Data Processing Agreement
This page summarises the Data Processing Agreement ("DPA") terms on which RepRoute processes personal data. For most individual users no separate DPA is required — our Privacy Policy and Terms of Service govern the relationship. Business or enterprise customers whose own clients or employees use RepRoute may request a fully executed DPA through our contact form.
1. Roles of the Parties
- Direct users (B2C): RepRoute acts as the data controller of the personal data you submit when you sign up and use the Service.
- Business customers (future B2B): when a business customer provisions accounts on behalf of its employees or clients, RepRoute acts as a data processor processing those end-users' personal data only on the business customer's documented instructions.
RepRoute is established in Thailand. An EU representative under GDPR Article 27 will be appointed and named here before the Service is actively offered to data subjects in the EU/EEA (appointment pending).
2. Subject Matter and Duration
The subject matter of the processing is the operation of the RepRoute fitness planning service, including account management, plan generation, exercise logging, and customer support. The DPA remains in force for as long as RepRoute processes personal data on the controller's behalf.
3. Categories of Data and Data Subjects
- Categories of data: account identifiers, profile attributes (age, weight, height), sensitive health attributes (injury flags), exercise log entries, AI prompts and outputs, audit metadata.
- Categories of data subjects: registered users of the Service, and (for B2B) the end-users authorised by the business customer.
4. Approved Sub-processors
RepRoute uses the sub-processors listed below. Each is bound by a written data-processing agreement and provides at least the level of data protection required by GDPR and PDPA. We will notify customers of any intended addition or replacement of a sub-processor at least 30 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database + Auth | Singapore (ap-southeast-1) |
| Cloudflare Workers | App hosting + edge runtime | Global edge |
| Cloudflare R2 | Static media storage | Global edge |
| Cloudflare Turnstile | Bot protection | Global edge |
| Resend | Transactional email | US / EU |
| Groq | Text AI inference (primary) | US |
| Cerebras | Text AI inference (fallback) | US |
| Cloudflare Workers AI | Image AI inference — gym, food & program photo scans | Global edge |
| Upstash Redis | Rate limiting | Global |
5. Technical and Organisational Security Measures
- Row-level security (RLS) enabled on every Supabase table, so a query made with an end-user's JWT can only reach rows that user is entitled to.
- JWT-based authentication issued by Supabase Auth; the service-role key, which bypasses RLS, is never exposed to client code.
- Server-side rate limiting through Upstash Redis on all sensitive endpoints.
- Cloudflare Turnstile bot protection on registration and authentication flows.
- Encryption in transit using TLS 1.2 or higher.
- Encryption at rest via Supabase's managed Postgres infrastructure.
- Principle of least privilege for internal access; admin operations require service-role keys held only in server runtime secrets.
- Logging and monitoring for unauthorised access; access logs retained for security investigations.
- Automated backups managed by Supabase with point-in-time recovery.
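As an illustration of the first two measures above (RLS plus a user-scoped JWT), the following is an added example written for this page, not RepRoute's actual schema: the table name `exercise_logs` and its columns are assumed. It ties every row to the authenticated user via Supabase's `auth.uid()`, which returns the `sub` claim of the caller's JWT.

```sql
-- Illustrative table for per-user exercise log entries (assumed name and columns;
-- not RepRoute's real schema).
create table if not exists exercise_logs (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id) on delete cascade,
  logged_at  timestamptz not null default now(),
  exercise   text not null,
  reps       integer not null check (reps > 0)
);

-- Until RLS is enabled, any client holding the public anon key can read every row.
-- Enabling RLS with no policies denies all access, so each permitted action needs a policy.
alter table exercise_logs enable row level security;

-- Apply RLS even to the table owner role, so only the service-role key can bypass it.
alter table exercise_logs force row level security;

-- Read: a user sees only rows whose user_id matches the JWT subject.
create policy "owner can read own logs" on exercise_logs
  for select to authenticated
  using (user_id = auth.uid());

-- Insert: WITH CHECK stops a client from writing a row under another user's id.
create policy "owner can insert own logs" on exercise_logs
  for insert to authenticated
  with check (user_id = auth.uid());

-- Update: USING filters which rows may be targeted, WITH CHECK constrains the new values.
create policy "owner can update own logs" on exercise_logs
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Delete: same ownership test.
create policy "owner can delete own logs" on exercise_logs
  for delete to authenticated
  using (user_id = auth.uid());
```

The policies only hold if the service-role key stays server-side, since that key bypasses RLS entirely; this is why the measure about keeping service-role keys in server runtime secrets matters as much as the RLS policies themselves. A quick check is to query the table with the anon key and a second user's JWT and confirm zero rows are returned.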
6. International Transfers
Where personal data is transferred outside Thailand or the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor, where RepRoute processes data on a business customer's behalf; Module 3, processor-to-processor, for onward transfers to our sub-processors) and on the equivalent cross-border transfer mechanisms required by PDPA. Transfer impact assessments are documented and reviewed annually.
7. Personal Data Breach Notification
Where RepRoute acts as processor for a business customer, we will notify that customer without undue delay after becoming aware of a personal-data breach affecting its data (GDPR Art. 33(2)), so that the customer can meet its own notification deadlines. Where RepRoute acts as controller, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33 / PDPA s.37(4)) and, where the breach is likely to result in a high risk to individuals, notify affected data subjects without undue delay (GDPR Art. 34). The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
8. Assistance with Data-subject Rights
We provide self-service data export and deletion in-app, and we assist controllers in responding to data-subject requests within statutory deadlines. Requests can be escalated through our contact form.
9. Audit Rights
Business customers may audit our compliance with this DPA once per calendar year, on at least 30 days' written notice, during normal business hours, and subject to confidentiality. We may satisfy audit requests by providing third-party audit reports (for example our sub-processors' SOC 2 reports) where these are reasonably sufficient.
10. Term and Termination
The DPA terminates automatically when the underlying services agreement ends. On termination we will, at the controller's choice, return or delete all personal data we hold on their behalf, except where retention is required by law.
11. Liability
Liability under this DPA is subject to the limitations set out in our Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited under applicable data-protection law.
12. Executing a Full DPA
To request a fully executed Data Processing Agreement (including SCCs where applicable) use our contact form and include your legal entity name, jurisdiction, and the categories of data subjects whose data you intend to process via RepRoute.