Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of, and is governed by, the Terms of Service between you (the “Customer”) and AppSolutely (“AppSolutely”, “we”, “us”). It governs our processing of personal data on your behalf in connection with the Service and reflects the requirements of Article 28 of the EU General Data Protection Regulation (“GDPR”). Where there is a conflict between this DPA and the Terms of Service in respect of the processing of personal data, this DPA prevails.
1. Roles of the parties
For personal data processed to build and operate your website, you act as the data controller and AppSolutely acts as your data processor. You are responsible for the lawfulness of the data you provide and of your instructions. Where AppSolutely determines the purposes and means of processing for its own account (for example, account administration and billing), it acts as a controller and that processing is described in our Privacy Policy, not this DPA.
2. Subject matter and duration
The subject matter is the provision of the Service. Processing continues for the duration of the Terms of Service and for any period afterwards required to return or delete personal data as set out in this DPA or required by law.
3. Nature and purpose of processing
We process personal data solely to provide, maintain, secure, and support the Service — that is, to build, change, host, and operate your website in accordance with your documented instructions, which include the requests you submit and the configuration you choose.
4. Categories of data and data subjects
- Data subjects: your representatives and end users, and any individuals whose personal data you include in your content or requests.
- Categories of personal data: identification and contact details, account and authentication identifiers, content you submit, and usage and technical data. You must not submit special categories of personal data unless expressly agreed in writing.
5. Our obligations as processor
We will:
- process personal data only on your documented instructions, including for transfers, unless required to do otherwise by law (in which case we will inform you, where legally permitted);
- ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations;
- implement appropriate technical and organisational security measures, taking account of the state of the art and the risks of processing (Art. 32);
- engage sub-processors only under Section 6 and impose data-protection obligations on them no less protective than those in this DPA;
- assist you, taking into account the nature of the processing, in responding to data-subject requests to exercise their rights;
- assist you with your obligations regarding security, breach notification, data-protection impact assessments, and prior consultation (Arts. 32–36);
- at your choice, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless retention is required by law; and
- make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits as described in Section 9.
6. Sub-processors
You provide general authorisation for us to engage sub-processors to deliver the Service. We use a small number of trusted infrastructure providers, by function: cloud hosting, database, transactional email, authentication, file storage, payment processing, and AI model inference. These providers process personal data only on our instructions and under appropriate data-processing terms. We will inform you of intended changes to our sub-processors and give you the opportunity to object on reasonable data-protection grounds.
7. International transfers
Where personal data is transferred outside the European Economic Area, we rely on an adequacy decision or appropriate safeguards such as the European Commission’s Standard Contractual Clauses, together with any supplementary measures required.
8. Personal-data breach notification
We will notify you without undue delay after becoming aware of a personal-data breach affecting personal data processed on your behalf, and will provide the information reasonably available to help you meet your own notification obligations.
9. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA. Where you require a further audit, the parties will agree in advance on its reasonable scope, timing, and confidentiality, and the audit will be conducted so as not to disrupt the Service or compromise the security of other customers’ data.
10. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, to the extent permitted by law.
11. Changes and contact
We may update this DPA from time to time and will post the updated version here and revise the effective date above. For any question about this DPA or our processing of personal data, email info@appsolutely.services or use our contact form.