Data Processing Agreement

This Data Processing Agreement (“DPA”) amends and forms part of the Replit Terms & Conditions (the “Agreement”) between Replit, Inc. (“Company”) and you (“Customer”). This DPA prevails over any conflicting term of the Agreement.

  1. Definitions
    1. In this DPA:
      1. “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in applicable Data Protection Law;
      2. “Customer Personal Data” means any Customer Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Company to provide the Services;
      3. “Data Protection Law” means all applicable laws and regulations in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Customer Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), and the United Kingdom Data Protection Act of 2018, as such laws may be amended from time to time. For the avoidance of doubt, if Company’s Processing activities involving Customer Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
      4. “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
      5. “International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
      6. “Services” means the services provided by Company to Customer under the Agreement;
      7. “Subprocessor” means a Processor engaged by Company to Process Customer Personal Data; and
      8. “Standard Contractual Clauses” means the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18).
  2. Scope and applicability
    1. This DPA applies to Processing of Customer Personal Data by Company to provide the Services. The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 1.
    2. Customer is a Controller and appoints Company as a Processor on behalf of Customer with respect to the Personal Data provided by Customer to Company to perform the Services on Customer’s behalf. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
  3. Instructions
    1. Company will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions. The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.
    2. Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.
    3. Company will not sell Customer Personal Data or otherwise Process Customer Personal Data for any purpose other than for the specific purposes set forth herein. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
  4. Personnel
    1. Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
  5. Security and Personal Data Breaches
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2.
    2. Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.
  6. Subprocessing
    1. Customer hereby authorizes Company to engage Subprocessors. A list of Company’s current Subprocessors is available at https://repl.it/site/subprocessors.
    2. Company will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law. If Company processes Customer Personal Data of residents in the European Economic Area (EEA), United Kingdom, or Switzerland on Customer’s behalf, Company will notify Customer prior to any intended change to Subprocessors. In such circumstances, Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection.
  7. Assistance
    1. Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under applicable Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
  8. Audit
    1. Company will make available to Customer required information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Customer by at least sixty (60) days’ notice, and no more than once per calendar year, and performed by an independent auditor as agreed upon by Customer and Company. Any such audit must be conducted during Company’s business hours, without disruption to Company’s operations, and in compliance with Company’s confidentiality obligations.
    2. Company will inform Customer if Company believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection, or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
  9. International Data Transfers
    1. This section 9 on “International Data Transfers” and its subparts applies only to the extent that Company processes Customer Personal Data of residents in the European Economic Area (EEA), United Kingdom, or Switzerland on Customer’s behalf.
    2. Customer hereby authorizes Company to perform International Data Transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 9.3.
    3. By signing this DPA, Customer and Company conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the country in which Customer is established; Appendix 1 and Appendix 2 to the Standard Contractual Clauses, are Appendix 1 and 2 to this DPA respectively; and the optional indemnification clause is struck.

9.4 Company hereby represents and warrants that (a) it is not and will not be in breach of any provision of the Standard Contractual Clauses as referred to in Section 9.3 above; and (b) it has not been declared by a court of competent jurisdiction to be subject to the U.S. Foreign Intelligence Surveillance Act ("FISA") or Executive Order 12333 ("EO"), and nor has it received any requests under Section 702 or, to the best of its knowledge, been subject to any action under the EO. If Company receives any future requests discussed in this paragraph during the terms of this DPA, Company commits to taking reasonable steps to challenge such requests and/or seek judicial redress. If following such steps Company is still ordered to comply with such a request, and where Company is prohibited by applicable law from disclosing the receipt of such a request, Company shall inform Customer that Company can no longer comply with Customer’s processing instructions without providing details as to why, so that Customer can terminate the Processing.

9.5 All authorizations of International Data Transfers in this Section 9 are expressly conditioned upon Company’s ongoing compliance with the requirements of Data Protection Law applicable to International Data Transfers, and any applicable legal instrument for International Data Transfers. If such compliance is affected by circumstances outside of Company’s control, including circumstances affecting the validity of an applicable legal instrument, Company and Customer will work together in good faith to reasonably resolve such non-compliance.

  10. Notifications
    1. All notices made under this DPA shall be made to Customer via email at the email Customer has used to sign up.
  11. Termination and return or deletion
    1. This DPA is terminated upon the termination of the Agreement. Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.

Appendix 1

Description of the Processing

  1. Data Subjects

The Customer Personal Data Processed concern the following categories of Data Subjects (please specify): Paid customers of Replit and Replit users.

  2. Categories of Customer Personal Data

The Customer Personal Data Processed concerns the following categories of data (please specify): Any Personal Data processed by Replit on behalf of Customer in connection with providing the Services, including contact information, usage information, profile information, and user-generated content.

  3. Sensitive data

The Customer Personal Data Processed concern the following special categories of data (please specify): N/A

  4. Processing operations

The Customer Personal Data will be subject to the following basic Processing activities (please specify): Replit will Process the Customer Personal Data for purposes of providing Services pursuant to the Agreement and this DPA.

Appendix 2

Security Measures

Company will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:

Company’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Data (“Data Personnel”). Company’s security requirements cover the following areas:

a. Information Security Policies and Standards. Company will maintain information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.

b. Physical Security. Company will maintain commercially reasonable security systems at all Company sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.

c. Organizational Security. Company will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.

d. Network Security. Company maintains commercially reasonable information security policies and procedures addressing network security.

e. Access Control. Company agrees that: (1) only authorized Company staff can grant, modify or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.

f. Virus and Malware Controls. Company protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.

g. Personnel. Company has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.

h. Subcontractor security. Company shall only select and contract with subcontractors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in the Addendum and this Appendix.

i. Business Continuity. Company implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Company also adjusts its Information Security Program in light of new laws and circumstances, including as Company’s business and Processing change.