Data Processing Agreement

How Reputacion processes personal data on behalf of its customers, in accordance with Article 28 GDPR.

Last updated: 2 July 2026

Definitions and roles

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between Reputacion (the "Processor") and the customer (the "Controller"). It governs the processing of personal data carried out by Reputacion on behalf of the Controller under Article 28 GDPR. The terms "personal data", "processing", "data subject", "controller" and "processor" have the meaning given to them in the GDPR.

Purpose, nature and duration

Reputacion processes personal data solely to provide the Reputacion services: collecting, displaying and managing customer reviews, sending review-request campaigns by email and SMS, and related analytics. Processing lasts for the duration of the customer's subscription plus any legally required retention period.

Categories of data and data subjects

The categories of personal data processed include:

  • Identification data (name, email address, phone number)
  • Review content and ratings submitted by data subjects
  • Campaign engagement data (opens, clicks, responses)
  • Technical data (IP address, device, browser) collected by the widget and the platform

Data subjects are the Controller's customers and prospects, as well as the Controller's staff who use the platform.

Documented instructions

Reputacion processes personal data only on the Controller's documented instructions, including those set out in this DPA and the platform configuration, unless required otherwise by Union or Member State law. Reputacion informs the Controller if it considers that an instruction infringes data protection law.

Confidentiality

Reputacion ensures that persons authorised to process personal data are bound by confidentiality obligations and receive appropriate data protection training.

Security measures

Reputacion implements appropriate technical and organisational measures under Article 32 GDPR, including encryption in transit (HTTPS/TLS), access controls, hosting with certified providers, regular backups and monitoring, to ensure a level of security appropriate to the risk.

Sub-processors

The Controller authorises Reputacion to engage the sub-processors listed below. Reputacion imposes on each of them data protection obligations equivalent to those set out in this DPA and remains liable for their performance. Reputacion will inform the Controller of any intended change of sub-processors, giving it the opportunity to object.

OVH SAS (France) — Server and database hosting
Stripe Inc. (United States, Standard Contractual Clauses) — Payment processing
Brevo (France) — Transactional and campaign email delivery
Twilio Inc. (United States, Standard Contractual Clauses) — SMS delivery
Sentry (United States, Standard Contractual Clauses) — Error tracking and monitoring
Google LLC (United States, Standard Contractual Clauses) — Google Business Profile API
OpenAI, L.L.C. (United States, Standard Contractual Clauses) — AI-assisted review response generation and sentiment analysis
Anthropic, PBC (United States, Standard Contractual Clauses) — Editorial (SEO) content generation
DataForSEO LLC (United States, Standard Contractual Clauses) — Search ranking and local visibility tracking
Meta Platforms, Inc. (United States, Standard Contractual Clauses) — Facebook and Instagram messaging

International transfers

Where personal data is transferred outside the EU/EEA, Reputacion ensures an adequate level of protection through appropriate safeguards under Chapter V GDPR, in particular the European Commission's Standard Contractual Clauses (SCCs).

Assistance to the controller

Taking into account the nature of the processing, Reputacion assists the Controller with appropriate measures in responding to data-subject requests (access, rectification, erasure, portability, objection) and in ensuring compliance with its obligations under Articles 32 to 36 GDPR.

Personal data breaches

Reputacion notifies the Controller without undue delay after becoming aware of a personal data breach and provides the information the Controller needs to meet its own notification obligations.

Return and deletion of data

Upon termination of the services, Reputacion will, at the Controller's choice, delete or return all personal data processed on its behalf and delete existing copies, unless Union or Member State law requires storage.

Audits and inspections

Reputacion makes available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice and confidentiality.

Contact

For any question relating to this DPA or the processing of personal data, contact our Data Protection Officer:

Email: privacy@reputacion.io

Address: Reputacion SAS, 31 rue du Chanoine Boulanger, 54220 Malzéville (Nancy), France

Reputacion

The all-in-one platform to collect, manage and display your customer reviews. Turn your testimonials into a powerful marketing tool.

Company

© 2026 Reputacion. All rights reserved.