Data Processing Addendum

Last updated: May 20, 2026

1. Scope and roles

This Data Processing Addendum applies when a business customer uses Reply Intern to process Google review data. The customer is the controller. RADOM UG is the processor for review data processed to provide Reply Intern.

2. Processing instructions

Reply Intern processes personal data only to provide the service, secure the service, comply with law, and follow the customer's documented instructions through settings, connected locations, support requests, and these terms.

3. Data categories and subjects

  • Data subjects: business users, Google reviewers, and outreach recipients where outreach is enabled.
  • Data categories: account data, Google account/location IDs, review text, reviewer names, ratings, reply drafts, published replies, settings, reports, support records, billing metadata.

4. Subprocessors

Reply Intern uses subprocessors listed in the Privacy Policy, including Google, Microsoft Azure, Stripe, hosting/database infrastructure, and search providers for internal outreach where enabled. Reply Intern remains responsible for subprocessor performance under this Addendum.

5. Security measures

  • HTTPS transport encryption.
  • Hashed password storage.
  • Encrypted Google OAuth token storage when production encryption keys are configured.
  • Restricted production access for operational administrators.
  • Environment-based secret management outside source code.
  • Retention cleanup for expired reset tokens, disconnected review data, and stale outreach records.

6. Deletion and return

Customers can export account data and delete account data from Settings. Business/location deletion removes associated reviews and replies. Disconnecting Google stops future sync and marks the location for review/reply data cleanup after the configured retention period.

7. Assistance and breaches

Reply Intern will reasonably assist customers with data subject requests, security questions, and supervisory authority requests relating to the service. Reply Intern will notify affected customers without undue delay after becoming aware of a confirmed personal data breach affecting processed customer data.

8. International transfers

Reply Intern is designed to use EU-based processing for the core service. If a subprocessor transfer outside the EEA is required, Reply Intern relies on appropriate transfer safeguards such as adequacy decisions or standard contractual clauses.