Data Processing Addendum
Last updated: June 2, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service between Reliancy, Inc. ("Processor," "Reliancy," "we") and the business entity that accepts it ("Controller," "Customer," "you"). It applies when Reliancy processes Personal Data on your behalf in connection with a Hosted Service or other Offering where we act as a processor (or subprocessor) under applicable data protection law.
If this DPA conflicts with the Terms regarding processing of Personal Data, this DPA controls for that subject matter.
1. Definitions
- "Personal Data" means information relating to an identified or identifiable individual that Controller provides to Reliancy or that Reliancy processes on Controller's behalf under the Terms.
- "Applicable Law" means GDPR, UK GDPR, and other data protection laws that apply to the processing.
- "Subprocessor" means a third party engaged by Reliancy to process Personal Data.
Capitalized terms not defined here have the meanings in the Terms.
2. Roles and Scope
2.1 Controller determines the purposes and means of processing Personal Data in its tenant, accounts, and content.
2.2 Processor processes Personal Data only on documented instructions from Controller (the Terms, this DPA, Order, and configuration within the Application), unless required by law—in which case Processor will inform Controller unless prohibited.
2.3 This DPA does not apply where Reliancy acts as an independent controller (for example, account billing with Reliancy, marketing to business contacts, or product analytics described in the Privacy Policy).
3. Processing Details
- Subject matter: Provision of the Application and related support
- Duration: Subscription Term plus retention periods in the Terms and Section 8
- Nature and purpose: Hosting, storage, backup, support, security monitoring, and operation of the Offering
- Categories of data subjects: Controller's employees, contractors, and end users authorized by Controller
- Types of Personal Data: Names, business contact details, user IDs, authentication data, usage logs, and content Controller chooses to store in the Application
Controller may provide additional detail in an Order or data inventory request.
4. Processor Obligations
Reliancy will:
- process Personal Data only on Controller's instructions as described in Section 3;
- ensure personnel with access are bound by confidentiality;
- implement appropriate technical and organizational security measures (Section 6);
- engage Subprocessors under Section 5;
- assist Controller with data subject requests, DPIAs, and consultations with supervisory authorities, where applicable, taking into account the nature of processing and information available to us;
- notify Controller without undue delay after becoming aware of a Personal Data breach affecting Controller's Personal Data;
- delete or return Personal Data per Section 8, subject to backup retention cycles.
5. Subprocessors
5.1 Controller authorizes Reliancy to use Subprocessors, including Microsoft Azure and providers for email, monitoring, and support tools.
5.2 Reliancy will impose data protection terms on Subprocessors substantially similar to this DPA.
5.3 A list of Subprocessors is available on request at info@reliancy.com. We will notify Controller of intended additions of Subprocessors that materially affect processing where required by Applicable Law, allowing objection on reasonable grounds relating to data protection.
6. Security
Reliancy maintains measures appropriate to risk, including access controls, encryption in transit for Hosted Services, logging, and vulnerability management. No system is perfectly secure. Controller is responsible for configuring roles, credentials, and integrations in the Application.
7. International Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, Reliancy will use Standard Contractual Clauses (or successor mechanisms) and supplementary measures as required. Controller may request copies of applicable transfer terms at info@reliancy.com.
8. Return and Deletion
Upon termination of the Hosted Service, Reliancy will make Personal Data available for export for thirty (30) days as described in the Terms, then delete production copies within a commercially reasonable period, except data retained in encrypted backups or logs on ordinary rotation schedules.
9. Audits
Upon reasonable written request no more than once per year (unless required by a supervisory authority), Controller may request information necessary to demonstrate compliance with this DPA. Reliancy may satisfy requests through third-party audit reports or security summaries where available.
10. Liability
Liability arising from this DPA is subject to the limitations and exclusions in the Terms, except where prohibited by Applicable Law.
11. Term
This DPA applies for the duration of processing and survives termination until Personal Data is deleted per Section 8.
Contact: Reliancy, Inc. — info@reliancy.com
Related documents: Terms of Service · Privacy Policy · Service Level Agreement