Reppix

Data Processing Addendum

Last updated: April 2026

1. Parties

This Data Processing Addendum ("DPA") is entered into between the customer organization ("Data Controller") and Reppix ("Data Processor"), and supplements the Terms of Use and Privacy Policy. This DPA governs the processing of personal data by Reppix on behalf of the Data Controller.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Reppix platform, including employee names, contact details, GPS location data, and financial transaction records. "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion. "Sub-processor" means any third party engaged by Reppix to process personal data on behalf of the Data Controller.

3. Scope of Processing

Reppix processes personal data solely for the purpose of providing the platform services described in the Terms of Use. This includes:

- Storing and managing employee and customer records.
- Processing orders, deliveries, and collection transactions.
- Recording GPS location data for route tracking during working hours.
- Generating invoices, reports, and performance analytics.
- Sending notifications via WhatsApp and email on your behalf.

4. Processor Obligations

Reppix shall:

- Process personal data only on documented instructions from the Data Controller.
- Ensure that persons authorized to process personal data have committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure data security.
- Assist the Data Controller in responding to data subject access requests.
- Maintain a record of all categories of processing activities.
- Not transfer personal data outside the agreed processing regions without consent.

5. Sub-processors

Reppix engages the following categories of sub-processors:

- Cloud infrastructure providers (data hosting and storage).
- Communication services (WhatsApp Business API, email delivery).
- Mapping services (route optimization).

Reppix will notify the Data Controller before engaging any new sub-processor. The Data Controller may object within 14 days. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. Security Measures

Reppix implements the following security measures:

- Database-per-tenant isolation: each organization's data is stored in a separate database.
- Encryption at rest and in transit (TLS 1.2+).
- Role-based access control with principle of least privilege.
- Regular security assessments and vulnerability scanning.
- Automated daily backups with 30-day retention.
- Access logging and audit trails for all administrative actions.
- Multi-factor authentication for administrative accounts.

7. Data Breach Notification

In the event of a personal data breach, Reppix shall:

- Notify the Data Controller without undue delay, and in any case within 48 hours of becoming aware of the breach.
- Provide details of the breach, including the categories and approximate number of data subjects affected.
- Describe the likely consequences and the measures taken or proposed to address the breach.
- Cooperate with the Data Controller in notifying the relevant supervisory authority and affected data subjects as required.

8. International Transfers

Personal data is processed and stored within the Middle East region by default. If transfer to another region is required for service operation, Reppix will ensure appropriate safeguards are in place, including standard contractual clauses or equivalent mechanisms recognized by applicable data protection law.

9. Data Subject Rights

Reppix shall assist the Data Controller in fulfilling data subject requests including:

- Right of access to personal data.
- Right to rectification of inaccurate data.
- Right to erasure (where legally permissible).
- Right to data portability.
- Right to restrict or object to processing.

Reppix will respond to Data Controller instructions regarding data subject requests within 5 business days.

10. Data Deletion and Return

Upon termination of the service agreement, Reppix shall:

- Make all personal data available for export in a standard format (CSV/JSON) for 30 days.
- Delete all personal data within 90 days of termination, except where retention is required by law.
- Provide written confirmation of deletion upon request.

Financial records subject to legal retention requirements will be retained for the minimum required period and then deleted.

11. Audit Rights

The Data Controller has the right to audit Reppix's compliance with this DPA. Audits may be conducted:

- Once per calendar year, with 30 days' advance notice.
- By the Data Controller or a mutually agreed independent auditor.
- At the Data Controller's expense, unless the audit reveals material non-compliance.

Reppix shall cooperate with reasonable audit requests and provide access to relevant documentation, logs, and personnel.

12. Contact

For questions about this Data Processing Addendum:

Data Protection Contact: privacy@reppix.co
Address: Reppix, Amman, Jordan