This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Customer”) and Appolius d.o.o. (“we”, “us”, or “our”) for use of the SOPX service (the “Agreement”). It applies whenever, in the course of providing SOPX to you, we process personal data on your behalf and you act as the controller of that personal data within the meaning of the EU General Data Protection Regulation 2016/679 (“GDPR”) or comparable data protection law.
By entering into the Agreement, you and we are deemed to have entered into this DPA. No counter-signature is required.
1. Roles and Scope
For the purposes of this DPA, you are the controller and we are the processor with respect to personal data that you, your end users, or your authorized agents submit to SOPX (the “Customer Personal Data”). We process Customer Personal Data only to provide and support the SOPX service to you, in accordance with your instructions and this DPA.
2. Subject Matter and Details of Processing
The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex 1 below.
3. Customer Instructions
We process Customer Personal Data only on your documented instructions, except where otherwise required by applicable law. The Agreement, this DPA, and the configuration and use of the SOPX service constitute your complete and final instructions to us. If we believe an instruction infringes the GDPR or another applicable data protection law, we will inform you.
4. Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality.
5. Security Measures
We implement and maintain the technical and organizational measures set out in Annex 2 below to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. We may update these measures from time to time provided the level of protection is not reduced.
6. Sub-processors
You grant us a general authorization to engage sub-processors to assist in providing the SOPX service. We remain responsible to you for the performance of any sub-processor we engage. Each sub-processor we engage is subject to data protection terms that are no less protective than those set out in this DPA so far as applicable to the services they provide.
A current list of named sub-processors is available on written request at [email protected].
If we add a new category of sub-processor or replace an existing sub-processor, we will provide you with reasonable advance notice. You may object to the change in good faith, in writing, within fourteen (14) days of the notice. If you object, we will work in good faith to find a workable alternative; if no alternative can be agreed within a reasonable period, you may terminate the affected portion of the SOPX service for cause.
7. Assistance with Data Subject Rights
We provide reasonable assistance to enable you to respond to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection. Where feasible, this assistance is provided through self-service features of the SOPX product (for example, content export and account deletion). If a data subject contacts us directly with a request relating to your Customer Personal Data, we will refer them to you.
8. Personal Data Breach Notification
We will notify you of a personal data breach affecting Customer Personal Data without undue delay and in any event within seventy-two (72) hours after we become aware of the breach. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
9. Audits
You may, no more than once in any twelve (12) month period and on at least thirty (30) days’ prior written notice, request reasonable documentation evidencing our compliance with this DPA. We will respond to your request within a reasonable period and will provide responses, summary security documentation, or third-party reports (where available) as appropriate. On-site audits will not be required except where mandated by a competent supervisory authority. Any audit must be conducted in a manner that does not unreasonably interfere with our business operations and that protects the confidentiality of our other customers’ information.
10. Return or Deletion of Customer Personal Data
Upon termination or expiry of the Agreement, and except where retention is required by applicable law, we will delete Customer Personal Data within thirty (30) days. Backup copies will be deleted in accordance with our routine backup retention cycle. We will retain billing, invoice, and tax records as required by Slovenian tax and accounting law.
11. International Data Transfers
To the extent that the provision of SOPX involves the transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a third country that does not benefit from an adequacy decision, the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914, Module Three (Processor to Sub-processor), are incorporated into this DPA by reference and are deemed entered into between us and the relevant sub-processor on your behalf. Where SCCs are required between you (as controller) and us (as processor), Module Two (Controller to Processor) is incorporated by reference and deemed entered into between you and us. Optional clauses are not selected; the choice of supervisory authority is the supervisory authority of the European Union member state in which you are established or, if you are not established in the EU, the supervisory authority of the Republic of Slovenia.
12. Liability
Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
13. Order of Precedence
In the event of any conflict between the Agreement, this DPA, and the SCCs (where applicable), the SCCs prevail with respect to the matters they govern, then this DPA, then the Agreement.
Annex 1 — Description of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the SOPX service to the Customer, including AI-assisted generation, storage, and sharing of standard operating procedures from source material the Customer provides. |
| Duration | The term of the Agreement, plus any post-termination period required to return or delete Customer Personal Data. |
| Nature and purpose of the processing | Hosting, transmission, AI processing (transcription, content analysis, generation), storage, retrieval, sharing under the Customer’s control, deletion. |
| Types of personal data | Account data of the Customer’s users (name, email, organization, role); content data submitted by the Customer’s users (which may include images of individuals, voice recordings, names, role information visible in source material); usage and log data. |
| Categories of data subjects | The Customer’s employees and authorized end users; individuals appearing or speaking in source material the Customer uploads; recipients of SOPs the Customer chooses to share. |
| Frequency | Continuous for the duration of the Agreement. |
Annex 2 — Technical and Organizational Measures
We maintain measures designed to ensure a level of security appropriate to the risk presented by processing Customer Personal Data, including the following:
- Encryption in transit. All connections to the SOPX service use TLS 1.2 or higher.
- Encryption at rest. Customer Personal Data is encrypted at rest at the storage layer.
- Access controls. Access to production systems and Customer Personal Data is restricted to authorized personnel on a least-privilege basis. Access requires unique credentials and is reviewed regularly.
- Authentication. The SOPX product supports password-based authentication (with passwords stored in hashed form) and optional sign-in via Google or Microsoft accounts.
- Backups. Customer Personal Data is backed up periodically. Backups are encrypted at rest and retained on a defined cycle.
- Logging and monitoring. Administrative access to production systems is logged. Logs are reviewed for unusual activity.
- Sub-processor controls. Sub-processors are engaged only where they are subject to applicable data protection terms commensurate with their role.
- Incident response. We maintain procedures for responding to suspected security incidents and personal data breaches, including notification to the Customer in accordance with Section 8.
- Personnel. Personnel with access to Customer Personal Data are bound by confidentiality obligations and receive guidance on handling personal data appropriately.
We may update these measures from time to time provided the overall level of protection of Customer Personal Data is not reduced.