Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between Reera ("Processor") and the Customer ("Controller") and forms part of the Terms of Service between the parties. It governs the processing of personal data by Reera on behalf of the Controller in connection with the Service.
1. Definitions
Terms used and not defined here have the meaning given to them in the EU General Data Protection Regulation 2016/679 ("GDPR"). "Personal Data," "Data Subject," "Processing," "Controller," and "Processor" have the meanings set out in Article 4 of the GDPR.
2. Subject matter and duration
The subject matter of the processing is the provision of the Service. The duration of the processing is the term of the underlying agreement plus any additional period required by law.
3. Nature and purpose of processing
Reera processes Personal Data to provide AI-driven classification, routing, and clustering of IT service tickets, and to improve the Customer's tenant-scoped model based on agent corrections.
4. Categories of Data Subjects
- The Customer's employees, contractors, and agents who interact with the Service;
- End users of the Customer's IT service desk whose tickets are routed through the Service.
5. Categories of Personal Data
- Account / contact data: name, business email, role.
- Ticket metadata: ticket title, free-text description (where the Customer chooses to ingest it), category, priority, assignee, status, timestamps.
- Decision logs: the AI suggestion, confidence score, the human action taken, and the final outcome.
Reera does not ingest ticket attachments, secrets, credentials, or biometric data. The Controller is responsible for ensuring that Personal Data submitted to the Service is appropriate.
6. Controller and Processor obligations
The Controller warrants that it has a lawful basis for the processing, has provided appropriate notices to Data Subjects, and has obtained any necessary consents.
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller;
- Ensure that personnel authorized to process Personal Data are bound by confidentiality;
- Implement appropriate technical and organizational security measures (Section 8);
- Assist the Controller in fulfilling Data Subject rights requests;
- Notify the Controller of any Personal Data Breach without undue delay (Section 9);
- Make available all information necessary to demonstrate compliance with this DPA, and allow for reasonable audits (Section 11);
- Return or delete Personal Data at the end of the agreement (Section 12).
7. Sub-processors
The Controller authorizes the use of the sub-processors listed at reera.io/subprocessors. Reera has entered into written data-processing agreements with each sub-processor that contain data-protection obligations at least equivalent to those in this DPA. Reera will notify the Controller at least 30 days before adding or replacing a sub-processor; the Controller may object on reasonable grounds, in which case the parties will work in good faith to resolve the objection.
8. Security measures
Reera implements industry-standard technical and organizational measures, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256);
- Role-based access control with least-privilege service accounts;
- Audit logging of all privileged actions;
- Network isolation and segmentation;
- Regular vulnerability scanning and patching;
- An information-security management system modeled on ISO/IEC 27001;
- Personnel security: confidentiality obligations, security training, background checks where permitted by law.
Full details are available at reera.io/security.
9. Personal Data Breach notification
Reera will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting the Controller's data. The notification will include, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken to address it.
10. International transfers
By default, all processing takes place within the European Economic Area on Google Cloud Platform infrastructure. Reera will not transfer Personal Data outside the EEA without the Controller's prior written authorization and the implementation of appropriate safeguards (e.g. Standard Contractual Clauses).
11. Audit rights
The Controller may, at its own expense and with reasonable advance notice, audit Reera's compliance with this DPA no more than once per twelve-month period. Audits will be conducted under reasonable confidentiality and during normal business hours, and will not unreasonably interfere with Reera's operations. In lieu of an on-site audit, Reera may provide third-party reports (e.g. SOC 2 Type II report when available, ISO/IEC 27001 Statement of Applicability).
12. Return or deletion of data
On termination of the underlying agreement, Reera will, at the Controller's choice, either return or delete all Personal Data processed on behalf of the Controller within 30 days, unless retention is required by law. Backups containing Personal Data are rotated within 35 days following deletion.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying Terms of Service.
14. Governing law
This DPA is governed by the laws of Spain. Any dispute arising out of or relating to this DPA will be submitted to the exclusive jurisdiction of the courts of Barcelona, Spain.
15. Contact
For DPA execution or any data-protection inquiry: ali@reera.io.