Data Processing Addendum
AskReplay LLC
Last Updated: June 13, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between AskReplay LLC (“AskReplay,” “we,” “us”) and the customer (“Customer,” “you”) and applies where AskReplay processes Personal Data on the Customer’s behalf in connection with the Service. If you are a business subject to the GDPR/UK GDPR, the CCPA/CPRA, or similar laws and require a countersigned copy, contact contact@ask-replay.com.
1. Definitions
“Personal Data,” “Processing,” “Data Subject,” “Controller,” “Processor,” and “Personal Data Breach” have the meanings given under applicable data protection law (“Data Protection Laws”). “Customer Personal Data” means Personal Data contained in Customer Content or otherwise processed by AskReplay on the Customer’s behalf. “Subprocessor” means a third party engaged by AskReplay to process Customer Personal Data.
2. Roles of the Parties
For Customer Personal Data, the Customer is the Controller (or a processor acting for another controller) and AskReplay is the Processor (or subprocessor). AskReplay also acts as a Controller for limited data it processes for its own purposes (such as account, billing, and security data), as described in our Privacy Policy. The Customer is responsible for the lawfulness of the Personal Data it provides and for providing all required notices to, and obtaining all required consents from, Data Subjects (including Viewers).
3. Scope and Instructions
AskReplay will process Customer Personal Data only (a) to provide and support the Service, (b) in accordance with the Customer’s documented instructions (including these Terms and the Customer’s use of the Service), and (c) as required by law (in which case AskReplay will inform the Customer unless legally prohibited). The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex A.
4. Confidentiality
AskReplay ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and process the data only as instructed.
5. Security
AskReplay implements appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art and the risks of processing. A summary of these measures is available at /security and forms Annex B to this DPA.
6. Subprocessors
The Customer provides a general authorization for AskReplay to engage Subprocessors to process Customer Personal Data. AskReplay maintains a current list of Subprocessors at /subprocessors and imposes data-protection obligations on each Subprocessor no less protective than those in this DPA. AskReplay will provide a mechanism to be notified of new Subprocessors and a reasonable period to object on legitimate data-protection grounds; AskReplay remains responsible for its Subprocessors’ performance.
7. Data Subject Rights
Taking into account the nature of the processing, AskReplay will provide reasonable assistance (including appropriate technical and organizational measures and Service functionality) to help the Customer respond to requests from Data Subjects to exercise their rights. If AskReplay receives such a request directly relating to a Customer’s data, it will, where permitted, refer the request to the Customer.
8. Personal Data Breach
AskReplay will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide reasonably available information to help the Customer meet its breach-notification obligations.
9. Data Protection Impact Assessments
AskReplay will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Data Protection Laws and relating to AskReplay’s processing.
10. Return and Deletion
Upon termination of the Service and on the Customer’s request, AskReplay will delete or return Customer Personal Data and delete existing copies, except where retention is required by law. Where the Service provides export functionality, the Customer may export its data before deletion. Residual copies in routine backups are deleted or overwritten in the ordinary course.
11. Audits
AskReplay will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality, security, scheduling, and frequency limitations. Where available, AskReplay may satisfy audit requests by providing third-party reports or documentation.
12. International Transfers
AskReplay and its Subprocessors may process Customer Personal Data in the United States and other countries. Where Data Protection Laws require, the parties will rely on a valid transfer mechanism (such as the European Commission’s Standard Contractual Clauses, which are incorporated by reference where applicable) for cross-border transfers.
13. Liability and Precedence
Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA controls.
Annex A — Details of Processing
- Subject matter and duration: provision of the AskReplay Service for the term of the Customer’s subscription.
- Nature and purpose: hosting, storing, indexing, and processing Customer Content to deliver interactive, AI-assisted Q&A; capturing and storing viewer/follow-up information; and providing analytics, security, and support.
- Types of Personal Data: account and contact details of Authorized Users; identifiers and contact details Viewers choose to submit (such as name, email, role, industry, goal); questions submitted and answers returned; and technical data (such as IP address and session activity).
- Categories of Data Subjects: the Customer’s Authorized Users and the Viewers who interact with the Customer’s recordings.
Annex B — Security Measures
The technical and organizational measures are described in the Security overview at /security, including encryption in transit, tenant data isolation, access controls, signed session tokens, and rate limiting.