# Data Processing Agreement Data Processing Agreement for personal data in customer webhook payloads, including roles, sub-processors, transfers, security, and return or deletion. - Effective date: 2026-06-13 - Version: 2026-06-13-v1 - Canonical: https://repost.sh/dpa ## Parties and roles This Data Processing Agreement applies between LSC EUROPA Ltd. and the customer that accepts it for an organization. For personal data contained in customer webhook payloads, the customer acts as controller or processor, and Repost acts as processor or sub-processor. If the customer is a processor, the customer is responsible for ensuring its own controller authorizes Repost as a sub-processor. ## Instructions Repost processes customer payload personal data only on documented instructions in the Terms, this DPA, product configuration, and customer use of the service, unless Union or Member State law requires otherwise. ## Details of processing Subject matter: receiving, storing, indexing, searching, replaying, retrying, transmitting, securing, and deleting webhook payloads and related metadata. Duration: the term of the customer's use of Repost plus deletion, backup, audit, and legal-retention periods. Data subjects and categories: determined by the customer and by the payloads the customer sends to Repost. ## Confidentiality and security Personnel and contractors with access to personal data must be bound by confidentiality obligations. Repost will maintain technical and organizational measures appropriate to the risk, including access controls, TLS in transit, provider encryption at rest where verified, monitoring, backup controls, and incident-response processes. Per-organization envelope encryption is confirmed only for secret-manager secrets. It must not be treated as verified for webhook payloads, event history, request/response logs, or search indexes unless a separate technical review confirms it. ## Sub-processors The customer gives general authorization for Repost to use sub-processors listed on the [Sub-processors page](/subprocessors). Repost will provide a change-notification mechanism and an objection path. Repost remains responsible for sub-processor performance as required by GDPR Article 28. ## International transfers Customer data is processed in the United States and other locations listed on the Sub-processors page. Repost will use verified EU-US Data Privacy Framework participation where available, Standard Contractual Clauses where needed, onward-transfer controls, and a transfer-impact assessment posture. Customers may object to material sub-processor transfer changes and may terminate where required by the DPA or mandatory law. ## Assistance Repost will reasonably assist the customer with data-subject requests, security obligations, personal-data-breach obligations, DPIAs, and consultations with supervisory authorities, taking into account the nature of processing and available information. ## Personal-data breach Repost will notify the customer without undue delay after becoming aware of a personal-data breach affecting customer payload personal data and will provide information reasonably available to Repost. ## Data Act portability and switching Where the EU Data Act applies to Repost as a data-processing service, Repost will support export, portability, switching assistance, egress support, and transition information under Chapter VI, Articles 23-31. Article 28 contractual transparency for international access and transfer safeguards will be addressed where applicable. ## Return and deletion On termination or request, Repost will return or delete customer personal data according to the plan retention windows, export functionality, backup lifecycle, legal obligations, and technical feasibility. Data deleted according to plan retention windows may not be recoverable. ## Audit Repost will make information reasonably necessary to demonstrate compliance available to the customer and allow audits as required by GDPR Article 28, subject to confidentiality, security, scope, and frequency controls.