Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements the provisions of the Terms of Use (“Terms”), updated periodically between you (together with your subsidiary(ies) and affiliated entities, collectively “Customer”) and Apresly (together with its subsidiary(ies) and affiliated entities, collectively “Apresly”) (hereinafter referred to collectively as “Parties” and each individually as “Party”), where GDPR applies to Customer’s use of Apresly Services for processing Customer Data. If GDPR does not apply to Customer, Personal Data provided by Customer is processed and protected in a manner analogous to that described in this DPA.
This DPA becomes effective on the date Customer accepts the Terms of Use. In the event of a conflict between this DPA and the Terms of Use, the applicable provisions of this DPA shall prevail.
1. Definitions
1.1. “Account Data” means information about Customer that Customer provides to Apresly in connection with creating or managing accounts in Apresly, such as name, username, and email address of Authorized Users or Customer’s billing contact information. Customer is responsible for the accuracy and compliance of all Account Data throughout the term of the Terms of Use.
1.2. “Authorized User” means an individual employee, agent, or contractor of Customer who has been granted subscriptions to the Services in accordance with the Terms of Use.
1.3. “Customer Credentials” means passwords, access keys, or other authentication data used by Customer when using the Services.
1.4. “Customer Data” means any Personal Data that Apresly processes on behalf of Customer as a Data Processor in connection with providing its Services.
1.5. “Data Controller” means the entity that determines the purposes and means of Processing Personal Data.
1.6. “Data Processor” means an entity that processes Personal Data on behalf of the Data Controller.
1.7. “Data Protection Law” means all laws and regulations relating to data protection and privacy applicable in the EU, EEA, and their member states as applied to the Processing of Personal Data.
1.8. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.9. “EEA” means the European Economic Area, the United Kingdom, and Switzerland.
1.10. “EU” means the European Union.
1.11. “GDPR” means (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and (b) the UK Data Protection Act.
1.12. “Personal Data” means any information relating to an identified or identifiable natural person as defined in GDPR.
1.13. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process”, “Processes”, and “Processed” shall be interpreted accordingly.
1.14. “SCCs” means the standard contractual clauses approved by the European Commission.
1.15. “Services” means any product or service provided by Apresly in accordance with Apresly’s Terms of Use.
1.16. “Sub-Processor” means any external Data Processor engaged by Apresly.
2. Scope and Roles
2.1. Apresly has developed this DPA based on Customer’s assumption that Customer Data may contain Personal Data originating from the EU/EEA and/or otherwise subject to GDPR. Accordingly, this DPA supplements the Terms of Use and applies exclusively to the Processing of Customer Data by Apresly in connection with providing Services to Customer under the Terms of Use.
2.2. Apresly undertakes to comply with the following provisions regarding any Personal Data processed on behalf of Customer in connection with providing the Services.
2.3. The Parties agree that with respect to the Processing of Personal Data, Customer acts as Data Controller and Apresly acts as Data Processor, acting on behalf of Customer, as described in Annex 1 (“Data Processing Details”) to this DPA. Each Party undertakes to comply with its obligations under EU data protection law.
3. Processing of Personal Data by Customer
3.1. Customer is responsible for controlling Personal Data and must fulfill its obligations as Data Controller under data protection law, particularly regarding the justification for any transfer of Customer Data to Apresly and its decisions and actions regarding the Processing and use of Personal Data.
3.2. Customer confirms that it has provided all necessary information and obtained all required consents and authorizations under data protection law to enable Apresly to process Customer Data and provide the Services.
4. Processing of Customer Data by Apresly
4.1. By accepting the application of this DPA, Customer instructs Apresly to Process Customer Data for the purpose of providing the Services in accordance with the characteristics and functionality of the Services.
4.2. In connection with Apresly’s provision of Services to Customer, Apresly processes certain categories and types of Customer Data solely for the purposes described in this DPA and solely in accordance with Customer’s documented lawful instructions, including regarding transfers of Customer Data to third countries or international organizations, unless required to do so by EU law or Member State law to which Apresly is subject. In such case, Apresly shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.3. The Parties agree that this DPA constitutes Customer’s complete and final instructions to Apresly regarding the Processing of Customer Data. Processing outside the scope of these instructions requires prior written agreement between Customer and Apresly. Notwithstanding the above, Apresly shall promptly inform Customer if it determines that Customer’s instructions may violate applicable EU data protection law.
5. Customer Obligations and Restrictions
5.1. Without limiting its obligations under the Terms of Use, Customer is solely responsible for: (a) Account Data, Customer Data, and Customer Credentials (including actions taken using Customer Credentials), subject to Apresly’s Data Processing obligations under the Terms of Use and this DPA; (b) providing all notices required by EU data protection law to individuals whose Personal Data may be contained in Account Data, Customer Data, or Customer Credentials, and obtaining all consents and authorizations required by EU data protection law from them; and (c) ensuring that no Personal Data concerning criminal convictions and offenses (Article 10 GDPR) is transferred for Processing by the Services.
6. Security
6.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Apresly implements appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including measures set out in Annex 2 “Security Measures”) in relation to Customer Data. In assessing the appropriate level of security, Apresly takes into account the risks presented by Processing Customer Data, particularly risks related to Customer Data Breach (as defined in Section 10). Apresly may periodically make changes to Security Measures that it deems necessary or appropriate, including to maintain compliance with applicable law, but no such changes will reduce the overall level of protection for Customer Data. Apresly takes appropriate steps to ensure compliance with Security Measures by its employees, contractors, and Sub-Processors within the scope applicable to their area of operation, including ensuring that all persons authorized to Process Customer Data have committed to maintain appropriate confidentiality.
6.2. The Parties shall take steps to ensure that any individual acting under the authority of Customer or Apresly and having access to Personal Data processes it only on Customer’s instructions, unless required to do so by EU law or Member State law.
6.3. Customer is responsible for reviewing information made available by Apresly regarding data security and undertakes to conduct an independent assessment to determine whether the Services meet its requirements and legal obligations under data protection law. Customer acknowledges that Apresly may periodically update or modify Apresly’s security standards, provided that such updates and modifications do not reduce the overall security of the Services purchased by Customer.
6.4. Customer assumes responsibility for secure use of the Services, including securing Customer Credentials, protecting the security of Customer Data during transmission to and from Apresly, and taking all appropriate steps to securely encrypt or back up Customer Data transmitted to Apresly.
7. Sub-Processors
7.1. Customer acknowledges and consents to Apresly engaging external Sub-Processors in connection with providing the Services and hereby consents to Apresly’s use of Sub-Processors. As a condition for enabling external Sub-Processors to Process Customer Data, Apresly shall enter into a written agreement with the Sub-Processor containing data protection obligations that provide a level of protection no less than described in this DPA regarding Customer Data. Apresly shall limit its Sub-Processors’ access to what is necessary to provide the Services or deliver Services to Customers. Subject to this Section 7, Apresly reserves the right to engage and replace Sub-Processors as it deems appropriate, provided that: (a) Apresly remains responsible to Customer for providing the Services and (b) is liable for the acts and omissions of its Sub-Processors undertaken in connection with Apresly’s performance of this DPA to the same extent as Apresly would be liable if providing the Services directly.
7.2. Upon Customer’s request sent by email, Apresly shall provide Customer with a current list of external Sub-Processors describing the nature of services they provide. The current list of Sub-Processors is available to Customer in Annex 3 to this DPA. Customer may object to any new Sub-Processor on reasonable legal grounds (“Objection Notice”) related to the protection of Customer Data, in which case Apresly has the right to satisfy the objection through one of the following:
(a) Apresly will cancel its plans to use the Sub-Processor regarding Customer Data or offer an alternative to provide the Services without that Sub-Processor;
(b) Apresly will take corrective steps requested by Customer in its Objection Notice (which removes Customer’s objection) and proceed to use the Sub-Processor regarding Customer Data; or
(c) Apresly may cease providing or Customer may agree to temporarily or permanently not use the particular aspect of the Services that would involve using that Sub-Processor regarding Personal Data, subject to mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope.
7.3. All Objection Notices in accordance with Section 7.2 must be sent to Apresly at [email protected]. If none of the options listed in subsections (a), (b), or (c) of Section 7.2 are available, and Customer’s objection is not resolved satisfactorily to both parties within 30 days of Apresly’s receipt of the Objection Notice, either party may terminate the relevant Services, and Apresly shall refund Customer a proportional amount of any unused amounts prepaid by Customer. The refund will be calculated proportionally to the Services provided until Customer notified Apresly of termination of use of the Services. Apresly provides no refunds if the Objection Notice does not specify reasonable legal grounds.
8. Data Subject Rights
8.1. If Apresly receives a request from a Data Subject regarding Customer Data, then, to the extent permitted by law, Apresly shall inform the Data Subject to redirect their request to Customer, and Customer shall be responsible for responding to any such request, including, where necessary, by using the functionality of the Services. Customer hereby consents to Apresly confirming to the Data Subject that their requests concern Customer. To the extent that Customer is unable to respond to a specific Data Subject request through using the Services, Apresly, upon Customer’s request and taking into account the nature of the Customer Data being processed, shall provide reasonable assistance in responding to the Data Subject request (provided that Apresly is legally authorized to do so and that the Data Subject request was made in accordance with EU data protection law). To the extent permitted by applicable law, Customer is responsible for covering any costs arising from such assistance provided by Apresly.
9. Data Deletion Upon Termination
9.1. Upon termination of the Terms of Use and/or this Data Processing Agreement, which may occur through deletion of the Apresly account or by contacting Apresly for this purpose, Apresly shall initiate the process of deleting Customer Data in its possession or under its control. This requirement does not apply to the extent that Apresly is required by applicable law to retain some or all Customer Data or Customer Data archived in backup systems, which Apresly will securely isolate and protect from further processing, except to the extent required by applicable law. More information about Apresly’s data retention practices can be found in Apresly’s Privacy Policy.
10. Customer Data Breach Management
10.1. Apresly shall notify Customer without undue delay after Apresly becomes aware of a Personal Data Breach regarding Customer Data transmitted, stored, or otherwise Processed by Apresly or its Sub-Processors (“Customer Data Breach”). Such notification may be delivered (1) by posting a notification in the Services; (2) by sending an email to the email address on which the Authorized User’s account was created; and/or (3) in accordance with the notification provisions contained in the Terms of Use. Customer is responsible for the accuracy and compliance of all contact information throughout the term of this DPA. Apresly shall immediately take all actions related to its Security Measures (and Sub-Processors’ Security Measures) that it deems necessary and appropriate to identify and remedy the cause of the Customer Data Breach. Additionally, Apresly shall immediately provide Customer with: (i) reasonable cooperation and assistance regarding the Customer Data Breach, (ii) reasonable information in Apresly’s possession regarding the Customer Data Breach to the extent it concerns Customer, including remedial actions and any supervisory authority notifications, and (iii) to the extent known: (a) possible cause of the Customer Data Breach; (b) categories of Customer Data affected; and (c) possible consequences for Data Subjects. Apresly’s notification of a Customer Data Breach or response thereto in accordance with this section shall not constitute an admission of fault or liability regarding the Customer Data Breach, and the obligations contained herein do not apply to Personal Data Breaches caused by Customer, Authorized Users, or Customer’s component providers (such as systems, platforms, services, software, devices, etc.). 
If Customer chooses to notify a Supervisory Authority, Data Subjects, or the public about a Customer Data Breach, Customer shall provide Apresly with advance copies of proposed notifications and, in accordance with applicable law (including any mandatory deadlines under EU data protection law), allow Apresly to provide any explanations or corrections to such notifications. In accordance with applicable law, Apresly shall not refer to Customer in any public records, notifications, or press releases related to the Customer Data Breach without Customer’s prior consent.
11. Compliance and Impact Assessment
11.1. Apresly shall provide written responses with confidentiality protections to all reasonable requests from Customer for information to confirm Apresly’s compliance with this DPA.
11.2. Apresly shall enable Customer to conduct an audit of Apresly’s procedures relevant to the protection of Customer Data to verify Apresly’s compliance with obligations under this DPA and shall participate in such audit. The audit may be conducted directly by Customer or through an external auditor subject to written confidentiality obligations.
11.3. Apresly shall provide Customer with reasonable cooperation and assistance necessary to fulfill Customer’s obligations under EU data protection law, to the extent possible and with available resources, including:
(a) Conducting data protection impact assessments related to Customer’s use of the Services, to the extent that Customer does not have other access to relevant information and to the extent that such information is available to Apresly.
(b) Providing Customer with reasonable assistance in cooperating or consulting with a Supervisory Authority in the performance of its tasks related to this section to the extent required by EU data protection law.
12. International Data Transfers
12.1. Customer acknowledges that Apresly may transfer and process Customer Data anywhere in the world where Apresly, its affiliated entities, or its Sub-Processors conduct data processing activities. Apresly ensures that such data flows always occur in accordance with data protection law requirements and this DPA.
12.2. To the extent that Apresly is a recipient of Customer Data protected by EU data protection law (“EU Data”) in a country outside Europe that is not recognized as providing an adequate level of personal data security (as described in applicable EU data protection law), the parties agree that Apresly shall comply with and process EU Data in accordance with SCCs in the form specified in Annex 3. For the purposes of descriptions in the SCCs, Apresly acknowledges that it is the “data recipient” and Customer is the “data exporter” (regardless of Customer potentially being an entity located outside Europe).
12.3. Sub-Processors used by Apresly to Process any Customer Data protected by data protection law and/or originating from the EEA, in a country that has not been designated by the European Commission, shall provide the required level of Personal Data security and shall have SCCs incorporated into their data processing agreements.
13. Data Processing as Controller
13.1. The Parties acknowledge that regarding Customer Data, Apresly serves as Data Processor. Regarding Processing of Account Data and to the extent (if any) that Apresly may be considered a Controller regarding certain instances of Customer Personal Data Processing, each Party shall fulfill its obligations as Controller and agrees to provide reasonable assistance: (a) to each other, to enable each Party to address any requests for access to Personal Data and respond to any other inquiries or complaints from Data Subjects in accordance with EU data protection law; and (b) to each other, to facilitate handling of any Personal Data Breaches in accordance with EU data protection law requirements.
14. Limitation of Liability and Governing Law
14.1. The total liability of each party arising from or related to this DPA, whether contractual, tort-based, or arising from any other basis of liability, is subject to the limitation of liability provisions contained in the Terms of Use.
15. Miscellaneous Provisions
15.1. Any claims brought under or in connection with this DPA are subject to the provisions, including but not limited to the exclusions and limitations specified in the Terms of Use.
15.2. No one other than a party to this DPA, its legal successors, and permitted assignees shall have the right to enforce any of its provisions.
15.3. Any claims against Apresly under this DPA shall be brought exclusively against the entity that is a party to this DPA. Neither Party shall limit its liability regarding data protection rights belonging to any natural person under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Apresly in connection with Customer Data that arose as a result of or in connection with Customer’s non-compliance with obligations under this DPA or any data protection law provisions shall be credited toward and reduce Apresly’s liability under this DPA.
15.4. This DPA is governed by and interpreted in accordance with the applicable law and jurisdiction provisions contained in the Terms of Use, unless applicable data protection law provides otherwise.
15.4.1. This Data Processing Agreement is governed by the law of the Republic of Poland, excluding its conflict of law provisions.
15.4.2. Regarding personal data processing, directly applicable provisions of Regulation (EU) 2016/679 (“GDPR”) and other absolutely binding acts of European Union law take precedence.
15.4.3. Any disputes arising from or related to this Agreement shall be resolved by the competent court with jurisdiction over Apresly’s registered office, unless absolutely binding provisions provide otherwise.
15.5. Customer ensures that the decision to consent to the terms of this DPA was made in accordance with law by Customer, if Customer is an individual, or by Customer’s director, authorized representative, or other person with authority to represent, if Customer is a legal entity.
15.6. This DPA supersedes all previous DPA agreements entered into between Apresly and Customer.
15.7. This Data Processing Agreement becomes effective:
15.7.1. on the date the user accepted the Terms of Use and remains in effect indefinitely; or
15.7.2. on July 1, 2025, if the user became our customer before that date, and remains in effect indefinitely.
Annex 1 – Data Processing Details
1. Subject Matter of Data Processing: The subject matter of data processing under this DPA is Customer Data.
2. Duration of Data Processing: Apresly will Process Customer Data for the duration of the Services, as described in the Terms of Use.
3. Nature of Data Processing: Apresly provides technological solutions and SaaS services and other related services, as described in the Terms of Use.
4. Purpose of Data Processing: The purpose of data processing under this DPA is to provide the Services.
5. Categories of Data Subjects:
5.1. “Users” – any natural person accessing and/or using the Services through Customer’s account;
5.2. “End Customers” – any natural person whose data is stored or collected through the Services / with whom Users communicate or engage through the Services.
6. Types of Customer Data:
6.1. Users: identification and contact data (name, contact details including email address, username); billing information (billing address, payment information); organizational data (name, address, geographic location, area of responsibility, VAT identification number); IT information (IP address, usage data, cookie data, online navigation data, location data, browser data, access device information);
6.2. End Customers: contact data and any other additional information that Customer provides to Apresly.
Customer acknowledges that Apresly has the right to use and disclose data regarding operation, support, and/or use of the Services for its legitimate business purposes, such as account management, technical support, product development, or others. To the extent that such data is considered Personal Data under data protection law, Apresly is the Controller of such data and accordingly will process it in accordance with Apresly’s Privacy Policy and data protection law.
Customer acknowledges that in connection with providing the Services, Apresly uses cookies, unique identifiers, beacons, and similar tracking technologies. Customer ensures appropriate notification mechanisms, consent mechanisms, opt-in and opt-out mechanisms required by data protection law to enable Apresly to lawfully implement the aforementioned tracking technologies and collect data from End Customers’ devices.
Annex 2 – Security Measures
Please refer to the DPA Annex – Security Measures.
Annex 3 – List of Data Processing Sub-Processors
Currently, Apresly does not use external Sub-Processors. Apresly may use EU/EEA hosting infrastructure providers who act solely as infrastructure trustees without access to unencrypted data.