This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", the data controller) and Reline AI, Inc. ("Reline", the processor) covering Customer's use of the Reline service.

Customer is the controller of the personal data processed via Reline. Reline is the processor and processes that data only on Customer's documented instructions.

Reline engages the following sub-processors. The current list is mirrored on the privacy page.

• Convex — primary database, file storage, authentication, realtime sync.
• Soniox — real-time speech-to-text.
• OpenAI / Anthropic / DeepSeek — AI model providers via the AI SDK gateway.
• Vercel — hosting for the web application.

We notify Customer at least 30 days before adding a new sub-processor. Customer may object on reasonable grounds; we will work with Customer in good faith to address the objection.

Reline maintains technical and organizational measures appropriate to the risk. See the security page for the live posture matrix.

Reline relies on the EU Standard Contractual Clauses for personal data transfers from the EEA, UK, and Switzerland. The SCCs are incorporated by reference into this DPA.

Reline will notify Customer without undue delay (and within 72 hours) of becoming aware of a personal data breach affecting Customer data, with sufficient information to enable Customer's own regulatory obligations.

To execute this DPA, email legal@reline.so with your organization name and signing authority. We countersign within two business days.