1. Scope and relationship to the Terms
This Data Processing Addendum (“DPA”) supplements the Repik Terms of Service between [ENTITY_NAME] (“Repik” or “Processor”) and the Business that uses the Service (“Controller”). The DPA governs Repik’s processing of End-Customer Personal Data on behalf of the Controller.
For Business-data that Repik processes as an independent controller (for example, the Controller’s account information), the Privacy Policy applies instead of this DPA.
2. Definitions
- End-Customer Personal Data — any personal data about the Controller’s own loyalty customers that Repik processes on the Controller’s behalf (Customer ID, phone number if provided, stamp history, redemption history, wallet identifiers).
- Sub-processor — any third party engaged by Repik to process End-Customer Personal Data.
- Applicable Privacy Law — any law governing personal data that applies to the Controller and to Repik in its capacity as processor, including the CCPA/CPRA (California) and the LFPDPPP (Mexico).
3. Processor obligations
Repik, as processor, agrees to:
- Process End-Customer Personal Data only on the Controller’s documented instructions, which are set out in the Service documentation and this DPA.
- Ensure personnel with access to End-Customer Personal Data are bound by confidentiality obligations.
- Apply appropriate technical and organizational measures (see Annex A) to protect the data.
- Not sell or share End-Customer Personal Data for cross-context behavioral advertising, and not combine it with data from other sources except to provide the Service.
- Assist the Controller in responding to data subject / titular requests (ARCO or CCPA/CPRA rights) within a reasonable time.
- Notify the Controller without undue delay if Repik becomes aware of a personal data breach affecting End-Customer Personal Data.
- Delete or return End-Customer Personal Data within 30 days of termination, except where retention is required by law or limited to disaster-recovery backups that are purged on a rolling schedule.
4. Sub-processors
The Controller authorizes Repik to engage the sub-processors listed in Annex B, and future successors or replacements with comparable obligations. Repik will:
- Enter into a written contract with each sub-processor imposing data-protection obligations substantially equivalent to those in this DPA.
- Remain liable to the Controller for any act or omission of a sub-processor that would put Repik in breach of this DPA.
- Provide at least 30 days’ notice before adding or replacing a material sub-processor, via email and in the dashboard, so the Controller can object. If the Controller reasonably objects, Repik and the Controller will work in good faith to resolve the concern; absent resolution, the Controller may terminate the affected portion of the Service.
5. International data transfers
End-Customer Personal Data originating in Mexico may be transferred to and processed in the United States under the LFPDPPP framework for international remittances and the contractual commitments in this DPA. The parties treat this DPA as the “protective clauses” required under Articles 36 and 37 of the LFPDPPP Regulations.
[TBD by counsel] If the Service is extended to the EU/UK, Standard Contractual Clauses must be incorporated by reference or executed before transfer.
6. Audits and records
On reasonable written request (no more than once per 12 months, or whenever required by a regulator), Repik will make available information necessary to demonstrate compliance with this DPA, including:
- A current list of sub-processors.
- A summary of the technical and organizational measures (Annex A).
- Copies of the most recent independent audits or certifications, if any.
The Controller may conduct an on-site audit only if a regulator requires it or if Repik has suffered a material breach; the parties will agree on reasonable scope, notice, confidentiality, and cost allocation.
7. Liability and term
Liability under this DPA is subject to the limitation of liability set out in the Terms. This DPA takes effect when the Controller accepts the Terms and remains in effect for as long as Repik processes End-Customer Personal Data on the Controller’s behalf.
[TBD by counsel] Verify liability allocation works for Mexican Civil Code § 1910 concepts and for California’s statutory privacy damages before relying on the limitation in cross-border disputes.
Annex A — Technical and organizational measures
- Encryption in transit using TLS 1.2 or higher across all external endpoints.
- Passwords hashed with bcrypt (cost 12); authentication tokens signed with RS256 and delivered via httpOnly, secure cookies.
- Strict multi-tenant query filtering; all queries scoped to business_id.
- Serializable-isolation database transactions for stamp and redemption operations to enforce anti-fraud guarantees.
- Per-endpoint rate limiting (Upstash Redis with in-memory fallback).
- CORS allow-list restricted to first-party origins via environment configuration.
- Structured audit logs for authentication, impersonation, and admin actions.
- Principle of least privilege for production access; reviewed periodically.
- Secrets (JWT keys, Apple/Google certificates, service-account keys, Twilio/Stripe credentials) stored in the platform secret manager; never in source control.
Annex B — Current sub-processors
- Vercel, Inc. — application hosting, edge network (US).
- Neon, Inc. — managed PostgreSQL (US-West).
- Upstash, Inc. — Redis cache (US-West).
- Apple, Inc. — Apple Wallet pass issuance and APNs push delivery.
- Google LLC — Google Wallet API and Wallet Objects delivery (US).
- Twilio, Inc. — transactional SMS for phone-based card recovery.
- Stripe, Inc. — US payment processing (when enabled).
- Conekta, S.A.P.I. de C.V. — MX payment processing (when enabled).
- Facturapi, S.A.P.I. de C.V. — CFDI invoicing (when enabled).
[TBD by counsel] Confirm legal entity names, addresses, and data-residency locations before publishing this list publicly.
Contact
Email [PRIVACY_EMAIL]. Postal address: [ENTITY_REGISTERED_ADDRESS].