Legal
Data Processing Agreement
Last updated: July 3, 2026. This page summarises the DPA that governs Reglo's processing of personal data on behalf of its customers under GDPR Art. 28. The signed DPA — including the current subprocessor list and Standard Contractual Clauses where applicable — is available on request.
1. Roles
The customer is the data controller for personal data processed in its Reglo workspace. Reglo is the data processor and acts only on documented instructions from the customer, as reflected in these terms and the Service configuration.
2. Subject matter and duration
Reglo processes personal data for the purpose of providing the Service for the duration of the customer's subscription and any wind-down period required to return or delete data.
3. Nature and purpose of processing
Hosting, storage, transmission, access control, backup, analytics required to operate the Service, and support activities requested by the customer.
4. Categories of data subjects and data
Data subjects include the customer's employees, contractors, end-users and any individuals referenced in cases, complaints, CAPAs, attachments or messages. Categories typically include contact data, employment/role data, and case content that may include special-category data depending on how the customer uses the platform.
5. Security
Reglo maintains appropriate technical and organisational measures, including tenant-isolated storage, role-based access control, encryption in transit and at rest, audit logging, secret management, dependency scanning and access reviews.
6. Subprocessors
The current subprocessor list is available on request. Reglo will notify customers of new subprocessors with a reasonable opportunity to object on legitimate data-protection grounds.
7. International transfers
Application data is hosted in the EU. Where a subprocessor processes data outside the EEA, Reglo relies on the EU Standard Contractual Clauses and appropriate supplementary measures.
8. Data subject requests
Reglo assists the customer, to the extent reasonably possible, in responding to data subject requests. In-app export and deletion tools are provided.
9. Incident notification
Reglo notifies affected customers without undue delay after becoming aware of a personal data breach affecting Customer Data, and provides the information the customer needs to meet its own notification obligations.
10. Audits
Reglo makes available information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the customer or a mandated auditor, subject to reasonable notice and confidentiality.
11. Return and deletion
On termination, Customer Data is deleted or returned within 30 days, unless retention is required by law.
12. Request a countersigned DPA
Email privacy@reglosupport.com with your company details and we will send the full DPA and current subprocessor list.