Replista Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written or electronic agreement between BIT Inc. (株式会社ビーアイティー) ("Replista," "we," "us," or "our") and the customer who has executed such agreement ("Customer" or "you") for the provision of the Replista services (the "Agreement").
This DPA applies to the extent that Replista processes Personal Data on behalf of the Customer as a Processor in the course of providing the Services. This DPA shall be effective for the term of the Agreement.
1. Definitions
1.1. For the purposes of this DPA, the capitalized terms below shall have the following meanings. All other capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
- "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, but not limited to, the GDPR, the UK GDPR, the Swiss FADP, and the CCPA/CPRA.
- "CCPA/CPRA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
- "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," and "Processing" shall have the meanings given to them in the GDPR.
- "Customer Data" means the Personal Data that Replista Processes on behalf of the Customer in connection with the provision of the Services.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- "SCCs" means the Standard Contractual Clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner.
2. Roles and Responsibilities
2.1. Parties' Roles. The parties acknowledge and agree that with regard to the Processing of Customer Data, the Customer is the Controller and Replista is the Processor.
2.2. Customer's Obligations. The Customer is solely responsible for the lawfulness of the Processing of Customer Data, including providing all necessary notices and obtaining all necessary consents from Data Subjects. The Customer warrants that its instructions to Replista will comply with Applicable Data Protection Laws.
2.3. Replista's Obligations. Replista will process Customer Data only in accordance with the Customer's documented lawful instructions, as set forth in this DPA and the Agreement, unless required to do so by applicable law.
3. Details of Processing
The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are as set out in Annex 1 to this DPA.
4. Security of Processing
Replista shall implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex 2.
5. Sub-processing
5.1. Authorization. The Customer provides a general written authorization for Replista to engage Sub-processors to process Customer Data. The current list of Replista's Sub-processors is set out in Annex 3.
5.2. New Sub-processors. Replista will notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Customer the opportunity to object. If the Customer has a reasonable basis to object to a new Sub-processor, the parties will work together in good faith to find a mutually acceptable resolution.
5.3. Sub-processor Obligations. Replista will enter into a written agreement with each Sub-processor imposing data protection obligations that are at least as protective as those in this DPA.
6. Data Subject Rights
Taking into account the nature of the Processing, Replista will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Applicable Data Protection Laws.
7. Personal Data Breaches
Replista will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Replista will provide the Customer with sufficient information to allow the Customer to meet any reporting obligations under Applicable Data Protection Laws.
8. International Data Transfers
8.1. Replista may transfer and process Customer Data globally where Replista or its Sub-processors maintain data processing operations.
8.2. To the extent that the transfer of Customer Data from the European Economic Area (EEA), the UK, or Switzerland to a third country not recognized as providing an adequate level of data protection is required, such transfer shall be governed by the SCCs.
8.3. By entering into this DPA, the parties are deemed to have signed the SCCs, which are incorporated by reference, with the Customer as the "data exporter" and Replista as the "data importer."
8.4. For transfers from the UK, the UK Addendum shall apply and is incorporated by reference. For transfers from Switzerland, Swiss-specific amendments to the SCCs shall apply.
9. Audits and Records
Replista will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, upon reasonable prior notice and subject to confidentiality obligations.
10. Return and Deletion of Data
Upon termination of the Agreement, Replista will, at the Customer's choice, delete or return all Customer Data, unless applicable law requires storage of the Personal Data.
11. CCPA / CPRA Provisions
To the extent the CCPA/CPRA applies, Replista will act as a "Service Provider." Replista will not (a) sell or share Customer Data; (b) retain, use, or disclose Customer Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement; or (c) combine Customer Data with personal information that it receives from, or on behalf of, another person.
12. General Terms
This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws. In case of any conflict, this DPA shall prevail over the Agreement on matters of data protection.
Annex 1: Details of Processing
A. List of Parties
Data Exporter (Controller): The Customer, as defined in the Replista Agreement.
Data Importer (Processor): BIT Inc., the provider of the Replista service.
B. Description of Transfer
- Data Subjects: The end-users who interact with the Customer's Instagram account(s) managed through the Service.
- Categories of Personal Data:
  - Profile Data: Instagram username, full name (if public), profile picture, user ID.
  - Communications Data: The content of messages exchanged between the end-user and the Customer, including text, images, videos, links, and other media.
  - Technical Data: IP addresses, device identifiers, cookies, timestamps, and other metadata generated during the use of the Service.
  - Special Categories of Data (if applicable): The Service is not intended for the Processing of special categories of Personal Data. The Customer is responsible for ensuring no such data is submitted to the Service.
- Nature and Purpose of the Processing: The Processing is performed to provide the Customer with an AI-powered chatbot service for managing Instagram communications, including automated responses, message analytics, and contact management, as instructed by the Customer. The Processing will continue for the duration of the Agreement.
Annex 2: Technical and Organizational Security Measures
Replista implements and maintains the following measures to ensure a level of security appropriate to the risk:
- Encryption of Personal Data: All Customer Data is encrypted in transit using industry-standard protocols (TLS 1.2 or higher) and at rest using advanced encryption standards (AES-256) provided by our cloud infrastructure provider.
- Access Control:
  - Access to Personal Data is restricted on a strict need-to-know basis to authorized personnel only.
  - Multi-Factor Authentication (MFA) is enforced for all access to production environments.
  - All access to systems is logged and monitored.
- Physical Security: Our infrastructure is hosted on Google Cloud Platform, which maintains state-of-the-art, certified physical security measures for its data centers.
- Resilience and Availability: Regular data backups and redundant infrastructure are in place to ensure business continuity and disaster recovery.
- Incident Management: A formal incident response plan is in place to detect, respond to, and report on security incidents in a timely manner.
- Personnel Security: All employees undergo background checks and are subject to strict confidentiality agreements. Regular security and data privacy training is mandatory for all personnel.
Annex 3: List of Sub-processors
The Customer authorizes Replista to use the following Sub-processors for the provision of the Service:
The Customer authorizes Replista to use the Sub-processors listed on our publicly available Service Providers page.
| Sub-processor | Purpose of Processing | Location (Data Center) |
|---|---|---|
| Google LLC | Cloud infrastructure, database, authentication, and data storage (via Google Cloud Platform and Firebase). | United States, Global |
| Meta Platforms, Inc. | Integration with the Instagram messaging platform via the Instagram Graph API. | United States, Global |
| Slack Technologies, LLC | Internal and external communication platform for service notifications and support. | United States, Global |
| Google LLC (Gemini, Vertex AI) | Provision of AI language models for generating automated responses. | United States, Global |
(Last Updated: December 28th, 2024)
Contact Us
If you have any questions about this Data Processing Addendum, please contact us at:
BIT Inc. (株式会社ビーアイティー)
Email: support-replista@bit-sys.co.jp