Data Processing Agreement

Table of Contents

Definitions
Roles & Responsibilities
Nature of Processing
Data Subject Rights
Sub-processors
Security Measures
Data Breach Notification
Data Retention & Deletion
Governing Law
Contact

Section 01

Definitions

Controller: The business or individual using OptiReply who determines the purpose and means of processing personal data
Processor: Seven9IT Solutions / OptiReply, acting on behalf of the Controller
Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on personal data, including collection, storage, retrieval, and deletion
Data Subject: The individual whose personal data is being processed (e.g., your customers who leave reviews)

Section 02

Roles & Responsibilities

When you use OptiReply to process customer review data from your Google Business Profile, you act as the Controller and Seven9IT Solutions acts as the Processor.

      We process your customer data only on your documented instructions — specifically, to provide the OptiReply platform services you have subscribed to.
    

We will not process personal data for any purpose beyond delivering the agreed services without your explicit written consent.

Section 03

Nature of Processing

Category	Details
Subject matter	Customer review management and AI response generation
Duration	For the term of your OptiReply subscription
Nature	Collection, storage, analysis, and display of review data
Purpose	Enabling businesses to manage and respond to Google reviews
Data types	Customer names, review text, star ratings, timestamps
Data subjects	Customers who have left reviews on your Google Business Profile

Processing is conducted solely to deliver OptiReply services under your subscription.

      Google API Data — No AI Training: We do not use data obtained through Google Business Profile APIs to train, retune, or improve our AI models or any machine learning models. Google API data is used exclusively to deliver the services visible in your OptiReply dashboard — responding to reviews and providing business insights. All AI-generated responses are intended for human review and approval before being published to Google.
    

Section 04

Data Subject Rights

We will assist you in fulfilling data subject requests under applicable law (PIPEDA, GDPR where applicable). If a data subject contacts us directly, we will promptly redirect them to you as the Controller.

Right of access to personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability

Section 05

Sub-processors

We engage the following sub-processors to deliver OptiReply services. All sub-processors are bound by data protection obligations no less restrictive than this DPA.

Sub-processor	Purpose	Location
Supabase	Database & authentication	AWS us-east-1
Stripe	Payment processing	United States
Vercel	Frontend hosting	Global CDN
Google Cloud	API services	United States
AI providers	Response generation	United States

We will notify you of any material changes to our sub-processor list with reasonable advance notice.

Section 06

Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of personal data in transit (TLS/HTTPS) and at rest
Ongoing confidentiality, integrity, and availability of processing systems
Regular testing and evaluation of security measure effectiveness
Access controls limiting data access to authorized personnel only
Secure authentication for all platform access

Section 07

Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and within 72 hours of becoming aware of the breach, providing:

Description of the nature of the breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach

Section 08

Data Retention & Deletion

Upon termination of your subscription or upon your written request, we will delete or return all personal data processed on your behalf within 30 days, unless retention is required by applicable law.

See our Data Deletion Policy for the full process.

Section 09

Governing Law

This DPA is governed by the laws of the Province of Ontario, Canada, and the federal laws of Canada, including the Personal Information Protection and Electronic Documents Act (PIPEDA).

Section 10

Contact

For DPA-related inquiries:

OptiReply — Seven9IT Solutions

📍 Toronto, Ontario, Canada

📧 privacy@seven9it.com

🌐 www.optireply.com