Reapita

Last updated: May 24, 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Merchant," the "Controller") and Reapita, Inc. ("Reapita," the "Processor") and applies to the extent that Reapita processes personal data on behalf of the Merchant in connection with the service. Capitalized terms not defined here have the meanings given in the Terms.

1. Definitions

"Data Protection Laws" means all laws and regulations applicable to the processing of personal data, including the GDPR, the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the California Privacy Rights Act. "Personal Data," "Processing," "Controller," "Processor," and "Data Subject" have the meanings given in the GDPR. "Subscriber Personal Data" means Personal Data relating to the Merchant's end customers (the subscribers) that Reapita processes on the Merchant's behalf in providing the service; the categories are listed in Sections 4 and 5.

2. Roles

For the Subscriber Personal Data processed under this DPA, the Merchant is the Controller and Reapita is the Processor. The Merchant is responsible for the legal basis for processing and for obtaining all necessary consents from Data Subjects.

3. Scope and purpose

Reapita processes Subscriber Personal Data solely to provide the service described in the Terms — recurring billing, customer-portal operation, retention flows, dunning, analytics, and migration. Reapita does not process Subscriber Personal Data for any other purpose, including its own marketing.

4. Categories of data

  • Identification — name, email, phone (if collected by Merchant).
  • Contact — shipping and billing addresses.
  • Subscription — products, cadence, dates, totals.
  • Payment-method reference — Shopify Vault ID only; no card data.
  • Behavior — portal interactions, cancellation reasons, dunning outcomes.

5. Categories of Data Subjects

The Merchant's end customers (the subscribers).

6. Duration

For the lifetime of the Merchant's use of the service, plus a 30-day post-termination retention window before deletion, except where law requires longer retention.

7. Reapita's obligations

  • Process Subscriber Personal Data only on the Merchant's documented instructions, including with regard to international transfers, unless required by law.
  • Ensure that personnel authorized to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures (see Annex A below) to protect the data.
  • Engage Subprocessors only as permitted under Section 8 of this DPA.
  • Assist the Merchant in responding to Data Subject requests, in notifying personal-data breaches, and in conducting data-protection impact assessments.
  • Make available all information necessary to demonstrate compliance, and allow for audits as set out in Section 10.

8. Subprocessors

The Merchant grants Reapita general authorization to engage Subprocessors. Reapita publishes the current list of Subprocessors and will notify Merchants of intended changes with at least 30 days' notice, during which the Merchant may object on reasonable data-protection grounds. Current Subprocessors include AWS (hosting), Cloudflare (CDN and edge functions), Resend (transactional email), Sentry (error monitoring), and PostHog (product analytics). All Subprocessors are bound to data-protection terms no less protective than those in this DPA.

9. International transfers

For transfers of Subscriber Personal Data out of the EEA, UK, or Switzerland, the parties enter into the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or the Swiss equivalent as applicable (see Annex B). Reapita also maintains a certification under the EU-U.S. Data Privacy Framework, including the UK Extension and the Swiss-U.S. Data Privacy Framework, for transfers to the United States that fall within its scope.

10. Audits

Reapita undergoes annual third-party SOC 2 Type II audits and will make the resulting report available to the Merchant under NDA. The Merchant may, on reasonable advance written notice and no more than once per calendar year, conduct an additional audit limited to Reapita's compliance with this DPA. The Merchant bears the cost of any such Merchant-initiated audit unless it reveals material non-compliance.

11. Breach notification

Reapita will notify the Merchant without undue delay, and in any event within 72 hours, of becoming aware of a personal-data breach involving Subscriber Personal Data. The notification will include, to the extent known at the time and supplemented as further information becomes available, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it, so that the Merchant can meet its own notification obligations under Data Protection Laws.

12. Return or deletion of data

On termination of the Terms, Reapita will, at the Merchant's choice, return or delete all Subscriber Personal Data within the 30-day post-termination window described in Section 6, except where Reapita is required by law to retain a copy. See the Privacy Policy for retention specifics.

13. Liability

The parties' liability under this DPA is subject to the limitations of liability in the Terms, except where applicable law prohibits such limitation.

14. Order of precedence

In the event of conflict between this DPA and the Terms, this DPA prevails with respect to the processing of Subscriber Personal Data.


Annex A — Technical and organizational measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls with the principle of least privilege; quarterly access reviews.
  • Hardware-backed MFA on all production access.
  • Continuous logging of administrative actions; 90-day audit log retention.
  • Annual third-party penetration testing.
  • Documented incident-response runbooks; quarterly tabletop exercises.
  • Background checks on personnel with production access.
  • Documented business-continuity and disaster-recovery plans; RTO 4h, RPO 1h.

Annex B — Standard Contractual Clauses

The EU Standard Contractual Clauses (Module Two: controller to processor) approved by the European Commission in Commission Implementing Decision (EU) 2021/914 are incorporated by reference and deemed signed by both parties on the effective date of the Terms. The UK International Data Transfer Addendum is incorporated for UK transfers; the Swiss FDPIC supplementary terms apply for Swiss transfers.

Contact

Data-protection questions: [email protected].