Data Processing Agreement (DPA)
1. Definitions
Terms used but not defined in this DPA have the meaning given to them in the GDPR or the Terms of Service.
- "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data.
- "Processor" means RPTX LLC, processing Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed under the Agreement.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Subprocessor" means any third party engaged by RPTX to process Personal Data on behalf of the Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021, and the UK International Data Transfer Addendum where applicable.
- "Data Subject Request" means a request from a Data Subject to exercise rights under Chapter III of the GDPR.
2. Roles and scope
Under this DPA, the Customer is the Controller of Personal Data and RPTX is the Processor. The Customer instructs RPTX to process Personal Data solely for the purpose of providing the services described in the Terms of Service, and in accordance with the documented instructions of the Customer, which include instructions given through normal use of the services (for example, by configuring AskFolder to index a particular folder).
3. Subject matter, duration, nature and purpose of processing
Subject matter: the provision of the RPTX services, including AskFolder — a document retrieval and question-answering product.
Duration: the term of the Agreement plus any post-termination retention period required by law or explicitly agreed in the Terms of Service (currently a default of 60 days for data export, followed by deletion).
Nature and purpose: indexing, storing, and retrieving documents provided by the Controller; generating cited answers to queries; and operating customer accounts (including authentication, billing via a Merchant of Record, and support).
4. Categories of data subjects and personal data
Data subjects may include:
- The Customer's employees, contractors, and other authorized users of RPTX services.
- Any natural person whose Personal Data appears within documents or data sources that the Customer chooses to index with AskFolder.
Categories of Personal Data typically include:
- Account data: name, email address, authentication credentials, IP address, device and browser information.
- Billing data: processed by our Merchant of Record (Paddle.com, Inc.); RPTX does not store card numbers.
- Content data: any Personal Data contained within documents that the Customer chooses to index.
- Usage data: logs of queries, API calls, and administrative actions, used for security, abuse prevention, and service reliability.
The Customer is responsible for ensuring it has a lawful basis for processing any Personal Data contained in the documents it indexes via AskFolder and for informing Data Subjects as required.
5. Processor obligations
RPTX shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by applicable law (in which case RPTX will inform the Controller of that requirement unless the law prohibits it).
- Ensure that persons authorized to process the Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (see Annex II).
- Take all measures required pursuant to Article 32 GDPR (security of processing).
- Respect the conditions in paragraphs 2 and 4 of Article 28 for engaging subprocessors.
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligation to respond to Data Subject Requests.
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to the Processor.
- Delete or return all Personal Data at the Controller's choice at the end of the provision of services, and delete existing copies unless retention is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits (see section 11).
6. Security measures
RPTX shall implement and maintain the technical and organizational measures described in Annex II to this DPA, which are aligned with Article 32 GDPR. The authoritative, continuously updated version of these measures is published at /trust. RPTX may update the specific measures over time, provided the updated measures provide a level of security equivalent to or greater than the measures in force at the effective date of this DPA.
7. Subprocessors
The Controller provides a general authorization for RPTX to engage the subprocessors listed at /subprocessors (the current list as of the effective date is set out in Annex III).
RPTX shall:
- Impose on each Subprocessor, by written contract, data protection obligations equivalent to those set out in this DPA, including appropriate technical and organizational measures.
- Remain fully liable to the Controller for the performance of its Subprocessors' obligations.
- Give the Controller at least 30 days' prior notice of any intended addition or replacement of Subprocessors processing Personal Data, by email to the billing contact on file and by updating the subprocessors page. The Controller may object on reasonable data-protection grounds within that period; if the objection cannot be resolved, the Controller may terminate the affected service on written notice and receive a pro-rata refund of prepaid fees.
8. International data transfers
RPTX is established in the United States, and some Subprocessors are established in the United States or other jurisdictions outside the European Economic Area and the United Kingdom. Where Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision, the transfer shall be governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference:
- EU SCCs: Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable, with the Customer as the data exporter and RPTX as the data importer. Clause 17 option 1 is selected (governing law of the Republic of Ireland). Clause 18(b) selects the courts of Ireland as the competent forum.
- UK Addendum: the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, version B1.0 in force 21 March 2022.
- Swiss transfers: the EU SCCs apply with the adaptations described by the Swiss Federal Data Protection and Information Commissioner.
The parties agree that the information required by Annex I.A, Annex I.B, Annex I.C, and Annex II of the SCCs is populated as set out in the Annexes to this DPA.
9. Assistance with Data Subject Requests
Taking into account the nature of the processing, RPTX shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to Data Subject Requests under Chapter III of the GDPR. If RPTX receives a Data Subject Request directly and it relates to data processed on behalf of the Controller, RPTX shall promptly forward it to the Controller and shall not respond to the Data Subject except as instructed or as required by applicable law.
10. Personal Data breach notification
RPTX shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data. The notification shall, to the extent known at the time:
- Describe the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- Communicate the name and contact details of RPTX's designated point of contact.
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its adverse effects.
Where, and insofar as, it is not possible to provide all the information at once, the information may be provided in phases without further undue delay. A written post-incident report will be made available on the Controller's request.
11. Audits and inspections
RPTX shall make available to the Controller, on reasonable written request, all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. This obligation may be satisfied, at RPTX's option, by providing the Controller with:
- The current public Trust & security overview;
- Written responses to a reasonable security questionnaire, subject to any required confidentiality undertakings;
- Summary results of any third-party audit or penetration test commissioned by RPTX, under a mutually acceptable NDA.
On-site audits shall be conducted only where the above does not reasonably satisfy the Controller's due-diligence obligations, no more than once in any twelve-month period except where required by a supervisory authority, during normal business hours, on not less than 30 days' prior written notice, subject to a mutually acceptable NDA, and at the Controller's expense. The parties shall work in good faith to minimize disruption to RPTX's services and other customers during any such audit.
12. Return or deletion of Personal Data
Upon termination or expiry of the Agreement, and at the Controller's written election, RPTX shall either return all Personal Data to the Controller or delete it. Deletion shall take place no later than 60 days after termination, unless applicable law requires longer retention, in which case RPTX shall inform the Controller of the retention obligation and shall continue to protect the Personal Data for the duration of the retention. Backups containing Personal Data will be overwritten in the normal rotation cycle within a further 90 days.
13. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under applicable data-protection law.
14. Term and termination
This DPA shall remain in force for as long as RPTX processes Personal Data on behalf of the Controller under the Agreement. Termination of this DPA shall not relieve either party of obligations that by their nature are intended to survive termination, including sections 10, 11, and 12.
15. Governing law and jurisdiction
Unless otherwise specified in the Terms of Service, this DPA is governed by the laws of the State of Wyoming, United States, without regard to conflict-of-laws principles. For transfers subject to the EU SCCs, the governing law and competent forum for the SCCs are as specified in section 8 above.
16. Miscellaneous
- In the event of a conflict between this DPA and any other agreement between the parties, including the Terms of Service, this DPA prevails with respect to the processing of Personal Data.
- If any provision of this DPA is held to be invalid or unenforceable, the remainder shall continue in full force and effect.
- This DPA may be amended only in writing, including by a posted update that the Customer accepts by continued use of the services after the effective date of the update.
Annex I — Description of processing
I.A. List of parties
Data exporter (Controller): The Customer, as identified in the account registration and billing records held by the Merchant of Record.
Data importer (Processor): RPTX LLC, a limited liability company registered in the State of Wyoming, United States (publishing under the brand name “RPTX Software”), with contact point legal@rptxsoftware.com.
I.B. Description of transfer
Categories of data subjects: as described in section 4 above.
Categories of personal data: as described in section 4 above.
Sensitive data: RPTX does not seek to process special categories of Personal Data as defined in Article 9 GDPR. The Customer is responsible for ensuring it does not upload such data without first contacting RPTX to agree additional safeguards.
Frequency of transfer: continuous, for the duration of the Agreement.
Nature and purpose of processing: as described in section 3 above.
Retention period: as described in section 12 above and in the Terms of Service.
I.C. Competent supervisory authority
For transfers subject to the EU SCCs where the Controller is established in an EU/EEA member state, the competent supervisory authority is the one designated by Clause 13(a) of the SCCs. Where the Controller is established in the United Kingdom, the competent authority is the Information Commissioner's Office (ICO). Where the Controller is established in Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC).
Annex II — Technical and organizational measures
The current measures are described in full at /trust and summarized here for incorporation by reference into this DPA:
- Encryption in transit: TLS 1.2+ on all public endpoints; HSTS enabled.
- Encryption at rest: AES-256 at rest for primary databases and object storage via provider-managed keys.
- Access control: multi-factor authentication enforced on all staff accounts; least-privilege access to production; scheduled credential rotation.
- Authentication: OAuth 2.0 / OpenID Connect for connected sources; narrowest-scope permissions; refresh tokens stored encrypted and revocable.
- Pseudonymization: automatic redaction of credentials and personal identifiers from ingested content where detected.
- Network security: internal traffic over provider-enforced TLS; no public-facing databases.
- Backups & recovery: continuous provider-managed backups, point-in-time recovery within the last 7 days, 30 days of daily snapshots; tested restoration.
- Logging & monitoring: authentication events and administrative actions logged for 13 months; automated alerting on anomalies.
- Change management: peer or self-review on all production changes with a documented checklist; strict separation of development, staging, and production environments.
- Vendor management: subprocessors are subject to contractual data-protection obligations equivalent to those in this DPA; current list at /subprocessors.
- Incident response: documented runbook; customer notification within 72 hours of confirming a Personal Data breach; written post-incident report on request.
Annex III — List of Subprocessors
The authoritative list is maintained at /subprocessors and is updated on material change with 30 days' advance notice per section 7 of this DPA. The list in force as of the effective date of this DPA includes the parties listed on that page, with the role and location described therein.
Acceptance
This DPA is accepted by the Customer on the earlier of (a) subscribing to an RPTX service, (b) creating an account, or (c) continuing to use an RPTX service after the effective date shown above. A countersigned PDF copy is available on request at legal@rptxsoftware.com.