1. Scope, parties, and roles
This Data Processing Addendum ("DPA") is between the customer identified by the RealLink AI account or order ("Customer" or "Controller") and Warm Binary, operating RealLink AI, 6F L8, 78 Jungdong-ro 254beon-gil, Wonmi-gu, Bucheon-si, Gyeonggi-do, Republic of Korea ("RealLink AI" or "Processor"). It supplements the Terms of Service.
Customer determines the purposes and essential means of processing Customer Content and End User Personal Data. RealLink AI processes that data on Customer's behalf. For RealLink AI account administration, security, billing, and its own legal obligations, each party may act as an independent controller as described in the Privacy Policy.
Terms such as Personal Data, Process, Controller, Processor, Data Subject, and Supervisory Authority have the meanings given by applicable data protection law, including the GDPR where applicable.
2. Documented instructions
Customer instructs RealLink AI to process Personal Data only as necessary to provide, secure, support, troubleshoot, and maintain the Service; produce Customer-requested analytics; prevent abuse; comply with law; and perform the actions configured by Customer. The Terms, Customer's settings and lawful support requests are documented instructions.
RealLink AI will notify Customer if an instruction appears to violate applicable data protection law, unless prohibited by law. Customer will not submit special-category data, government identifiers, payment-card data, medical records, or other highly sensitive data unless a separate written agreement expressly permits it.
3. Processor obligations
- Process Personal Data only on documented instructions, including for international transfers.
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Apply the technical and organizational measures in Annex 2.
- Taking into account the nature of processing, assist Customer with Data Subject requests through available product controls and reasonable support.
- Assist Customer with security, breach notification, DPIAs, and supervisory consultation, considering the nature of processing and information available to RealLink AI.
- Maintain records required of processors and make information necessary to demonstrate compliance available as described below.
4. Subprocessors
Customer gives RealLink AI general written authorization to use the subprocessors listed at reallinkai.com/subprocessors. RealLink AI will impose data-protection obligations substantially equivalent to those in this DPA and remains responsible for their processing to the extent required by law.
RealLink AI will provide at least 30 days' advance notice of a new or replacement subprocessor by email, dashboard notice, or an update notice on the subprocessor page. Customer may object during that period on reasonable data-protection grounds. The parties will work in good faith on a reasonable solution; if none is available, either party may terminate the affected Service before the change takes effect.
5. International transfers
Customer authorizes processing in the locations listed in the Subprocessor Register. Transfers from the EU/EEA to eligible recipients in the Republic of Korea may rely on the European Commission adequacy decision (Implementing Decision (EU) 2022/254). Onward transfers by RealLink AI to Google Cloud, Cloudflare, or another destination are governed by the applicable provider DPA and an adequacy decision, the European Commission Standard Contractual Clauses (Decision 2021/914), or another lawful mechanism as required.
If the Korean adequacy decision does not cover a transfer, the parties will complete and rely on the appropriate SCC module or another valid safeguard before that transfer. RealLink AI will provide reasonable information needed for a transfer assessment and apply supplementary safeguards where appropriate.
6. Requests and incidents
If RealLink AI receives a request from an End User concerning Customer-controlled data, it will direct the requester to Customer unless legally required to respond. RealLink AI will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data and provide available information needed for Customer's legal obligations. Notice is not an admission of fault.
7. Security
RealLink AI maintains measures appropriate to the risk, including transport encryption, access controls, tenant-scoped storage and authorization checks, credential and secret protection, logging, rate limiting and bot protection, backup and recovery controls, deletion workflows, and supplier review. Customer remains responsible for account credentials, lawful configuration, uploaded content, and its own endpoints and devices.
8. Return, deletion, and retention
During the Service term Customer may use available export and deletion controls. At termination or verified account deletion, RealLink AI will delete or return Customer Personal Data in accordance with Customer's choice where technically available, except where law requires limited retention. Backup copies are isolated from ordinary use and expire under backup cycles. Inquiry records expire after 21 days; reservation records expire no later than 30 days after the scheduled reservation ends. Other Service Data is retained while needed to provide the account and is deleted or de-identified under the Privacy Policy and internal retention schedule.
9. Compliance information and audit
On reasonable written request, RealLink AI will provide information necessary to demonstrate compliance, including this DPA, security summaries, subprocessor information, and relevant independent materials then available. If that information is insufficient and applicable law requires an audit, Customer may request an audit no more than once annually, except after a material incident or regulator request. Audits must protect other customers, security, and confidential information; use an independent auditor; avoid unreasonable disruption; and be at Customer's cost unless the audit identifies a material breach by RealLink AI.
If this DPA conflicts with the Terms regarding processing of Customer Personal Data, this DPA controls. Mandatory law and the SCCs control over both. The DPA remains effective while RealLink AI processes Customer Personal Data.
Annex 1: Processing details
| Item | Details |
|---|---|
| Subject and duration | Provision of the Service for the subscription/account term plus deletion and backup cycles. |
| Nature and purpose | Collection, hosting, storage, retrieval, embedding, AI inference, display, organization, analytics, transmission, support, security, export, anonymization, and deletion as configured by Customer. |
| Data subjects | Customer personnel; visitors and End Users of Customer's public AI pages; inquiry and reservation submitters; persons mentioned in Customer Content. |
| Personal Data | Account identifiers; uploaded business content; questions and conversation content; language, timestamps, source/QR metadata, IP/device/security logs; inquiry and reservation fields such as name, contact details, requested date/time, party/seat choice, and free-text requests; consent/version records; derived topic and usage analytics. |
| Special categories | Not intended or permitted absent a separate written agreement and appropriate legal basis. |
| Frequency | Continuous or event-based while the Service is used. |
| Customer rights | As provided by applicable law and the Terms, including configuration, access, correction, export, deletion, and termination instructions. |
Annex 2: Technical and organizational measures
- Access control: authenticated administrative access, tenant and resource authorization, least-privilege service credentials, and restricted production access.
- Transmission and storage: HTTPS/TLS in transit; encryption and platform security controls supplied by Cloudflare and Google Cloud; secrets kept outside public client code.
- Application security: validation, rate limits, Turnstile/bot controls, scoped APIs, private chatbot controls, and abuse monitoring.
- Availability: managed cloud infrastructure, backup/recovery processes, monitoring, and staged deletion where required for reliable recovery.
- Data lifecycle: purpose-specific retention, inquiry and reservation expiry, visitor cancellation anonymization/deletion, account deletion workflow, and restricted legal retention.
- Supplier management: DPA/terms review, public register, change notice, and periodic review of transfer and security terms.
- Incident management: investigation, containment, evidence preservation, risk assessment, notification support, remediation, and post-incident review.
한국어 요약
사업자가 공개 챗봇에 넣은 자료와 고객 질문·문의·예약 정보에 대해서는 사업자가 개인정보처리자(Controller), RealLink AI가 수탁처리자(Processor)가 됩니다. RealLink AI는 서비스 제공, 보안, 통계, 삭제 등 사업자의 지시에 필요한 범위에서만 처리합니다.
문의는 21일, 예약은 예약 종료 후 최대 30일까지 보관됩니다. 현재 핵심 하위처리업체는 Cloudflare와 Google Cloud이며, 결제사 Creem과 Google 로그인·YouTube는 상황에 따라 독립 개인정보처리자로 별도 표시합니다. 영문 원문이 계약상 기준이며 이 요약은 이해를 돕기 위한 것입니다.
Contact
Privacy and DPA requests: [email protected]
Warm Binary, 6F L8, 78 Jungdong-ro 254beon-gil, Wonmi-gu, Bucheon-si, Gyeonggi-do, Republic of Korea.