Data Processing Agreement
Effective Date: December 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service and End-User License Agreement between Memnarch Ltd. ("Relica", "we", "us", or "Processor") and the customer ("you", "Customer", or "Controller") using the Relica Backup service.
This DPA sets out the terms that apply when Personal Data is processed by Relica on behalf of the Customer in connection with the provision of the Relica Backup service. The purpose of this DPA is to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection legislation.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Relica as part of providing the backup service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, and erasure.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Relica to process Personal Data on behalf of the Customer.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Encrypted Backup Data" means Customer data that has been encrypted using zero-knowledge encryption prior to transmission to Relica's infrastructure.
3. Scope and Nature of Processing
3.1 Subject Matter
Relica provides a backup and recovery service that enables Customers to create encrypted backups of their data and store them either locally, on personal cloud accounts, or using the Relica Cloud service.
3.2 Categories of Data
The following categories of data may be processed:
- Account Data: Email address and name provided during registration.
- Billing Data: Payment information processed through our payment processor (Relica does not store payment card details).
- Encrypted Backup Data: Customer files that are encrypted locally before transmission. Relica cannot access, view, or decrypt this data.
- Service Metadata: Technical information such as backup sizes, timestamps, and device identifiers necessary for service operation.
- Support Correspondence: Communications between Customer and Relica support.
3.3 Duration
Processing will continue for the duration of the Customer's subscription and for any retention period required by law or as specified in Relica's Terms of Service.
4. Zero-Knowledge Architecture
Relica's zero-knowledge architecture means:
- All Customer backup data is encrypted locally on the Customer's device before transmission to Relica.
- Encryption uses AES-256 in counter mode, authenticated using Poly1305-AES, as implemented by the open-source restic backup program.
- The encryption key is derived from a password known only to the Customer. Relica does not have access to this password or the encryption key.
- Relica cannot access, view, read, or decrypt the contents of Customer backups, including file names and folder structures.
- Even in the event of unauthorized access to Relica's infrastructure, the encrypted backup data remains protected and unreadable without the Customer's encryption key.
5. Controller Obligations
The Customer, as Controller, shall:
- Ensure that the processing of Personal Data is lawful under applicable data protection laws.
- Ensure that an appropriate legal basis exists for any Personal Data included in backups.
- Safeguard the encryption key/password, as Relica cannot recover data if the key is lost.
- Inform Data Subjects of processing activities as required by applicable law.
- Provide Relica with written instructions for processing where necessary.
6. Processor Obligations
Relica, as Processor, shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Controller in responding to Data Subject requests.
- Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations.
- Delete or return all Personal Data at the end of the service relationship, as directed by the Controller.
- Make available information necessary to demonstrate compliance with this DPA.
7. Security Measures
Relica implements the following technical and organizational measures:
7.1 Encryption
- Zero-knowledge encryption using AES-256 in counter mode with Poly1305-AES authentication.
- All data encrypted on the Customer's device before transmission.
- TLS encryption for all data in transit.
7.2 Infrastructure Security
- Data center providers comply with SOC 2, ISO 27001, PCI-DSS, HIPAA, FERPA, GDPR, and MPA standards.
- Multi-cloud redundancy ensuring data availability and disaster recovery.
- Regular security assessments and monitoring.
7.3 Access Controls
- Role-based access controls for Relica personnel.
- No Relica personnel can access encrypted Customer backup data.
- Account-level authentication and session management.
8. Sub-processors
- The Customer provides general authorization for Relica to engage Sub-processors, subject to the conditions in this section.
- Relica shall maintain a list of current Sub-processors, available upon request.
- Relica shall notify the Customer of any intended changes to Sub-processors.
- Relica shall ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
8.1 Current Sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| Payment Processor | United States | Payment and subscription billing |
| Cloud Infrastructure Providers | Various (US, EU) | Encrypted backup storage for Relica Cloud customers. These providers only receive encrypted data that they cannot decrypt. A current list of specific providers is available upon request. |
| Analytics Provider | European Union | Privacy-focused website analytics (no personal data collected) |
To request a detailed list of current Sub-processors, please contact support@relicabackup.com.
9. International Data Transfers
- Where Personal Data is transferred outside the European Economic Area, United Kingdom, or Switzerland, Relica shall ensure appropriate safeguards are in place.
- Such safeguards may include Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.
- For Encrypted Backup Data, the zero-knowledge architecture provides additional protection as the data remains encrypted and inaccessible even in jurisdictions with different data protection standards.
10. Data Subject Rights
- Relica shall assist the Controller in responding to Data Subject requests regarding access, rectification, erasure, restriction, portability, and objection.
- For Account Data and Service Metadata, Relica can directly fulfill applicable requests.
- For Encrypted Backup Data, only the Customer can access and fulfill such requests, as Relica cannot decrypt the data.
11. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Customer, Relica shall notify the Customer without undue delay after becoming aware of the breach. The notification shall include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects concerned, likely consequences, and measures taken or proposed to address the breach.
12. Audit Rights
Upon reasonable notice and subject to appropriate confidentiality obligations, Relica shall make available to the Controller information necessary to demonstrate compliance with this DPA. The Customer may request documentation of security measures, certifications, or third-party audit reports where available.
13. Term and Termination
This DPA shall remain in effect for the duration of the Customer's use of the Relica service. Upon termination, Relica shall, at the Customer's election, delete or return all Personal Data and delete existing copies, unless applicable law requires storage of the Personal Data. The Customer may export or delete their Encrypted Backup Data at any time using the Relica application or compatible tools such as restic.
14. Liability
Each party's liability under this DPA is subject to the limitations set forth in Relica's Terms of Service. Relica shall not be liable for any unauthorized access to Encrypted Backup Data where such data remains encrypted and protected by the Customer's encryption key.
15. General Provisions
15.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws specified in Relica's Terms of Service, without regard to conflicts of law principles.
15.2 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15.3 Amendments
Relica reserves the right to update this DPA to reflect changes in law or business practices. Material changes will be communicated to Customers via the email address associated with their account.
15.4 Conflict
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
16. Contact Information
For questions or concerns regarding this DPA or data protection matters, please contact:
Memnarch Ltd.
Email: support@relicabackup.com
Website: https://relicabackup.com