Relay.app Data Processing Addendum
Effective date: May 8, 2025
Relay.app Inc. (“Relay.app”) and the counterparty agreeing to these terms (“Customer”) have entered into a written or electronic agreement for the Services provided by Relay.app (the “Agreement”). This Data Processing Addendum (“DPA”) forms part of the Agreement.
Subject Matter of the DPA
The DPA applies to the processing of personal data subject to EU Data Protection Law under the Agreement.
The term “EU Data Protection Law” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. Other terms used in this DPA that have a meaning ascribed to them in EU Data Protection Law, including but not limited to “Processing,” “Personal Data,” “Data Controller,” and “Processor,” shall carry the meanings set forth under EU Data Protection Law.
Insofar as Relay.app will be processing Personal Data subject to EU Data Protection Law on behalf of the Customer in the course of the performance of the Agreement, the terms of this DPA shall apply. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control. An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in Annex 1.
Relay.app as Data Processor and Customer as Data Controller
Subject to the provisions of the Agreement, to the extent that Relay.app's data processing activities are not adequately described in the Agreement, Customer will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by Relay.app. Relay.app will process the Personal Data only as set forth in Customer’s documented instructions and no Personal Data will be processed unless explicitly instructed by Customer.
Relay.app will only process the Personal Data on documented instructions of Customer to the extent that this is required for provision of the Services. Should Relay.app reasonably believe that a specific processing activity beyond the scope of Customer’s instructions is required to comply with a legal obligation to which Relay.app is subject, Relay.app shall inform Customer of that legal obligation and seek explicit authorization from Customer before undertaking such processing. Relay.app shall never process the Personal Data in a manner inconsistent with Customer’s documented instructions. Relay.app shall immediately notify Customer if, in its opinion, any instruction infringes EU Data Protection Law or other member state data protection provisions. Such notification will not constitute a general obligation on the part of Relay.app to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.
The parties have entered into the Agreement in order to benefit from the capabilities of Relay.app in securing and processing the Personal Data for the purposes set out in Annex 1. Relay.app shall be allowed to exercise its discretion in the selection and use of such means as it considers necessary to promote those purposes, provided that all discretion is compatible with the requirements of this DPA, in particular Customer’s documented instructions.
Customer warrants that it has all necessary rights to provide the Personal Data to Relay.app for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the processing. To the extent required by EU Data Protection Law, Customer is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in EU Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the processing are obtained, and that records of such consents are maintained. Should such a consent be revoked by a data subject, Customer is responsible for communicating the fact of such revocation to Relay.app, and Relay.app remains responsible for implementing Customer’s instruction with respect to the processing of that Personal Data.
Confidentiality
Without prejudice to any existing contractual arrangements between the parties, Relay.app shall treat all Personal Data as confidential and shall inform all its employees, agents, and/or approved subprocessors engaged in processing the Personal Data of the confidential nature of the Personal Data. Relay.app shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
Security
Relay.app and Customer shall implement appropriate technical and organizational measures to ensure a level of security of the processing of the Personal Data appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures shall include, at a minimum, the security measures agreed upon by the parties in Annex 2.
Both Relay.app and Customer shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to Personal Data, conducting appropriate background checks, requiring employees, vendors, and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to Personal Data aware of the information security risks presented by the processing.
The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of security measures. Relay.app will evaluate measures as implemented in accordance with this section on an ongoing basis in order to maintain compliance with these requirements.
Audit
- Relay.app conducts annual audits verifying the adequacy of its security measures, and these annual audits will be performed according to SOC 2 by independent third-party auditors. In addition to any information contained in this DPA, Relay.app will make available, upon Customer’s request, the following documents and information:
- Relay.app's latest SOC 2 Type 2 report,
- further information reasonably necessary to demonstrate Relay.app's compliance with this DPA.
- Where applicable, the parties agree that Customer shall exercise its audit rights under the Agreement and EU Data Protection Law by instructing Relay.app to comply with the audit measures described in this section.
Data Transfers
- Relay.app is a US-based company, and Personal Data may be processed and stored in the United States and other locations. Where Personal Data protected by EU Data Protection Law is transferred, either directly or via onward transfer, to a country outside of the European Economic Area that is not subject to an adequacy decision, the EU Standard Contractual Clauses (as available at https://eur-lex.europa.eu/legal-content/EN/TXT/?locale-en=&uri=CELEX%3A32021D0915, and as may be amended or replaced by the European Commission from time to time) are incorporated by reference as described in Annex 3.
- Relay.app shall promptly notify Customer of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorization from Customer, which may be refused at its own discretion by following the procedures in Section 8 herein. Other than the processing described in subsection (a), a list of transfers for which Customer grants its authorization upon the conclusion of this DPA can be found on Relay.app’s subprocessor page, located at https://www.relay.app/subprocessors.
- To the extent that Customer or Relay.app are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Customer and Relay.app agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
Incident Management
- Upon discovering or becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, any Customer Data (hereinafter, “Data Incident”), Relay.app shall notify Customer without undue delay, take any additional steps reasonably necessary to mitigate the effects of the Data Incident, and reasonably cooperate in the investigation of the Data Incident. The term “Data Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
Subprocessors
Customer provides general authorization to Relay.app's use of subprocessors to provide Services-related processing activities on Personal Data in accordance with this section. A list of subprocessors currently engaged by Relay.app is available at https://www.relay.app/subprocessors. Relay.app will update the website and provide Customer with a mechanism to obtain notice of that update, at least 30 days before Relay.app engages a subprocessor. Customer may object to the use of the subprocessor within 90 days of notice, by terminating the Agreement for convenience.
Relay.app shall restrict any subprocessor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Agreement, and Relay.app will prohibit the subprocessor from accessing Customer Data for any other purpose. To the extent a subprocessor processes Customer Data, Relay.app will impose the provisions of this DPA by written agreement with that subprocessor. Consistent with the terms of the Agreement, Relay.app will remain liable for all acts and omissions of the subprocessor that cause Relay.app to breach any of its obligations under this DPA.
Return of Personal Data
Upon termination of this DPA or upon Customer’s written request, Relay.app shall, at the discretion of Customer, either delete, destroy, or return all Personal Data to Customer, unless otherwise required to retain such data by EU Data Protection Law or other applicable law. Relay.app shall notify all third parties supporting its own processing of the Personal Data of the termination of the DPA and shall ensure that all such third parties delete, destroy, or return all Personal Data at Customer’s discretion.
Assistance to Customer in Fulfilling Customer’s Data Controller Obligations
Relay.app will enable Customer, consistent with the functionality of the Services, to access, rectify and restrict processing of Customer Data, and to export Customer Data.
Relay.app shall assist Customer by appropriate technical and organizational measures, where possible, for the fulfillment of Customer’s obligation to respond to data subject requests relating to Customer Data under EU Data Protection Law. These measures may include the Services functionality described in subsection (a); if the functionality is insufficient, Relay.app shall provide Customer with additional reasonable cooperation and assistance.
Annex 1 – Categories of Personal Data, Data Subjects, and Processing Purposes
Categories of Data Subjects:
- Individuals about whom data is provided to Relay.app via the Services by Customer or its users.
Categories of Personal Data:
- Data relating to individuals about whom data is provided to Relay.app via the Services by Customer or its users.
Nature and Purpose of the Data Processing:
- Performance of the Services pursuant to the Agreement.
Duration of Processing:
- The Term provided under the Agreement.
Annex 2 – Security Measures
Relay.app shall implement and maintain the Security Measures described in this Annex 2.
Infrastructure Security
- Maintenance and Monitoring. Relay.app regularly maintains and patches the service infrastructure against known vulnerabilities, uses real-time database replication and intrusion detection, and ensures the hardening of servers and early detection of security threats. Infrastructure performance is continuously monitored with alerts for predefined thresholds.
- Access and Data Security. Production systems, databases, and networks are accessed only through secure methods such as multi-factor authentication (MFA), encrypted connections, and unique authentication mechanisms. Access is strictly controlled and revoked upon employee termination. Production data is segmented from non-production environments, and encryption key access is restricted.
Organizational Security
- Data Protection and Employee Policies. Relay.app employs encryption for portable media and anti-malware technology in susceptible environments. Employee background checks, mandatory security training, mobile device management (MDM), and confidentiality agreements for employees and contractors reinforce the security culture.
- Asset and Access Management. A formal inventory of production assets is maintained. Access to production deployment is restricted to authorized personnel, and a vendor management program is actively managed.
Product and Internal Security
- Testing and Logging. Annual penetration tests are performed, and system activities, including user actions, are extensively logged. Regular vulnerability scans on external-facing systems and quarterly access reviews ensure the integrity of security measures.
- Incident and Change Management. An incident response plan is regularly tested, and a robust change management process is in place for software and infrastructure modifications. Configuration management procedures ensure consistent deployment across the environment.
Data and Privacy
- Policies and Compliance. A comprehensive privacy policy, accessible to all stakeholders, outlines the handling of personal information. Customer data is securely managed, with deletion upon service termination and adherence to formal data retention and disposal procedures. Privacy-compliant processes are documented, and a data classification policy ensures the security of confidential data.
Annex 3 – International Data Transfers
Data Subject to GDPR
To the extent Relay.app processes Personal Data subject to the GDPR, Customer and Relay.app hereby incorporate Module Two (Transfer Controller to Processor) of the EU Model Clauses by reference, which shall be deemed completed as follows:
- optional Clause 7 shall be deemed incorporated;
- in Clause 9(a), the parties choose Option 2, “General Written Authorisation”, with a time period of ten (10) days;
- in Clause 11, optional wording shall be deemed incorporated;
- in Clause 17, the parties choose Option 1, and agree that EU Model Clauses shall be governed by the law of the EU Member State where the Data Exporter is established;
- in Clause 18, the parties agree that any disputes arising from EU Model Clauses shall be resolved by the courts of the EU Member State where the Data Exporter is established;
- Annexes I.A, I.B and II shall be deemed completed with the information set out in Annex 1 and Annex 2 to this Addendum, the contents of which are hereby agreed by the Parties;
- for the purpose of Annex I.C, the competent supervisory authority shall be the supervisory authority of the EU Member State where the Data Exporter is established.
- If the Data Exporter is not established in the EEA and Personal Data shared under this DPA is subject to the EU Model Clauses by virtue of an onward transfer, the 1) applicable governing law under subsection (d); 2) courts under subsection (e); and 3) competent authority under subsection (g) shall be those of the EU Member State identified in the original EU Model Clauses to which the Data Exporter is subject. Data Exporter shall notify Data Importer of such EU Member State upon request.
Data Subject to UK Data Protection Laws
To the extent Relay.app processes Personal Data subject to the UK Data Protection Laws, Customer and Relay.app hereby incorporate the UK Addendum by reference, which shall be deemed completed as outlined below. For the avoidance of any doubt, where the UK Addendum applies, the parties do not incorporate the EU Model Clauses.
- Table 1 shall be deemed completed with the information set out in Annex 1 of this Addendum, as appropriate, the contents of which are hereby agreed by the parties;
- In Table 2, the parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and Section 3 of the accompanying table shall be deemed to be completed according to the parties’ preferences outlined in Section 1 of this Annex 3.
- Table 3 shall be deemed completed with the information set out in Annex 1 and Annex 2 to this Addendum, the contents of which are hereby agreed by the parties;
- In Table 4, the parties agree that only the Exporter may end the Addendum as set out in Section 19 of the UK Addendum.
Data Subject to Swiss Federal Act on Data Protection
To the extent Relay.app processes Personal Data (also) subject to the Swiss Federal Act on Data Protection (“FADP”), the parties incorporate the following clauses into the applicable EU Model Clauses:
- The term “member state,” as used in the EU Model Clauses, must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
- With regard to Annex I.C of the EU Model Clauses, Swiss Federal Data Protection and Information Commissioner (the “FDPIC”) shall (also) be the competent Supervisory Authority. When transfer is subject to both the FADP and the GDPR/UK Data Protection Laws, parallel supervision should apply (i.e., FDPIC shall be competent insofar as the Personal Data transfer is governed by the FADP; competent EU Supervisory Authority/ICO shall be competent insofar as the Personal Data transfer is governed by the GDPR/UK Data Protection Laws).
- References to the GDPR should be understood as references to the FADP, as applicable.