form or dashboard).

Contact

Questions about this DPA? Email privacy@nexreply.nl.