Data processing addendum
For business and agency customers who process other people's personal data through Repic. It sets out the terms on which Repic acts as your processor, and works alongside the privacy policy that governs the data Repic controls in its own right.
In plain terms
- This addendum is for business and agency customers who process other people's personal data through Repic.
- For that data you are the controller and Repic is your processor; for our own account and usage data we are an independent controller.
- You must have a lawful basis and every consent needed for the data you upload - especially any voice, face, or likeness of other people.
- Repic processes your data only on your instructions, protects it, helps with data-subject requests, and tells you without undue delay if there is a breach.
- Our sub-processors are listed on the sub-processors page; we give notice before adding new ones.
Scope and roles
This Data Processing Addendum ("DPA") forms part of the terms of service between [Repic Legal Entity Name] ("Repic", "we", "us") and the customer that accepts them ("Customer", "you"). It applies whenever Repic processes personal data on your behalf as part of providing the Service - most often when you are an agency or business and you upload or generate data about your own clients, staff, or other third parties ("Customer Personal Data").
For that Customer Personal Data, you are the controller and Repic is your processor. Separately, Repic is an independent controller for the account, billing, security, and usage data it processes to run and improve the Service and its own business; that processing is governed by our privacy policy, not this DPA. Where this DPA and the Terms conflict on a data-protection matter, this DPA prevails (see section 13).
Definitions
Terms used in this DPA have the meanings given by the data-protection laws that apply to the processing. In particular:
- Data Protection Law: all data-protection and privacy laws that apply to the processing under this DPA, which may include the EU GDPR, the UK GDPR, Pakistan's data-protection law as enacted, and US state privacy laws.
- Controller, processor, processing, personal data, special category data, data subject, and personal data breach: have the meanings given in the GDPR, applied to the equivalent concepts under any other Data Protection Law.
- Customer Personal Data: personal data that Repic processes on the Customer's behalf under the Terms and this DPA.
- Sub-processor: any third party engaged by Repic to process Customer Personal Data.
- Standard Contractual Clauses (SCCs): the clauses approved for transfers of personal data to third countries, including the UK International Data Transfer Addendum where relevant.
Details of processing
- Subject-matter: Repic's provision of the Service to the Customer under the Terms.
- Duration: the term of the Terms, plus the deletion or return period described in section 11.
- Nature and purpose: hosting, storage, generation, transcription, analysis, and related processing carried out to provide the Service and the features the Customer chooses to use, on the Customer's instructions.
- Types of personal data: identity and contact data; brand and profile data; the content, files, and media the Customer uploads or generates; and any personal data contained in those inputs, which may include voice recordings, photographs and likeness, and - only if the Customer chooses to submit it - biometric data.
- Categories of data subjects: the Customer's own clients, customers, employees, and contractors, and any other individuals whose personal data the Customer submits, including people depicted or heard in uploaded media.
Repic is built for you to work with your own brand and your own people. You must not upload or submit other people's biometric data (such as voiceprints or faceprints) or their voice, face, or likeness without a lawful basis and the specific consent the law requires - see section 4 and the biometric and likeness policy.
Customer instructions and obligations
Repic processes Customer Personal Data only on your documented instructions, including the instructions expressed through the way you configure and use the Service and its features. We will also process where the law requires it, and if that happens we will tell you first unless the law forbids it. Your use of the Service is your instruction to us to process Customer Personal Data as needed to provide it.
You are responsible for the personal data you put into Repic. You confirm that you have a lawful basis and all the rights, consents, and notices needed to submit that data and to have Repic process it on your behalf - and, in particular, that you have obtained the necessary consent for any voice, face, likeness, or other biometric data of third parties. You will not instruct us to process personal data in a way that breaks Data Protection Law, and you will keep your data and instructions accurate and lawful. The acceptable use policy applies to this data too.
If you upload voice, face, likeness, or other biometric data about anyone other than yourself, you must already have a lawful basis and that person's consent to do so. Repic relies on this, and you are responsible for it.
Confidentiality
Repic ensures that the people it authorises to process Customer Personal Data are bound by a duty of confidentiality, and it limits access to those who need it to provide or support the Service, on a least-privilege basis.
Security measures
Repic maintains technical and organisational measures designed to protect Customer Personal Data appropriately to the risk. Today these include encryption of data in transit, access controls and least-privilege access, keeping the key that makes a cloned voice usable on our servers only, and separation between customers' data. We are committed to strengthening these measures as the Service grows - including expanding encryption at rest and logging of internal access to customer media - and to keeping them appropriate to the nature of the data being processed.
The specific measures may evolve as technology and threats change, but Repic will not make changes that materially reduce the overall protection of Customer Personal Data during the term.
Sub-processors
You authorise Repic to engage the sub-processors listed on our sub-processors page to process Customer Personal Data in order to provide the Service. Repic imposes data-protection obligations on each sub-processor that are no less protective than this DPA, and remains responsible to you for how they process Customer Personal Data.
Before adding or replacing a sub-processor, Repic will give notice - by updating the sub-processors page or by email where you have subscribed to updates. You may object on reasonable data-protection grounds within [30 days] of the notice; we will work with you in good faith to address the concern, and if we cannot, you may stop using the affected part of the Service or terminate it.
International transfers
Providing the Service may involve processing Customer Personal Data in countries other than your own - for example in the cloud regions of our infrastructure and AI providers - including transfers out of the EEA, the UK, or Pakistan. Where such a transfer needs a safeguard under Data Protection Law, Repic relies on an appropriate mechanism, such as the European Commission's Standard Contractual Clauses together with the UK International Data Transfer Addendum where relevant, or another lawful transfer mechanism, which are incorporated into this DPA by reference where they apply. The destinations tied to each provider are described on the sub-processors page.
Assistance with data-subject requests
Taking into account the nature of the processing, Repic will assist you by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from data subjects exercising their rights - such as access, rectification, erasure, restriction, portability, and objection. If a data subject sends such a request about Customer Personal Data directly to Repic, we will not respond to its substance ourselves; we will forward it to you without undue delay so that you, as controller, can handle it.
Personal-data breach notification
If Repic becomes aware of a personal data breach affecting Customer Personal Data, it will notify you without undue delay. The notice will include the information reasonably available to us to help you meet your own obligations to regulators and data subjects, and we will take reasonable steps to contain and mitigate the breach. This concerns breaches of Customer Personal Data processed on your behalf; breaches of the data Repic controls are handled under our privacy policy.
Deletion or return of data
On expiry or termination of the Terms, and at your choice, Repic will delete or return the Customer Personal Data it processes on your behalf, and delete existing copies, unless the law requires us to keep it. You can also ask us during the term to delete or return specific Customer Personal Data.
We honour deletion and return requests as a commitment, and we are building self-serve export and deletion controls so this becomes something you can do directly. Until those controls are live, contact privacy@repic.site and we will action your request within [30 days] or another period we agree with you. Our general retention approach is described in the privacy policy.
Audit and information
Repic will make available to you the information reasonably necessary to demonstrate its compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint. To keep this workable and to protect other customers, audits take place on reasonable prior notice, no more than [once a year] except where a regulator or a genuine incident requires otherwise, subject to confidentiality; Repic may satisfy an audit request by providing relevant certifications, reports, or documentation where these are available.
Liability and order of precedence
This DPA is part of and governed by the Terms. For matters concerning the processing of Customer Personal Data, this DPA prevails over the rest of the Terms and any other agreement between us if they conflict. Each party's liability under this DPA is subject to the exclusions and the limits on liability set out in the terms of service - including any aggregate cap - to the maximum extent the law allows.
Contact
For anything about this DPA or the data Repic processes on your behalf, write to privacy@repic.site (a dedicated alias may be set up in due course), or to [Repic Legal Entity Name] at [Registered Business Address, Pakistan]. Business and agency customers who need a signed or counter-signed copy of this DPA can request one at the same address. This DPA is governed by the laws of the Islamic Republic of Pakistan, without affecting the mandatory data-protection rights that apply to you or your data subjects elsewhere.