Legal
Data Processing Addendum
Last updated 17 June 2026
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between Wondertabs Pte. Ltd. (UEN 202037320G), a company incorporated in Singapore (“Wondertabs”, “we”, “us”), and the business that has accepted the Agreement (the “Customer”) for use of ReplyArc (the “Service”). It is automatically incorporated into the Agreement for all Customers and takes effect when the Customer first accepts the Agreement or first uses the Service. No separate signature is required; on request we will countersign a copy, including the Standard Contractual Clauses described in Section 13.
1. Definitions
1.1 “Customer Data” means personal data that the Customer submits to the Service or that the Service collects on the Customer's behalf, including End User conversation data, captured contact details, website visit data, and personal data contained in content the Customer uploads (such as knowledge-base documents and crawled pages).
1.2 “End User” means an individual who interacts with the Customer through the Service - chiefly visitors to the Customer's websites who use the embedded chat widget, and individuals who message the Customer through messaging channels the Customer connects to the Service.
1.3 “Data Protection Laws” means all data protection and privacy laws applicable to the processing of Customer Data under the Agreement, including, as applicable: the Singapore Personal Data Protection Act 2012 (“PDPA”); Regulation (EU) 2016/679 (“GDPR”) and the GDPR as incorporated into United Kingdom law (“UK GDPR”); and US state privacy laws including the California Consumer Privacy Act as amended (“CCPA”).
1.4 “Sub-processor” means a third party engaged by Wondertabs to process Customer Data in order to provide the Service.
1.5 “SCCs” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914, and “UK Addendum” means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner (version B1.0), each as amended or replaced from time to time.
1.6 “Personal data”, “processing”, “controller”, “processor”, “personal data breach” and similar terms have the meanings given in the GDPR; under the PDPA, “controller” is read as “organisation” and “processor” as “data intermediary”; under the CCPA, “controller” is read as “business” and “processor” as “service provider”.
2. Parties and roles
2.1 For Customer Data, the Customer is the controller and Wondertabs is the processor. The Customer is the organisation under the PDPA and the business under the CCPA in respect of End User personal data; Wondertabs processes that data as the Customer's data intermediary (PDPA), processor (GDPR/UK GDPR) and service provider (CCPA), solely on the Customer's behalf and instructions. Where the Customer is itself a processor for a third-party controller, the Customer warrants that its instructions to Wondertabs are authorised by that controller, and Wondertabs acts as the Customer's sub-processor.
2.2 Wondertabs is an independent controller - not the Customer's processor - for the limited data it processes for its own purposes: Customer account and authentication data, billing records, support communications, security and abuse-prevention telemetry (audit logs, rate-limit and usage-guardrail counters), service usage statistics, aggregated or de-identified data that no longer identifies any individual or Customer, and chats with its own demo and marketing-site assistant on replyarc.ai. That processing is described in the ReplyArc Privacy Policy, not this DPA.
2.3 This DPA is the written contract evidencing the processing relationship for the purposes of section 4(2) and 4(3) of the PDPA and constitutes the Customer's documented instructions for the purposes of Article 28 GDPR.
3. Subject matter, duration, nature and purpose
3.1 Subject matter: the processing of Customer Data needed to provide the Service - an AI chat agent embedded on the Customer's websites and connected channels, with human-takeover (live handoff), lead capture, a team inbox, and analytics for the Customer.
3.2 Duration: the term of the Agreement, plus the deletion period in Section 11.
3.3 Nature and purpose: hosting, storage, transmission, retrieval, display, AI assisted response generation, AI derived classification, scoring and summarisation (see the “AI derived data” category in Annex I), routing to human agents, lead capture, channel relay, analytics, deletion, and related technical support - in each case to provide and support the Service for the Customer. Annex I describes the processing in detail, including the categories of data subjects and personal data.
4. Customer instructions
4.1 Wondertabs will process Customer Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by a law to which Wondertabs is subject; in that case Wondertabs will inform the Customer of the legal requirement before processing, unless that law prohibits doing so on important grounds of public interest.
4.2 The Customer's documented instructions are: (a) this DPA and the Agreement; (b) the Customer's configuration and use of the Service through the dashboard, API and widget settings (agent behaviour, connected channels, retention settings, deletion actions, and exports or transmissions of Customer Data that the Customer's authorised users initiate - for example, emailing a conversation transcript to a recipient they designate); and (c) any further written instructions the parties agree. Wondertabs will inform the Customer without undue delay if, in its opinion, an instruction infringes Data Protection Laws, and may suspend the affected processing until the instruction is confirmed or changed.
4.3 As controller, the Customer is responsible for: (a) having a lawful basis (including any required consents) for the collection and processing of Customer Data; (b) providing End Users with the privacy notices required of it, including notice that chat is AI assisted and any cookie or tracking disclosures required for the widget on its sites; (c) the lawfulness of its own use of captured leads, including the Singapore Do Not Call provisions, the Spam Control Act, and equivalent marketing laws elsewhere; and (d) not configuring the Service to solicit special categories of personal data, government identifiers, or data of children, except where the Customer has its own lawful basis and has agreed this with Wondertabs in writing.
5. Confidentiality of authorised persons
5.1 Wondertabs ensures that every person it authorises to process Customer Data (including employees and contractors) is bound by a contractual or statutory duty of confidentiality, is given access only to the extent needed to operate, secure and support the Service, and processes Customer Data only as permitted by this DPA.
5.2 A limited number of Wondertabs platform staff may access Customer Data - including conversation content - under role-based access controls, solely to operate, secure and support the Service and to investigate abuse or policy violations. Cross-tenant content searches by platform staff are audit-logged, and support access to a Customer's workspace through impersonation is view-only and time-limited.
6. Security
6.1 Wondertabs implements and maintains appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as required by Article 32 GDPR and the PDPA Protection Obligation (section 24). The measures in place at the Last updated date are described in Annex II.
6.2 Wondertabs may update Annex II from time to time, provided the changes do not materially reduce the overall level of protection of Customer Data during the term of the Agreement.
7. Sub-processors
7.1 General authorisation. The Customer gives Wondertabs general written authorisation to engage Sub-processors to provide the Service. The Sub-processors engaged at the Last updated date are listed in Annex III and maintained on the ReplyArc sub-processor page at replyarc.ai/legal/subprocessors (the “Sub-processor Page”), which also describes how to subscribe to change notifications.
7.2 Notice of changes and objection right. Wondertabs will update the Sub-processor Page at least 30 days before a new or replacement Sub-processor processes Customer Data; that update constitutes notice to the Customer. Customers that subscribe to change notifications (as described on the Sub-processor Page) additionally receive the same notice by email at least 30 days in advance. The Customer may object on reasonable, data-protection-related grounds by writing to legal@replyarc.ai within 30 days of the notice; the parties will discuss in good faith, and if Wondertabs cannot offer a reasonable alternative within 30 days, the Customer may terminate the Agreement (or, where severable, the affected feature) as its sole remedy, with a pro-rata refund of any prepaid, unused fees. Where a Sub-processor must be replaced urgently for security or continuity reasons, Wondertabs may do so immediately and notify the Customer (by updating the Sub-processor Page and emailing subscribed Customers) without undue delay, with the same objection right.
7.2A Scope of the notice obligation. The 30-day prior-notice obligation in Section 7.2 applies to Sub-processors of Customer Data. It does not apply to third-party services that operate only on Wondertabs' own public websites - the marketing site and the sign-in and sign-up pages - where Wondertabs is the controller and no Customer Data is processed (for example, the Google Analytics and Contentsquare analytics on those public pages, described on the Sub-processor Page and in the Cookie Policy). Those services did not trigger the 30-day notice. The historical window of 15-17 June 2026, during which the Contentsquare tag briefly also ran in the signed-in dashboard, has been remediated by suppressing that tag in the dashboard.
7.3 Flow-down and liability. Wondertabs imposes on each Sub-processor, by written contract, data protection obligations that are materially no less protective than those in this DPA, including confidentiality, security, and (where the Sub-processor is outside Singapore or receives EU/UK data) the transfer safeguards in Section 13. Wondertabs remains fully liable to the Customer for the performance of each Sub-processor's obligations.
7.4 Customer AI provider. All AI features run on platform-managed AI: the AI model provider is engaged by Wondertabs under Wondertabs' own API keys and is a Sub-processor listed in Annex III. Wondertabs does not offer a bring-your-own-key option and does not store any AI provider API key belonging to the Customer.
8. Assistance with data subject requests
8.1 Taking into account the nature of the processing, Wondertabs will assist the Customer, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to requests by data subjects to exercise their rights under Data Protection Laws (including access, correction, erasure, restriction, portability and objection under GDPR Articles 12-23, access and correction under PDPA sections 21-22, and access, deletion, correction and opt-out requests under US state laws).
8.2 The Service provides self-serve tooling for this purpose: conversation search and transcript export in the inbox; per-data-subject export of captured contact details and the linked conversation transcripts (including any recorded consent timestamps); erasure performed as irreversible anonymisation - captured contact fields are cleared and linked message content is overwritten with an erasure marker; deletion of contact profiles (“forget me”); a log of data-subject requests and their fulfilment; and configurable automatic purging of transcripts and leads by age, enforced by a scheduled job. The Customer will use this tooling as its first recourse; Wondertabs will provide reasonable further assistance where it is insufficient.
8.3 If Wondertabs receives a request directly from an End User relating to Customer Data, it will not respond substantively (except to direct the individual to the Customer, or where legally required to respond) and will forward the request to the Customer without undue delay, and at the latest within 5 business days.
8.4 Wondertabs will also provide the Customer with the information reasonably needed for the Customer's own transparency obligations regarding the Service's AI features - including what data is sent to which AI model provider and for what purpose (Section 15.1) - so the Customer can make accurate disclosures to its End Users.
9. Assistance with security, impact assessments and consultations
9.1 Taking into account the nature of the processing and the information available to it, Wondertabs will provide reasonable assistance to the Customer with: (a) the Customer's security obligations under Article 32 GDPR and PDPA section 24; (b) data protection impact assessments (Article 35 GDPR) and prior consultations with supervisory authorities (Article 36 GDPR) that concern the Service; and (c) the Customer's breach-related obligations described in Section 10.
10. Personal data breach notification
10.1 Wondertabs will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Data. This is also Wondertabs' notification to the Customer for the purposes of PDPA section 26C(2) (data intermediary's duty to notify the organisation without undue delay).
10.2 The notification will, to the extent then known (and supplemented as information becomes available), describe: the nature of the breach; the categories and approximate numbers of data subjects and records concerned; the likely consequences; the measures taken or proposed to address the breach and mitigate its effects; and a contact point.
10.3 As controller, the Customer is responsible for assessing the breach and for any required notifications to regulators and individuals - including the PDPA Part 6A assessment and three-calendar-day notification to the PDPC for notifiable breaches, the 72-hour notification to supervisory authorities under Article 33 GDPR / UK GDPR, and notifications under US state laws. Wondertabs will cooperate in good faith, provide reasonable information and assistance for those assessments and notifications, and document the breach and its remediation. Wondertabs will not notify a regulator or data subjects on the Customer's behalf unless required by law.
10.4 Wondertabs' notification of, or response to, a breach is not an acknowledgement of fault or liability.
11. Deletion and return of Customer Data
11.1 During the term, the Customer controls retention: it may delete conversations, contacts and uploaded content through the Service at any time, and may enable automatic purging of transcripts and leads older than a number of days it sets, enforced by a scheduled job.
11.2 On termination or expiry of the Agreement, Wondertabs will, at the Customer's choice, return and/or delete Customer Data: (a) return - on written request made within 30 days after termination, Wondertabs will provide an export of Customer Data in a commonly used machine-readable format; and (b) deletion - Wondertabs will delete or irreversibly anonymise Customer Data from active systems within 30 days of the Customer's deletion instruction, and in any event within 90 days of termination, except to the extent a law applicable to Wondertabs requires continued storage - in which case Wondertabs will isolate and protect the retained data and process it only as that law requires.
11.3 Customer Data in encrypted backups leaves the backup set as backups expire in the ordinary course of the backup provider's rolling rotation schedule; backups are not used to restore deleted Customer Data except where restoration of the broader system is needed for disaster recovery, in which case the deletion obligations in this Section reapply to the restored data.
11.4 On written request, Wondertabs will confirm in writing that deletion under this Section has been completed.
12. Audits and information
12.1 Wondertabs will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. The Customer agrees to satisfy its audit and information needs first through: this DPA and its annexes, the Sub-processor Page, ReplyArc's security documentation, written responses to reasonable security and compliance questionnaires (no more than once per 12 months, unless a personal data breach affecting the Customer or a regulator's requirement justifies more), and available third-party audit reports or certifications of Wondertabs' Sub-processors.
12.2 Where Data Protection Laws give the Customer a mandatory audit right that the materials above do not satisfy, the Customer (or an independent, non-competitor auditor bound by confidentiality) may audit Wondertabs' compliance with this DPA, subject to: at least 30 days' written notice; scope and timing agreed in advance; at most one audit per 12 months (except after a personal data breach affecting the Customer or where a regulator requires it); conduct during business hours without disrupting operations; no access to other customers' data or to information that would compromise platform security; and the Customer bearing its own costs and Wondertabs' reasonable costs of any audit exceeding one business day. The same rights satisfy Clause 8.9 of the SCCs.
13. International transfers
13.1 Where processing happens. The Service's primary infrastructure is in Singapore: application hosting on Fly.io in Singapore (ap-southeast-1), with the primary database and authentication hosted in the Singapore region, as published on the Sub-processor Page. Certain Sub-processors process limited Customer Data outside Singapore, as set out in Annex III and on the Sub-processor Page.
13.2 PDPA undertaking. For any transfer of Customer Data outside Singapore, Wondertabs will comply with the PDPA Transfer Limitation Obligation (section 26) by ensuring the recipient is bound by legally enforceable obligations to provide the transferred data a standard of protection comparable to that under the PDPA.
13.3 EU transfers (SCCs). To the extent Customer Data is subject to the GDPR and its transfer to Wondertabs in Singapore (or onward to a Sub-processor) is a restricted transfer, the parties enter into the SCCs, incorporated into this DPA by reference and completed as follows: Module Two (controller to processor) applies where the Customer is a controller, Module Three (processor to processor) where the Customer is a processor; Clause 7 (docking clause) is included; under Clause 9, Option 2 (general written authorisation) applies with the 30-day notice period in Section 7.2; the optional language in Clause 11 is not used; under Clause 17, Option 1 applies and the SCCs are governed by the law of Ireland; under Clause 18, disputes are resolved before the courts of Ireland. Annexes I, II and III of the SCCs are completed by Annexes I, II and III of this DPA. The Customer is the data exporter; Wondertabs is the data importer.
13.4 UK transfers. To the extent Customer Data is subject to the UK GDPR, the SCCs as completed above apply as amended by the UK Addendum, which is incorporated by reference: Tables 1-3 of the UK Addendum are completed with the parties', transfer and security details in this DPA and its annexes, and for Table 4 either party may end the UK Addendum as set out in its Section 19. If the Information Commissioner issues a revised addendum or agreement, the parties will adopt it as required.
13.5 Successor clauses. If the European Commission or the UK Information Commissioner adopts new or revised standard clauses applicable to the transfers under this DPA (including clauses designed for importers directly subject to the GDPR), the parties will take the steps reasonably necessary to adopt them within a reasonable period, not exceeding any legally mandated deadline.
13.6 Government requests. If Wondertabs receives a legally binding request from a public authority for access to Customer Data, it will (unless legally prohibited) promptly notify the Customer, review the legality of the request and challenge it where there are reasonable grounds to do so, disclose only the minimum data required, and document the request and response - consistent with Clauses 14 and 15 of the SCCs.
14. CCPA service-provider terms
To the extent Customer Data includes personal information of consumers protected by the CCPA or another US state privacy law, the following applies, and the Customer discloses that personal information to Wondertabs only for the limited and specified business purposes of providing the Service described in Section 3 and Annex I:
(a) Wondertabs is the Customer's service provider (CCPA) or processor (other state laws) and will comply with the obligations applicable to that role, providing the same level of privacy protection as the law requires of the Customer;
(b) Wondertabs will not sell or share the personal information (as “sell” and “share” are defined in the CCPA), and will not use it for cross-context behavioural advertising or targeted advertising;
(c) Wondertabs will not retain, use or disclose the personal information for any purpose other than the business purposes specified in this DPA (including the limited internal purposes the CCPA regulations permit a service provider, such as security, fraud prevention and compliance), and not outside the direct business relationship between Wondertabs and the Customer;
(d) Wondertabs will not combine the personal information with personal information it receives from other customers or collects from its own interactions with consumers, except as permitted by the CCPA regulations;
(e) Wondertabs will notify the Customer without undue delay if it determines it can no longer meet its obligations under the CCPA or this Section, and the Customer may then take the reasonable and appropriate steps contemplated by the CCPA to stop and remediate any unauthorised use of personal information (Section 12 satisfies the monitoring right);
(f) Wondertabs will assist the Customer in responding to consumer requests as described in Section 8, including deletion and correction requests and requests to opt out of sale or sharing that the Customer forwards to Wondertabs; and
(g) Wondertabs certifies that it understands the restrictions in this Section and will comply with them.
15. AI processing and no model training
15.1 To generate each AI reply, the Service sends to its platform-managed AI model providers, each engaged as a Sub-processor under Wondertabs' own platform API keys (Annex III), the conversation so far (up to the 20 most recent messages, which include anything the End User has typed), the agent's configured persona and business facts, and passages retrieved from the Customer's knowledge base. Chat-answer inference currently runs on OpenRouter, which forwards the request to Anthropic's Claude models; OpenAI is used for text embeddings and as a chat-answer fallback. Shorter excerpts of conversation and knowledge-base content also power supporting features, including intent and sentiment classification, human-handoff summaries, suggested inbox reply drafts, knowledge-gap analysis and report generation; uploaded documents are sent to OpenAI's embedding API to build the knowledge index. The Service does not send End User IP addresses, account credentials or billing data to any model provider. Under each provider's API terms, this content is not used to train its models and may be retained by the provider for a limited period (currently up to 30 days) for abuse monitoring.
15.2 Wondertabs will not use Customer Data to train or improve AI models, and does not permit its platform model providers to do so under the terms of its agreements with those providers. Any future change to this position would be a new processing purpose requiring the Customer's prior opt-in instruction.
15.3 Wondertabs maintains documentation of the data flows, providers and purposes of the Service's AI features that process Customer Data, and will make summaries available to the Customer on request, in support of Sections 8.4 and 12.1.
16. Liability
To the maximum extent permitted by law, each party's and its affiliates' liability arising out of or related to this DPA (including the SCCs and the UK Addendum, except where the SCCs do not permit such a limitation, including in respect of data subjects' third-party beneficiary rights) is subject to the exclusions and limitations of liability set out in the Agreement. Wondertabs' liability under this DPA counts toward, and is capped by, the limitation of liability in the Agreement, which applies as a single aggregate cap across the Agreement and this DPA; obligations that the Agreement expressly excludes from that cap (including the Customer's indemnification and payment obligations) remain as stated in the Agreement.
17. Order of precedence
If there is a conflict: (a) the SCCs and the UK Addendum prevail over this DPA and the Agreement in respect of the transfers they govern; (b) this DPA prevails over the Agreement in respect of the processing of Customer Data; and (c) the Agreement governs everything else. Nothing in the Agreement (including any future-agreed terms) is intended to modify the SCCs or to prejudice the fundamental rights or freedoms of data subjects.
18. Term, governing law and general
18.1 This DPA takes effect as described in the preamble and remains in force until Wondertabs has completed the deletion or return of Customer Data under Section 11, even if the Agreement has ended. Sections 10, 11, 13, 16 and 17 survive termination to the extent relevant.
18.2 Except where the SCCs or UK Addendum require otherwise (Section 13), this DPA is governed by the law governing the Agreement - the laws of Singapore - and disputes are subject to the exclusive jurisdiction of the Singapore courts, as set out in the Agreement.
18.3 Wondertabs may update this DPA from time to time as Data Protection Laws evolve; material changes will be notified to the Customer at least 30 days before taking effect, in the same manner as changes to the Agreement, and no change will materially reduce the protection of Customer Data during the term. Questions and notices under this DPA: legal@replyarc.ai; data protection contact: dpo@replyarc.ai (Data Protection Officer, Wondertabs Pte. Ltd.). Notices to the Customer under this DPA (including breach notifications under Section 10 and forwarded data-subject requests under Section 8.3) are sent to the Customer's account-owner email, unless the Customer designates a data-protection contact in writing to legal@replyarc.ai.
Annex I - Description of the processing
(This Annex also serves as Annex I to the SCCs and the information for Tables 1-3 of the UK Addendum.)
A. List of parties
| Data exporter | Data importer | |
|---|---|---|
| Name | The Customer, as identified in its ReplyArc account and the Agreement | Wondertabs Pte. Ltd. (UEN 202037320G) |
| Address | As provided in the Customer's account | Singapore (registered office per ACRA records; postal contact available on request) |
| Contact | The Customer's account owner email (or a data-protection contact the Customer designates in writing - Section 18.3) | dpo@replyarc.ai / legal@replyarc.ai |
| Role | Controller (Module Two) or processor (Module Three) | Processor |
| Signature and date | Deemed executed by acceptance of the Agreement, on the date of acceptance | Deemed executed by provision of the Service from the date of acceptance |
Competent supervisory authority (SCCs Clause 13): the supervisory authority of the EU member state in which the Customer (or its EU representative) is established or, failing that, where the relevant data subjects are located.
B. Description of the transfer and processing
Categories of data subjects:
- End Users: visitors to the Customer's websites who interact with (or whose visits are tracked for) the embedded chat widget, and individuals who message the Customer through messaging channels the Customer connects (for example WhatsApp, Facebook Messenger, Instagram, Telegram, Slack, Microsoft Teams, Discord).
- The Customer's own authorised users and staff, as they appear in conversation data (display names, replies, notes, presence).
- Individuals whose personal data appears in content the Customer uploads or crawls into the Service (knowledge-base documents, website pages, imported contacts).
Categories of personal data:
| Category | Examples |
|---|---|
| Identification and contact data | Name, email address, phone number shared in chat or captured as a lead; channel identifiers (e.g. WhatsApp number, Messenger/Instagram/Telegram handles) |
| Conversation data | Chat messages and replies (free text - may include any information the End User chooses to type), shared contact cards, conversation status, ratings/feedback, human-handoff and join/leave events |
| Website visit data | Pages viewed, session and journey events, referrer and campaign parameters, browser language, timezone, screen size; server-derived browser and device type; a salted one-way hash of the IP address (raw IP addresses are processed transiently - for example for rate limiting, in records that expire automatically - and are not stored in analytics records; IP addresses or ranges the Customer itself enters in its abuse-prevention block list are stored for the Customer) |
| AI derived data | Intent classification with confidence scores, sentiment and emotion scoring for messages and conversations, lead scores and scoring factors, and AI generated conversation summaries (Section 15) |
| Compliance records | Consent timestamps recorded with captured leads and contact profiles, data-subject-request records and erasure markers |
| Customer content | Personal data contained in documents and pages the Customer uploads or crawls for the agent's knowledge base |
Sensitive data: none is required by the Service or intentionally collected. Because chat is free text, an End User may volunteer special-category data; the Customer must not configure the Service to solicit it (Section 4.3(d)). Applied restrictions and safeguards: tenant isolation, encryption, access restriction to the Customer's workspace, erasure tooling and configurable purging (Annex II).
Frequency of the transfer: continuous, for the duration of the Agreement.
Nature and purpose of the processing: as described in Section 3 - hosting, storage, transmission, retrieval, display, AI assisted response generation and AI derived classification, scoring and summarisation (Section 15), human handoff, lead capture, channel relay, analytics for the Customer, deletion, and technical support.
Retention period (criteria): Customer-controlled during the term (including optional automatic purging by age of transcripts and leads); on termination, return and/or deletion per Section 11 (deletion within 30 days of the Customer's instruction and in any event within 90 days of termination, subject to legal holds and backup rotation).
Transfers to (sub-)processors: as set out in Annex III; object, nature and duration as above.
C. Competent supervisory authority
As stated in Part A. For the UK Addendum, the Information Commissioner's Office is the relevant authority.
Annex II - Technical and organisational measures
(This Annex also serves as Annex II to the SCCs. All measures below are implemented and running at the Last updated date.)
| Domain | Measures |
|---|---|
| Tenant isolation | Multi-tenant data is segregated by workspace: application servers enforce tenant isolation in code by scoping every query to the tenant identifier resolved from the authenticated session or API key, and tenant-scoped tables additionally carry Postgres row-level-security policies keyed to tenant membership, which restrict client-facing database paths (including real-time message delivery) as defense-in-depth |
| Encryption in transit | TLS for all connections to the marketing site, dashboard, API and widget endpoints, fronted by Cloudflare |
| Encryption at rest | Database encryption at rest by the managed database provider; channel and integration credentials (e.g. messaging-channel access tokens, connector secrets and pasted webhook URLs) are encrypted with AES-256-GCM and decrypted only at the point of use; ReplyArc REST API keys are stored only as SHA-256 hashes (the full key is shown once at creation and never stored); platform AI provider keys are held as deployment secrets outside the database; credentials are not written to application logs, and integration-boundary error logs pass through automatic secret redaction |
| Authentication and access control | Customer authentication via Supabase Auth (email/password stored only as hashes, magic links, Google OAuth); workspace membership and roles control dashboard access; staff access to production data is restricted by role-based access controls to what is needed to operate, secure and support the Service; cross-tenant content searches by platform staff are audit-logged, and support impersonation of Customer workspaces is view-only and time-limited (Section 5) |
| Data minimisation and pseudonymisation | Visitor analytics records persist only a salted one-way hash of the IP address, never the raw address; raw IP addresses are processed transiently for rate limiting, in records that expire automatically; IP addresses or ranges the Customer enters in its abuse-prevention block list are stored for the Customer; End Users are identified by random visitor identifiers |
| Abuse and availability controls | Cloudflare CDN and DDoS protection; Cloudflare Turnstile anti-bot checks on exposed forms; per-endpoint rate limiting; widget requests gated by per-agent allowed-origin lists where the Customer configures them (an unconfigured allowlist permits embedding from any origin - see the Agreement); per-conversation message caps, per-workspace conversation caps and platform spend ceilings |
| Logging and monitoring | Administrative and security-relevant actions are audit-logged; audit events are automatically deleted after 90 days |
| Data subject request tooling | Per-subject export of captured contact details and linked conversation transcripts; erasure by irreversible anonymisation (message content overwritten with an erasure marker); contact-profile (“forget me”) deletion; a data-subject-request log; configurable automatic purging of transcripts and leads enforced by a scheduled job |
| Backups and recovery | Automated encrypted backups managed by the database provider, expiring on a rolling rotation schedule; restoration only for disaster recovery (Section 11.3) |
| Hosting | Application hosted on Fly.io in Singapore (ap-southeast-1); database and authentication on Supabase, hosted in the Singapore region (as published on the Sub-processor Page) |
| Personnel | Confidentiality obligations for all persons authorised to process Customer Data (Section 5); least-privilege access |
| Sub-processor management | Written contracts with flow-down obligations, transfer safeguards and the public Sub-processor Page with change notifications (Section 7) |
| Incident response | Breach assessment and Customer notification per Section 10, with documentation of incidents and remediation |
Measures Wondertabs provides to assist the Customer (SCCs Clause 10): the data subject request tooling, export, deletion and retention controls described above and in Section 8.
Annex III - Sub-processors
(This Annex also serves as Annex III to the SCCs. The authoritative, current list is the Sub-processor Page at replyarc.ai/legal/subprocessors; the list below is identical to that page at the Last updated date.)
| Sub-processor | Function | Personal data processed | Location of processing |
|---|---|---|---|
| Supabase (Supabase, Inc.) | Database, authentication, file storage, real-time messaging | All Customer Data stored in the Service: conversation transcripts, captured leads, visitor analytics (hashed IPs, device data, page views), uploaded documents and files; End User IPs on real-time connections | Database hosted in Singapore; US entity |
| Fly.io (Fly.io, Inc.) | Application hosting and TLS for the dashboard, API and background jobs | All Service traffic in transit (IP addresses, request content); application logs | Singapore (ap-southeast-1); US entity |
| Upstash (Upstash, Inc.) | In-memory cache: rate limiting, duplicate-request protection, agent presence, usage counters | End User IPs inside short-lived rate-limiting keys; chat responses cached up to 24 hours; internal user IDs | Singapore region; US entity |
| OpenAI (OpenAI, L.L.C.) | Text embeddings (and chat-answer inference as a fallback), using platform API keys held by Wondertabs | Chat messages and recent conversation history, agent persona and business facts, knowledge-base passages, uploaded document text (for embeddings). Not sent: End User IP addresses, credentials, billing data | United States |
| OpenRouter (OpenRouter, Inc.), routing to Anthropic (Anthropic PBC) | AI inference for chat answers and the per-turn classifier, using platform API keys held by Wondertabs; OpenRouter forwards the request to Anthropic's Claude models | Chat messages and recent conversation history, agent persona and business facts, knowledge-base passages. Not sent: End User IP addresses, credentials, billing data; text embeddings are not processed here (they remain with OpenAI) | United States (OpenRouter and Anthropic) |
| Resend (Resend, Inc.) | Transactional email: sign-in and account emails, team invitations, lead alerts, scheduled reports, notifications | Recipient email addresses; email content, which can include lead contact details and short conversation excerpts; sign-in and invitation links | United States |
| Cloudflare (Cloudflare, Inc.) | Content delivery network and network security in front of the Service | IP addresses and traffic metadata of requests passing through the edge network | Global edge network; US entity |
| Sentry (Functional Software, Inc.) | Error and performance monitoring of the dashboard application | Error reports with technical request context and account identifiers; session replays captured on errors (default PII capture disabled) | United States |
| Stripe (Stripe, Inc.) | Payment processing for paid plans | Billing and customer contact details, payment-method metadata, and subscription and charge records. Card numbers are entered into Stripe-hosted fields and are not stored by Wondertabs | United States |
| Expo (650 Industries, Inc.), via Apple APNs / Google FCM | Mobile push notifications to the Customer's agents | Device push tokens; notification text, which may include lead names | United States; Apple/Google push networks global |
| Google Fonts (Google LLC) | Serves the chat widget's display font at load time | The requesting End User's IP address only - no chat, account or page content | Global |
Customer-directed recipients (not Sub-processors). Some data leaves the Service only because the Customer configures it to, on the Customer's documented instructions (Section 4.2) and under the Customer's own terms with the recipient: messaging channels the Customer connects (WhatsApp Business, Facebook Messenger and Instagram (Meta), Telegram, Slack, Microsoft Teams, Discord - message content flows to and from the channel provider once connected); notification webhooks the Customer pastes (for example Slack or Teams incoming webhooks) and the Customer's own outbound webhook and AI tool endpoints; and link-out buttons in the chat widget (for example WhatsApp, Messenger, LINE, phone or booking links), where the End User leaves the widget and deals with that service directly.