All legal documents
Legal

Data Processing Addendum

Data processing terms covering Reala's processor commitments, current subprocessors, transfer language, and baseline security measures.

Effective date: April 12, 2026

1. Purpose

This Data Processing Addendum ("DPA") forms part of the agreement between Avestan Ltd., the operator of Reala ("Reala"), and the customer that entered into the applicable services agreement with Reala ("Customer").

This DPA applies when Reala processes Customer Personal Data on behalf of Customer in connection with the Service.

2. Roles

  • Customer acts as the controller, business, or equivalent organization that determines the purposes and means of processing Customer Personal Data.
  • Reala acts as the processor, service provider, or equivalent organization processing Customer Personal Data on Customer's behalf.

3. Subject Matter and Duration

The subject matter of the processing is the provision of the Reala Service, including hosting, support, security, analytics, automation, and AI-assisted workflow features requested by Customer.

The duration of processing is the term of the underlying services agreement plus any limited post-termination retention period described in that agreement or required by law.

4. Nature and Purpose of Processing

Reala may process Customer Personal Data to:

  • host and organize workspace records;
  • store and retrieve files, notes, and prompts;
  • generate summaries, drafts, and workflow suggestions;
  • authenticate users and manage permissions;
  • provide support and troubleshoot issues; and
  • secure, monitor, and maintain the Service.

5. Categories of Data and Data Subjects

Customer determines the categories of Customer Personal Data it chooses to upload. The data may include:

  • business contact information;
  • lead, client, prospect, or referral details;
  • communications content;
  • property and listing context;
  • uploaded documents and attachments; and
  • usage, device, and support data tied to authorized users.

Data subjects may include Customer personnel, leads, clients, prospects, vendors, or other individuals whose information Customer submits to the Service.

6. Reala Obligations

Reala will:

  • process Customer Personal Data only on documented instructions from Customer, unless otherwise required by law;
  • ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
  • implement reasonable technical and organizational measures designed to protect Customer Personal Data;
  • assist Customer, taking into account the nature of processing, with reasonable requests related to data subject rights, security incidents, impact assessments, and regulator inquiries;
  • notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data; and
  • delete or return Customer Personal Data upon termination, subject to limited retention required for legal, security, backup, or compliance reasons.

7. Customer Obligations

Customer is responsible for:

  • providing lawful instructions;
  • establishing a legal basis for processing;
  • providing required notices and obtaining required consents;
  • responding to data subject requests where Customer is the controller or business; and
  • determining whether the Service and security measures are appropriate for the Customer Personal Data submitted.

8. Subprocessors

Customer authorizes Reala to use subprocessors to provide the Service. Reala will maintain a current list of subprocessors at /legal/subprocessors.

If Reala intends to add or replace a subprocessor in a way that materially affects Customer Personal Data processing, Reala will update the published subprocessor list before the change takes effect. Customers with reasonable data protection concerns may contact contact@reala.agency.

9. International Transfers

If Customer Personal Data is transferred across borders, the parties will rely on a lawful transfer mechanism where required, such as:

  • the Standard Contractual Clauses;
  • the UK International Data Transfer Addendum;
  • other approved transfer clauses; or
  • another lawful mechanism recognized by the applicable jurisdiction.

Where EU or UK transfer mechanisms are required, the parties agree that:

  • the EU Standard Contractual Clauses 2021/914 are incorporated by reference using Module Two for controller-to-processor transfers and Module Three for processor-to-processor transfers, as applicable;
  • the optional docking clause applies;
  • the governing law for the SCCs is Ireland unless a mandatory local law requires another permitted EU member state; and
  • the UK International Data Transfer Addendum applies to restricted UK transfers built on those SCCs.

10. Security Measures

Reala will maintain security measures appropriate to the risks presented by the processing, which may include:

  • access controls and role-based permissions;
  • encryption in transit using HTTPS/TLS for the live service;
  • authentication and session controls provided through Clerk for product access;
  • managed database and storage controls through Supabase for hosted data services;
  • hosted infrastructure controls enforced on the live Hetzner environment;
  • secret-managed production environment configuration;
  • backup, recovery, and availability controls provided through Reala's infrastructure and managed vendors; and
  • incident investigation and remediation workflows appropriate to the service.

11. Audits

Reala will make available reasonable information necessary to demonstrate compliance with this DPA and, where required by applicable law, allow reasonable audits or assessments subject to confidentiality, frequency, scope, and cost controls.

Audit requests must be reasonable, limited to once per twelve-month period unless a Security Incident or regulator request justifies more, and may be satisfied through a current security questionnaire, policy packet, subprocessor list, architecture summary, or similar written materials before a more intrusive review is considered.

12. Order of Precedence

If this DPA conflicts with the underlying services agreement with respect to processing of Customer Personal Data, this DPA controls to the extent of that conflict.

13. Annex A - Processing Details

  • Controller / business: the Customer identified in the applicable services agreement.
  • Processor / service provider: Avestan Ltd.
  • Subject matter: delivery of Reala's marketing, onboarding, communication, and product workflows.
  • Duration: the subscription term plus any limited retention period required for lawful business, security, backup, or compliance reasons.
  • Categories of data subjects: Customer personnel, leads, prospects, clients, vendors, and other individuals whose information Customer submits to the Service.
  • Categories of personal data: names, email addresses, phone numbers, brokerage or team details, listing and property context, communications, notes, uploaded files, account data, support records, usage logs, and related metadata.

14. Annex B - Current Subprocessors

Reala's current subprocessors are listed at /legal/subprocessors and currently include Hetzner, Clerk, Supabase, Resend, Calendly, Tally, and Anthropic.

15. Annex C - Contact

Questions about this DPA may be sent to contact@reala.agency.