Data Processing Agreement

This Data Processing Agreement ("DPA") describes how Regris ("Processor") handles data provided by water utilities and municipal entities ("Controller") in connection with the use of the Regris compliance platform at getregris.com. This document is provided for procurement and records purposes.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Regris platform, including utility staff names, titles, and contact information provided during registration or assessment.

"Assessment Data" means Risk and Resilience Assessment responses, Emergency Response Plan responses, compliance scores, gap analysis data, and generated compliance reports submitted through the platform.

"Sensitive Security Information" means RRA and ERP content protected under applicable AWIA data protection requirements.

2. Scope of Processing

Regris processes the following categories of data on behalf of the Controller:

• Utility profile information (name, PWSID, service population, state)
• Staff contact information (names, titles, email addresses)
• Assessment responses across all §1433(a) and §1433(b) categories
• Generated RRA and ERP compliance documents
• Payment transaction records (processed by Stripe — not stored by Regris)

3. Purpose and Legal Basis

Regris processes Controller data solely for the purpose of providing AWIA Section 1433 compliance documentation services. Data is not processed for any other purpose without explicit written consent.

4. Data Security

Regris implements the following technical and organizational measures:

• All data encrypted at rest and in transit using Supabase with TLS 1.2+ encryption
• Access controls limiting data access to authorized personnel only
• Passwords hashed using bcrypt and never stored in plain text
• No sale or transfer of Controller data to third parties
• AI-assisted report generation uses Anthropic Claude API — assessment data is transmitted to Anthropic's API for report generation purposes only. Anthropic does not use API inputs to train its models. Subject to Anthropic's data handling policies at anthropic.com/policies

5. AWIA Data Protection

Controller acknowledges that RRA and ERP content constitutes sensitive security information subject to applicable AWIA data protection requirements. Controller is responsible for maintaining the confidentiality of generated compliance documents in accordance with applicable federal law. Regris stores assessment data in encrypted form and does not disclose RRA or ERP content to any third party except as required by law.

6. Data Retention

Regris retains Controller data for the duration of the active account and for a reasonable period thereafter to support account recovery. Controllers may request deletion of their data by contacting customerservice@getregris.com. Note: AWIA §1433(d) requires utilities to maintain copies of their RRA and ERP for five years after certification. Controllers are responsible for maintaining their own records independently of the Regris platform.

7. Sub-processors

Regris uses the following sub-processors in delivering the service:

• Supabase Inc. — database hosting and encryption
• Anthropic PBC — AI-assisted report generation
• Stripe Inc. — payment processing

8. Data Subject Rights

Controllers may request access to, correction of, or deletion of their data by contacting customerservice@getregris.com. Regris will respond to verified requests within 30 days.

9. Governing Law

This DPA is governed by the laws of the State of Alabama, consistent with the Regris Terms of Service and Privacy Policy.

10. Term

This DPA remains in effect for the duration of the Controller's use of the Regris platform and terminates upon account deletion or written notice by either party.