Data Processing Agreement

Last updated: April 1, 2026

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Replit Commercial Agreement (the "Agreement") between Replit, Inc. ("Company") and the entity identified as Customer in the Agreement ("Customer") and reflects the Parties' agreement with respect to the Processing of Personal Data by Company on behalf of Customer. This DPA shall control with respect to the Parties' rights and obligations regarding the Processing of Customer Personal Data. The DPA will take effect on the effective date of the Agreement.

1. Definitions

"Data Subject", "Personal Data", "Processing", "Processor", and "Supervisory Authority" have the meaning given to them in applicable Data Protection Law;

"Controller" means the party that determines the purpose and means for Processing Personal Data;

"Customer Personal Data" means any Customer Data that constitutes Personal Data and which is Processed by Company to provide the Services;

"Data Protection Law" means all laws and regulations applicable to Company's Processing of Customer Personal Data under the Agreement, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations ("CCPA"), the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), and the United Kingdom Data Protection Act 2018, as such laws may be amended from time to time. For the avoidance of doubt, a law applies only to the extent it is applicable to Company's role in Processing Customer Personal Data under the Agreement;

"Data Subject Rights" means Data Subjects' rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;

"International Data Transfer" means any transfer of Customer Personal Data to a third country that requires appropriate safeguards under applicable Data Protection Law;

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data;

"Services" means the services provided by Company to Customer under the Agreement;

"Subprocessor" means a Processor engaged by Company that Processes Customer Personal Data for or on behalf of Company; and

"Standard Contractual Clauses" means, as applicable: (a) the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council; (b) the UK Addendum to the EEA SCCs adopted pursuant to or permitted under Article 46 of the UK GDPR; and/or (c) the UK International Data Transfer Agreement (IDTA) adopted pursuant to or permitted under Article 46 of the UK GDPR.

2. Processing of Personal Data

This DPA applies to Processing of Customer Personal Data by Company to provide the Services as described in this DPA, the Agreement, and any applicable statement of work. The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 1.

In the Standard Contractual Clauses, Module 2 (Controller to Processor) will apply where Customer is a Controller of Personal Data and Company is a Processor of Personal Data. Module 3 (Processor to Processor) will apply where Customer is a Processor and Company is engaged as a Subprocessor. To the extent Customer acts as a Controller, Customer appoints Company as a Processor with respect to the Personal Data provided by Customer to Company to perform the Services on Customer's behalf. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers or Processors, as applicable.

As required by applicable law, Company will inform Customer if Company believes it is subject to a legal obligation that would require Company to Process Customer Personal Data in contravention of Customer's documented instructions.

Company will not sell Customer Personal Data, nor use or disclose Customer Personal Data for any purpose other than for the specific purposes set forth in the Agreement and this DPA. For purposes of this paragraph, "sell" shall have the meaning as defined by applicable Data Protection Law.

3. Data Subject Request

If Company receives a Data Subject request relating to Customer Personal Data, Company will promptly notify Customer. Company will not respond to such a Data Subject request itself except as required by applicable law or to redirect the Data Subject to Customer. Where the Customer cannot respond to the request itself, and upon Customer's request, Company will provide reasonable assistance to enable Customer to respond to the request.

4. Security and Personal Data Breaches

Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.

Company will comply with the security obligations set forth in applicable Data Protection Law. Company will further implement commercially reasonable technical and organizational security measures. The measures implemented will include, without limitation, those listed in Appendix 2. Company may update or modify such security measures from time to time, provided that such updates do not materially reduce the overall security of the Services.

Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. Upon becoming aware of a Personal Data Breach, Company will investigate the Personal Data Breach and take measures Company deems necessary and reasonable to respond to the Personal Data Breach. Company will provide Customer with timely information reasonably available to Company regarding the Personal Data Breach, including, where known, the categories of Personal Data and Data Subjects impacted.

5. Subprocessing

Customer hereby grants Company a general authorization to engage Subprocessors. A list of Company's current Subprocessors is available at https://repl.it/site/subprocessors.

Company will enter into a written agreement with each Subprocessor that imposes data protection obligations on the Subprocessor that are no less protective of Customer Personal Data than those set forth in this DPA. Customer may object to a change of Subprocessor on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of the objection following Company's change to the Subprocessors. Customer and Company will discuss the objection in good faith with the objective of achieving a commercially reasonable resolution. If the parties are unable to reach a resolution, Customer may terminate the affected portion of the Services upon written notice, which will be Customer's sole and exclusive remedy with respect to the objection.

6. Audit and Compliance

Upon written request, no more than once every twelve (12) months, and subject to the confidentiality agreements in the Agreement, Company will make available to Customer information necessary to demonstrate compliance with the obligations of this DPA. This may include information pertaining to any applicable certifications (e.g. SOC 2) and other information reasonably necessary to demonstrate compliance with this DPA. Company may satisfy this obligation by providing summaries of the results and/or reports, at its sole discretion.

7. International Data Transfers

This Section 7 on "International Data Transfers" applies only to the extent that International Data Transfers of Customer Personal Data require appropriate safeguards under applicable Data Protection Law (for example, transfers subject to the GDPR).

Customer hereby authorizes Company to perform International Data Transfers to any country deemed adequate by the EU Commission or other competent authority under applicable Data Protection Law; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in this Section 7.

Customer and Company conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the "data exporter" is Customer; the "data importer" is Company; Module 2 (Controller to Processor) shall apply where Customer is a Controller and Company is a Processor; Module 3 (Processor to Processor) shall apply where Customer is a Processor and Company is engaged as a Subprocessor; in Clause 7 of the Standard Contractual Clauses, the optional docking clause will not apply; in Clause 9 of the Standard Contractual Clauses, Option 2 (general written authorization) will apply; in Clause 11 of the Standard Contractual Clauses, the option will not apply; and Annex I and Annex II to the Standard Contractual Clauses are provided at Appendix 1 and Appendix 2 to this DPA, respectively.

All authorizations of International Data Transfers in this Section 7 are expressly conditioned upon Company's ongoing compliance with the requirements of Data Protection Law applicable to International Data Transfers, and any applicable legal instrument for International Data Transfers. If such compliance is affected by circumstances outside of Company's control, including circumstances affecting the validity of an applicable legal instrument, Company and Customer will work together in good faith to reasonably resolve such non-compliance.

8. Limitation of Liability

Each party's liability arising out of or relating to this DPA (including the Standard Contractual Clauses, if applicable) shall be subject to the limitations and exclusions of liability set forth in the Agreement. For the avoidance of doubt, any reference in such provisions to the liability of a party shall include liability arising under this DPA.

9. Notifications

All notices made under this DPA shall be made to Customer at the contact information provided in the Agreement.

10. Termination and return or deletion

This DPA will terminate automatically upon termination or expiration of the Agreement. Customer may request return or deletion of Customer Personal Data up to ninety (90) days after termination of the Agreement. Notwithstanding the foregoing, Company may retain Customer Personal Data where required by applicable law.

Appendix 1

A. List of Parties

The Agreement contains information on the parties and below is a description of the data exporter and the data importer.

1. Data Exporter

Name: Customer and its authorized affiliates

Address: Customer's address is set out in the Agreement or will be disclosed upon request.

Contact: Customer's contact details are set out in the Agreement or will be disclosed upon request.

Activities: Performance of the Services as set out in the Agreement.

Role: Controller / Processor

2. Data Importer

Name: Replit, Inc.

Address: 1001 E Hillsdale Blvd, Foster City, CA 94404, USA

Contact Person: AGC Product and Privacy, [email protected]

Activities: Performance of the Services as set out in the Agreement.

Role: Processor

B. Description of the Processing

1. Data Subjects

The Customer Personal Data Processed concern the following categories of Data Subjects:

  • Prospects, clients, customers, users, business partners, and vendors
  • Employees, contractors, agents, advisors, and other third parties
  • Any other party whose Personal Data is submitted to the Services by or on behalf of Customer

2. Categories of Customer Personal Data

The Customer Personal Data Processed is determined and controlled by the data exporter at its sole discretion. The information may include, but is not limited to, full name, contact information (e.g. email, phone, address), unique identifier, and other Personal Data.

3. Sensitive data (if applicable)

The special categories of Personal Data Processed are determined and controlled by the data exporter at its sole discretion.

4. Frequency of Transfers

The frequency of transfer is continuous throughout the duration of the Agreement and may also be determined and controlled by the data exporter at its sole discretion.

5. Processing Purpose

The Customer Personal Data will be subject to the following basic Processing activities: Company will Process the Customer Personal Data for purposes of providing Services pursuant to the Agreement and this DPA.

6. Subprocessors

Subprocessors may be used to provide the Services.

Appendix 2

Security Measures

Company will implement and maintain administrative, technical, physical, and organizational security measures to safeguard Personal Data. This Appendix describes examples of the safeguards in place to protect Personal Data and does not constitute a representation that every listed control applies to every component of the Services.

a. Information Security Policies and Standards. Company will maintain information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be updated from time to time to reflect changes made to the information systems that use or store Personal Data.

b. Physical Security. Company will maintain commercially reasonable security systems at all Company sites at which an information system that uses or stores Personal Data is located ("Processing Locations"), including measures to restrict access to authorized individuals and to detect, prevent, and respond to physical security threats.

c. Incident Response. Company will maintain information security policies and procedures for responding to security incidents. Company will maintain a channel through which security incidents may be reported, triaged, and responded to in accordance with its policies.

d. Network Security. Company maintains commercially reasonable information security policies and procedures addressing network security, including measures designed to protect against unauthorized access, alteration, disclosure, or destruction of Customer Personal Data.

e. Access Control. Company implements measures to restrict access to data to authorized Company staff who need access to perform their job responsibilities. The Company reviews user access rights periodically and has a process in place to deprovision access as part of its offboarding measures.

f. Virus and Malware Controls. Company takes commercially reasonable measures to protect Personal Data from malicious code, including installing and maintaining anti-virus and malware protection software where appropriate.

g. Personnel. Company maintains a security awareness program to train employees about their security obligations. Personnel with access to Customer Personal Data receive appropriate security training upon hire and periodically thereafter. In addition, Company personnel follow established security policies and procedures. Failure to comply with security policies and procedures may, where appropriate, result in disciplinary action, which may include termination.

h. Subcontractor security. Company shall only select and contract with subcontractors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in the DPA and this Appendix.

i. Business Continuity. Company implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Company also adjusts its Information Security Program in light of new laws and circumstances, including as Company's business and Processing change.