1. Parties & scope
This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement between you ("Customer", the data controller) and Reline AI, Inc. ("Reline", the processor) governing Customer's use of the Reline service (the "Agreement"). It records the parties' obligations under Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the Swiss FADP (together, "Data Protection Law") with respect to Customer Personal Data that Reline processes on Customer's behalf.
Where there is a conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA prevails. This DPA takes effect on the date the Agreement is entered into, or, if executed separately, on its signature date, and remains in force for as long as Reline processes Customer Personal Data.
2. Definitions
Capitalized terms not defined here have the meaning given in Data Protection Law. "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" each have the meaning given in the GDPR.
"Customer Personal Data" means Personal Data contained within Customer's workspace content and account that Reline processes solely on Customer's behalf as a Processor. "Sub-processor" means any third party engaged by Reline to process Customer Personal Data. "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.
3. Roles & instructions
Customer is the Controller of Customer Personal Data and Reline is the Processor. Each party complies with its respective obligations under Data Protection Law.
Reline processes Customer Personal Data only on Customer's documented instructions — including with regard to international transfers — unless required to do otherwise by applicable law, in which case Reline informs Customer of that legal requirement before processing (unless the law prohibits such information on important grounds of public interest). The Agreement, this DPA, Customer's configuration of the service, and Customer's use of the service constitute Customer's complete and documented instructions. Reline will inform Customer if, in its opinion, an instruction infringes Data Protection Law.
4. Details of processing (Annex I)
Subject matter & duration. Processing of Customer Personal Data as necessary to provide the Reline service under the Agreement, for the duration of the Agreement plus the deletion period in Section 11.
Nature & purpose. Recording and transcribing audio, generating AI summaries and answers, storing and syncing notes, enabling search, sharing and collaboration, and the related hosting, security, and support activities that operate the service.
Types of Personal Data. Account identifiers (name, email, profile image, SSO identifiers); workspace content authored or uploaded by users (notes, audio recordings, transcripts, summaries, chat threads, uploaded files); calendar metadata and derived contact/company records where Customer connects a calendar; and operational/usage metadata. Customer controls the content it submits and may include other categories at its discretion.
Special categories. Reline does not require special-category data. Because Customer controls recording and content, such data may incidentally be present; Customer is responsible for ensuring an appropriate legal basis and any additional safeguards for such data.
Categories of Data Subjects. Customer's authorized users, and individuals whose Personal Data appears in Customer's content (e.g. meeting participants, contacts, and people referenced in notes).
5. Confidentiality
Reline ensures that persons authorized to process Customer Personal Data are bound by an appropriate obligation of confidentiality (whether contractual or statutory) and process the data only as instructed. Access is limited to personnel who require it to operate or support the service.
6. Security measures (Annex II)
Reline implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These include: encryption of Customer Personal Data in transit (TLS 1.2+) and at rest; a private-by-default permission model with role-based access control and per-resource grants; short-lived, scoped credentials for third-party processors; signed, replay-protected webhooks; an append-only audit log of security-relevant actions; least-privilege administrative access; and a software development lifecycle with code review and automated checks.
See the security page for the live posture matrix. Reline may update its measures over time provided the level of protection is not materially reduced.
7. Sub-processors
Customer provides general authorization for Reline to engage Sub-processors to process Customer Personal Data. Reline imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for each Sub-processor's performance. The current Sub-processors are:
- Convex (USA) — primary database, file storage, authentication, and realtime sync.
- Cloudflare R2 (USA) — object storage for audio recordings and uploaded files.
- Soniox (USA) — real-time speech-to-text transcription of audio streamed during a recording.
- OpenAI, Anthropic, and DeepSeek — large language model providers for summaries and chat answers, accessed via the AI SDK gateway, processing content only to return the requested result.
- Vercel (USA) — hosting for the web application.
- WorkOS (USA) — enterprise SSO and directory authentication, where Customer enables it.
- Lemon Squeezy (USA, a Stripe company) — merchant of record and payment processing for billing.
- Resend (USA) — transactional email delivery.
- PostHog (USA/EU) — first-party product analytics, where enabled and consented.
Reline notifies Customer at least 30 days before adding or replacing a Sub-processor (Customer may subscribe to updates by emailing legal@reline.so). Customer may object on reasonable data-protection grounds within that period; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected service.
8. Data subject requests
Taking into account the nature of the processing, Reline assists Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection). Customer can action most such requests directly in the product (including self-serve data export and account deletion); where Reline receives a request directed to Customer's data, it promptly forwards it to Customer and does not respond directly except on Customer's instruction or as legally required.
9. Security, breach & DPIA assistance
Taking into account the nature of processing and the information available to it, Reline assists Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including security of processing, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities.
Reline notifies Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides sufficient information to enable Customer to meet its own notification obligations to Supervisory Authorities and Data Subjects.
10. Return & deletion of data
At Customer's choice, Reline deletes or returns all Customer Personal Data after the end of the provision of the service, and deletes existing copies, unless storage is required by applicable law. Customer may export its data at any time during the term in a machine-readable format. On termination, Customer content is deleted in accordance with Reline's retention practices (deleted content is purged from trash after 30 days; backups expire on their ordinary cycle), and on written request Reline will confirm deletion.
11. Audits & information
Reline makes available to Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To satisfy this obligation, Reline may make available third-party certifications, audit reports, and security documentation; on-site inspections are limited to once per year (absent a Personal Data Breach or Supervisory Authority requirement), on reasonable notice, during business hours, and subject to confidentiality.
12. International transfers
Reline and its Sub-processors are primarily located in the United States. For transfers of Customer Personal Data from the EEA, UK, or Switzerland, Reline relies on the EU Standard Contractual Clauses (Module Two, controller-to-processor), the UK International Data Transfer Addendum, and the Swiss adaptations as applicable, which are incorporated into this DPA by reference, together with supplementary measures where required. Where a Sub-processor is certified under the EU-U.S. Data Privacy Framework, that mechanism may also apply.
13. How to execute
This DPA is offered as a pre-signed agreement on Reline's behalf and takes effect for Customer on acceptance of the Agreement. If your organization requires a countersigned copy or a negotiated version, email legal@reline.so with your organization name and signing authority. We countersign within two business days. Reline's registered postal address is available on request.
Questions? Email legal@reline.so.