Legal

Data Processing Agreement

Last updated: July 3, 2026. This page summarises the DPA that governs Reglo's processing of personal data on behalf of its customers under GDPR Art. 28. The signed DPA — including the current subprocessor list and Standard Contractual Clauses where applicable — is available on request.

1. Roles

The customer is the data controller for personal data processed in its Reglo workspace. Reglo is the data processor and acts only on documented instructions from the customer, as reflected in these terms and the Service configuration.

2. Subject matter and duration

Reglo processes personal data for the purpose of providing the Service for the duration of the customer's subscription and any wind-down period required to return or delete data.

3. Nature and purpose of processing

Hosting, storage, transmission, access control, backup, analytics required to operate the Service, and support activities requested by the customer.

4. Categories of data subjects and data

Data subjects include the customer's employees, contractors, end-users and any individuals referenced in cases, complaints, CAPAs, attachments or messages. Categories typically include contact data, employment/role data, and case content that may include special-category data depending on how the customer uses the platform.

5. Security

Reglo maintains appropriate technical and organisational measures, including tenant-isolated storage, role-based access control, encryption in transit and at rest, audit logging, secret management, dependency scanning and access reviews.

6. Subprocessors

The current subprocessor list is available on request. Reglo will notify customers of new subprocessors with a reasonable opportunity to object on legitimate data-protection grounds.

7. International transfers

Application data is hosted in the EU. Where a subprocessor processes data outside the EEA, Reglo relies on the EU Standard Contractual Clauses and appropriate supplementary measures.

8. Data subject requests

Reglo assists the customer, to the extent reasonably possible, in responding to data subject requests. In-app export and deletion tools are provided.

9. Incident notification

Reglo notifies affected customers without undue delay after becoming aware of a personal data breach affecting Customer Data, and provides the information the customer needs to meet its own notification obligations.

10. Audits

Reglo makes available information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the customer or a mandated auditor, subject to reasonable notice and confidentiality.

11. Return and deletion

On termination, Customer Data is deleted or returned within 30 days, unless retention is required by law.

12. Request a countersigned DPA

Email privacy@reglosupport.com with your company details and we will send the full DPA and current subprocessor list.