Data Processing Agreement (template)
Last updated: 2026-05-15
TEMPLATE NOTICE — LEGAL REVIEW PENDING
This DPA is a starting-point template surfaced for transparency. Before Apexium signs its first paid enterprise customer contract:
- Counsel must review this document for jurisdiction-appropriate enforceability (tracked as D-C8 in the launch checklist — internal)
- Countersigning workflow infrastructure (tracked as D-C7) must ship before first enterprise contract — admin counter-signs DPA per customer; signed copy stored in Supabase Storage; reference on customer tenant
- Customer-specific addenda (sub-processor flow-down clauses, jurisdictional riders) replace placeholder content
The template content below is illustrative only and does NOT constitute a contract between you and Apexium until both parties execute a signed version. Contact legal@apexium.team to request a countersigned DPA.
1. Definitions
For purposes of this DPA:
- "Controller" means the customer (the entity that determines purposes and means of processing personal data).
- "Processor" means Apexium Inc., processing personal data on behalf of the Controller.
- "Personal Data" has the meaning set out in GDPR Article 4(1).
- "Sub-processor" means any third party engaged by Apexium to process Personal Data on behalf of the Controller (see Privacy Policy for the current sub-processor list).
- "Data Subject" means the natural person whose Personal Data is processed.
2. Scope + nature of processing
Apexium processes Personal Data uploaded by the Controller to the Apexium service:
- Categories of Personal Data: contact details (name, email, phone), CRM records (notes, deals, conversations), engagement metadata (open/click rates), any additional fields the Controller adds via custom_fields.
- Categories of Data Subjects: the Controller's customers, prospects, and business contacts.
- Nature + purposes: hosting, transmission, analysis, automation, and delivery to communication channels (email, SMS, voice) as configured by the Controller.
- Duration: for the term of the Controller's subscription + the 30-day grace period post-termination, after which Personal Data is permanently deleted (subject to Controller's right to request immediate deletion per GDPR Article 17).
3. Apexium's obligations as Processor
Apexium will:
- (a) process Personal Data only on the Controller's documented instructions;
- (b) ensure persons authorized to process Personal Data are bound by confidentiality;
- (c) implement appropriate technical + organizational security measures (Article 32) — including encryption at rest and in transit, tenant isolation via Postgres RLS, per-tenant JWT-claim-based access control, independent backup channels, audit logging;
- (d) assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability) within statutory time limits;
- (e) assist the Controller with security incident notifications per Articles 33 + 34;
- (f) make available to the Controller all information necessary to demonstrate compliance with Article 28;
- (g) on termination, return or delete all Personal Data per the Controller's election (default: delete after 30-day grace period);
- (h) notify the Controller of any data breach without undue delay (target: within 72 hours of discovery).
4. Sub-processors
The current sub-processor list is maintained in the Privacy Policy. Apexium:
- Has entered into written data-processing agreements with each sub-processor containing data-protection obligations no less protective than those in this DPA
- Will provide 30 days' advance notice via email of any new sub-processor; the Controller may object on reasonable grounds, in which case the parties will negotiate in good faith (or the Controller may terminate the subscription with pro-rata refund of prepaid fees)
- Remains liable for sub-processor performance of the data-protection obligations imposed via the upstream DPA
5. International data transfers
Personal Data may be transferred to and processed in the United States. The parties rely on:
- EU/UK → US transfers: EU Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor) + UK International Data Transfer Addendum (where applicable)
- Jurisdictional safeguards: encryption in transit + at rest; sub-processor flow-down of SCC obligations
6. Data Subject rights
Apexium will assist the Controller in responding to Data Subject rights requests:
- Article 15 (access): workspace settings expose Controller-level access; admin data export delivers a complete JSON bundle on request
- Article 16 (rectification): Controller may correct any Personal Data via workspace settings
- Article 17 (erasure): immediate hard-delete on Controller request via privacy@apexium.team; standard termination triggers 30-day grace then hard-delete
- Article 20 (portability): admin data export feature delivers machine-readable JSON bundle
7. Security incidents
Apexium will:
- Notify the Controller of any data breach affecting the Controller's Personal Data within 72 hours of discovery
- Include in the notification: nature of the breach, categories + approximate number of Data Subjects affected, categories + approximate number of records affected, likely consequences, measures taken or proposed
- Cooperate with the Controller's regulator notification obligations under GDPR Article 33
8. Audits
The Controller may, with at least 30 days' advance notice and no more than once per 12-month period, request an audit of Apexium's data-protection practices. Apexium may satisfy such audit by providing:
- A third-party SOC 2 Type II report (target: ship Type I report within 12 months of public launch; Type II report within 24 months)
- ISO 27001 certification (target: post-public-launch)
- Written responses to the Controller's specific data-protection questions
The Controller bears the reasonable costs of any additional onsite audits beyond the one annual audit described above.
9. Term + termination
This DPA terminates with the underlying subscription agreement. Apexium's data deletion obligations under §3(g) survive termination.
10. Liability + indemnification
The liability limits in the Terms of Service §8 apply to this DPA. Apexium indemnifies the Controller for direct damages arising from Apexium's material breach of this DPA, subject to those limits.
11. Governing law
This DPA is governed by the laws of the State of Delaware, USA, consistent with the Terms of Service. For EU/UK Controllers, the SCCs apply their own choice-of-law clauses, which prevail to the extent of any conflict.
To request a countersigned DPA, email legal@apexium.team with your company legal entity name, jurisdiction, and primary regulatory framework (GDPR / CCPA / other). We aim to return countersigned copies within 5 business days of receipt during normal business hours (D-C7 countersigning workflow infrastructure ships before first enterprise contract).