Data Processing Agreement

Fixed-Fee AWIA Documentation Services & Customer Workspace

Last updated: July 2026

This Data Processing Agreement ("DPA") describes how Regris ("Processor") handles data provided by water utilities and municipal entities ("Controller") in connection with the use of the Regris compliance platform at getregris.com. This document is provided for procurement and records purposes.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Regris platform, including utility staff names, titles, and contact information provided during registration or assessment.

"Service Data" means utility-provided RRA and ERP information, structured workspace responses, documentation-coverage status, gap descriptions, service-intake summaries, and customer documents processed through the platform.

"Sensitive Security Information" means RRA and ERP content protected under applicable AWIA data protection requirements.

2. Scope of Processing

Regris processes the following categories of data on behalf of the Controller:

3. Purpose and Legal Basis

Regris processes Controller data solely for the purpose of providing AWIA Section 1433 compliance documentation services. Data is not processed for any other purpose without explicit written consent.

4. Data Security

Regris implements the following technical and organizational measures:

5. AWIA Data Protection

Controller acknowledges that RRA and ERP content constitutes sensitive security information subject to applicable AWIA data protection requirements. Controller is responsible for maintaining the confidentiality of customer documents in accordance with applicable federal law. Regris uses the safeguards described above and discloses service data only as needed to its listed sub-processors or as required by law.

6. Data Retention

Regris retains Controller data for the duration of the active account and for a reasonable period thereafter to support account recovery. Controllers may request deletion of their data by contacting customerservice@getregris.com. Note: AWIA §1433(d) requires utilities to maintain copies of their RRA and ERP for five years after certification. Controllers are responsible for maintaining their own records independently of the Regris platform.

7. Sub-processors

Regris uses the following sub-processors in delivering the service:

8. Data Subject Rights

Controllers may request access to, correction of, or deletion of their data by contacting customerservice@getregris.com. Regris will respond to verified requests within 30 days.

9. Governing Law

This DPA is governed by the laws of the State of Alabama, consistent with the Regris Terms of Service and Privacy Policy.

10. Term

This DPA remains in effect for the duration of the Controller's use of the Regris platform and terminates upon account deletion or written notice by either party.