Data Processing Agreement — REOS as Processor

Last updated: May 2026

This Data Processing Agreement (the “DPA”) forms part of and is incorporated into the underlying agreement(s) between REOS World Ltd, doing business as REOS Global (“REOS”, “Processor”, “we”, “us”) and the counterparty identified therein (“Controller”, “you”, “your”), and governs REOS’s processing of Personal Data on Controller’s documented instructions in connection with REOS’s marketplace collaboration tools, including chat, workflows, and document repositories (the “Services”). To the extent of any conflict between this DPA and the underlying agreement as it concerns the Processing of Personal Data, this DPA will prevail.

1. Definitions

  • Data Protection Laws — all applicable laws relating to Processing of Personal Data, privacy, and data security, including the EU GDPR, UK GDPR and Data Protection Act 2018, Swiss FADP, US state consumer privacy laws (e.g., CCPA/CPRA), and the Israeli Protection of Privacy Law and Data Security Regulations.
  • Personal Data — information relating to an identified or identifiable individual as protected under applicable Data Protection Laws.
  • Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • Controller — the entity that determines the purposes and means of Processing.
  • Processor — an entity that Processes on behalf of a Controller.
  • Subprocessor — any Processor engaged by REOS to assist with Processing on Controller’s behalf.
  • Standard Contractual Clauses (SCCs) — the European Commission’s Decision (EU) 2021/914 modules as applicable to the parties’ roles.
  • UK Addendum — the International Data Transfer Addendum issued by the UK ICO, as amended.

2. Roles; Scope; Instructions

Roles. Controller determines the purposes and means of Processing Personal Data, and REOS acts as Processor solely on Controller’s documented instructions to provide the Services.

Scope and Instructions. REOS will Process Personal Data only (a) to provide and support the Services as described in Annex I and in the underlying agreement; (b) on Controller’s documented instructions; and (c) as required by law, in which case REOS will inform Controller of the legal requirement before Processing, unless prohibited.

Controller Responsibilities. Controller is responsible for the accuracy, quality, and legality of Personal Data and the means by which it was obtained; providing all required notices; obtaining all required consents; honoring applicable opt-outs; and ensuring its instructions comply with Data Protection Laws.

Prohibited Uses; No Sale/Share. REOS will not Sell, Share, or use Personal Data for cross-context behavioral or targeted advertising, nor will REOS combine Personal Data with other data except as necessary to provide the Services, to comply with law, or as expressly authorized by Controller.

3. Confidentiality and Personnel

REOS will ensure its personnel authorized to Process Personal Data are subject to obligations of confidentiality. REOS will provide appropriate training and limit access to Personal Data to personnel with a need to know for the purposes of this DPA.

4. Security

Technical and Organizational Measures. REOS will implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II (Security Measures). REOS may update measures provided they do not materially diminish the overall protection.

Security by Subprocessors. REOS will require each Subprocessor to implement security measures at least as protective as those described in Annex II.

5. Subprocessors

Authorization. Controller provides a general authorization for REOS to engage Subprocessors to support the Services. REOS will maintain a list of current Subprocessors and will provide prior notice of material changes, allowing Controller to object on reasonable grounds related to data protection.

Flow-Down. REOS will enter into written agreements with Subprocessors imposing obligations substantially similar to those in this DPA. REOS remains responsible for Subprocessors’ performance.

Notice and Objection. REOS will notify Controller of new Subprocessors at least thirty (30) days in advance; if Controller reasonably objects, the parties will work in good faith to resolve; if unresolved, Controller may suspend the affected Processing without penalty.

6. Assistance; Data Subject Requests; DPIAs

Data Subject Requests. Taking into account the nature of Processing, REOS will assist Controller by appropriate technical and organizational measures to fulfill Controller’s obligation to respond to requests to exercise data subject rights. REOS will not respond directly to data subjects unless authorized by Controller or required by law.

DPIAs and Consultation. REOS will provide Controller with reasonable cooperation and information to support data protection impact assessments and consultations with supervisory authorities.

Complaints and Inquiries. REOS will promptly (within 48 hours of becoming aware) notify Controller of regulatory or data subject inquiries relating to Processing on Controller’s behalf, unless prohibited by law.

7. Security Incidents

Notification. REOS will notify Controller without undue delay and no less than 72 hours after becoming aware of a Personal Data Breach, and provide timely information to assist Controller in meeting its breach notification obligations.

Mitigation. REOS will promptly take steps to contain, investigate, and mitigate the effects of a Personal Data Breach, and will document responsive actions.

Communications. Controller has discretion to determine breach notifications required by law to regulators, data subjects, or others, unless otherwise explicitly required by applicable law; REOS will support such communications as reasonably requested.

8. Deletion and Return of Data

Termination. Within thirty (30) days following termination or expiration of the Services, REOS will delete or return Personal Data (including copies) at Controller’s choice, except to the extent retention is required by law or stored in back-ups, in which case REOS will isolate and protect it and delete in accordance with standard deletion practices.

Retrieval Window. Controller is responsible for retrieving its data before termination; REOS will provide reasonable assistance during the subscription term to facilitate export, subject to reasonable costs.

9. Demonstration of Compliance; Audits

Documentation. REOS will make available information reasonably necessary to demonstrate compliance with this DPA, which may (at REOS’s discretion) include security summaries and third-party assurance reports (e.g., SOC 2), under confidentiality.

Audit Framework. Where required by law, Controller (or its independent auditor) may audit REOS’s Processing in a manner that is proportionate and minimizes disruption, typically by reviewing current third-party attestations and written responses. Onsite inspections, if legally required, will be subject to reasonable advance notice, scope, and confidentiality.

10. International Transfers

General. REOS may Process Personal Data globally where REOS and its Subprocessors operate, provided that any international transfers comply with Data Protection Laws.

EEA/UK/Swiss Transfers. For Personal Data subject to EU/EEA, UK, or Swiss data protection law transferred to a country without an adequacy decision, the SCCs apply: Module Two (Controller-to-Processor) and, where applicable, Module Three (Processor-to-Processor), with the docking clause; Option 2 for Subprocessor changes; and governing law/forum as required by the SCCs and applicable addenda. The UK Addendum and Swiss modifications apply to UK and Swiss data, respectively.

Alternative Mechanisms. If an alternative lawful transfer mechanism supersedes or supplements the SCCs or is otherwise required, the parties will cooperate in good faith to implement it.

11. Jurisdiction-Specific Terms

EEA Addendum. The parties incorporate jurisdiction-specific terms in Annex III (EU/EEA).

UK Addendum. The parties incorporate the UK Addendum in Annex IV, identifying the ICO as the competent authority.

Swiss Addendum. Annex V incorporates Swiss-specific modifications (including FDPIC as the competent authority and Swiss law references).

US State Laws (Service Provider). Where US state consumer privacy laws apply, REOS will act as a Service Provider/Processor and will not Sell or Share Personal Data or use it for targeted advertising.

Israel Addendum. Annex VI incorporates Israel-specific terms addressing the Protection of Privacy Law and Data Security Regulations.

12. AI-Related Processing

Purpose Limitation. To the extent REOS provides AI-assisted features within the Services for Controller’s Processing context, REOS will Process Personal Data solely to deliver those features and will not use Personal Data to train generalized third-party foundation models.

Safeguards. REOS will implement technical and organizational measures to restrict unintended use or disclosure of Personal Data in AI-assisted workflows.

No Reliance. AI outputs may be incomplete or inaccurate and are not a substitute for human review or professional judgment by Controller; Controller remains responsible for determining how to use AI outputs.

13. Cookies and Tracking

Processor Context. REOS will not place or read cookies or similar tracking technologies on end-user devices for advertising or retargeting purposes when acting solely as Processor. Any cookies necessary to provide the Services (for example, for security, session management, or analytics strictly necessary to operate the Services) will be limited to the Processor role and configuration under Controller’s instructions.

14. Conflict; Changes; Liability

Conflict. If a provision of this DPA conflicts with a term of the underlying agreement as it concerns Processing of Personal Data, this DPA controls to the extent of conflict.

Changes in Law. The parties will negotiate in good faith to update this DPA as reasonably necessary to address changes in Data Protection Laws.

Limitation. Any limitations of liability agreed in the underlying agreement apply to this DPA, except as prohibited by applicable Data Protection Laws.

15. Term and Termination

Term. This DPA remains in effect for the term of the underlying agreement and thereafter as long as REOS Processes Personal Data on Controller’s behalf.

Survival. Sections addressing confidentiality, security, audits, deletion/return, international transfers, and limitations survive termination to the extent required to effectuate obligations herein.


Annex I — Details of Processing

A. Parties: Data Exporter: Controller (as defined in the underlying agreement). Data Importer: REOS.

B. Subject Matter and Duration: Processing Personal Data submitted to or collected via REOS’s marketplace collaboration tools, including chat, workflows, and document repositories, under Controller’s instructions. Duration: for the term of the underlying agreement.

C. Nature and Purpose: Hosting, storage, retrieval, transmission, display, collaboration, messaging, document management, support, security monitoring, and limited analytics necessary to provide and support the Services; AI-assisted features where enabled under Controller’s instructions.

D. Categories of Data Subjects: Controller’s end users; Buyers; Sellers; Supplier personnel; and other individuals whose data are submitted or shared through the Services.

E. Categories of Personal Data: Identification and contact details; account/profile data; licensure information (where relevant); communications content and metadata; repository documents and metadata; device/usage/telemetry data; limited transaction metadata from third-party payment and e-sign providers.

F. Special Categories: Not intended, but may be incidentally included in free-text or uploaded documents; Controller will avoid or minimize sensitive data unless strictly necessary and addressed in documented instructions.

G. Frequency and Transfers: Continuous Processing as necessary to provide the Services; international transfers as described in Section 10.

H. Competent Supervisory Authority: As required by the SCCs and applicable addenda (EU per GDPR; UK: ICO; Switzerland: FDPIC).

Annex II — Security Measures (Summary)

REOS maintains an information security program aligned to industry standards and proportionate to the nature, scope, and risks of Processing, including:

  • Organization of Information Security: Written policies; roles and responsibilities; workforce security awareness and training.
  • Access Controls: Identity and access management; least privilege; authentication and authorization controls; periodic access reviews.
  • Physical and Environmental Security: Data center controls (via hosting providers with independent attestations); secure office facilities.
  • Encryption: Encryption in transit using TLS; encryption at rest for stored data where feasible.
  • Network and Application Security: Network segmentation; firewalls; vulnerability management; secure development practices; third-party penetration testing.
  • Logging and Monitoring: Security event logging; intrusion detection/prevention; anomaly detection; anti-malware where applicable.
  • Business Continuity and Disaster Recovery: Backup and restoration processes; redundancy and resilience.
  • Incident Response: Documented incident response plan; breach escalation, investigation, and remediation processes; cooperation with Controller.
  • Vendor and Subprocessor Management: Risk-based due diligence; written contracts; monitoring of key vendors; change notifications.
  • Assurance and Testing: Periodic third-party audits/attestations (e.g., SOC 2) and penetration testing with summaries available under confidentiality.

Annex III — EU/EEA Addendum

SCCs. The SCCs are incorporated for cross-border transfers from the EEA: Module Two (Controller-to-Processor) and, where applicable, Module Three (Processor-to-Processor); docking clause enabled; Subprocessor changes under Option 2; Annexes completed by Annex I and Annex II of this DPA.

Governing Law and Forum (SCCs). As required by the SCCs; where selection is needed, apply an EU Member State law and forum consistent with the SCCs.

Supervisory Authority. Determined in accordance with GDPR and the SCCs.

Annex IV — UK Addendum

The UK Addendum modifies the SCCs for transfers from the UK; Tables completed by reference to Annex I/II; the ICO is the competent authority; governing law/forum per UK Addendum.

Annex V — Swiss Addendum

References to EU law in the SCCs are read as references to Swiss law; the FDPIC is the competent authority; Swiss courts are the competent forum as applicable.

Annex VI — Israel Addendum

For Processing subject to Israeli law, REOS will implement measures aligned with the Data Security Regulations; cooperate with Controller regarding database obligations, breach assessment/notifications, and other duties that may arise; and ensure international transfers comply with applicable Israeli requirements.

Annex VII — Subprocessors

REOS maintains an online list of Subprocessors used to support the Services, including functions and locations. See the subprocessor list in our Privacy Policy for the current list. Controller may subscribe to change notifications; changes will be notified at least thirty (30) days in advance.


This DPA reflects the lawyer-approved text (DPA - Reos as processor.docx). Hebrew translation pending counsel.