This document is provided for general use. For questions, contact jan@approvella.com.

Data Processing Agreement

Last updated: June 1, 2026

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Service between you (the “Controller”) and Jan Haratek, a sole proprietor based in the Czech Republic, operating Approvella (the “Processor”). It applies where Approvella processes personal data on your behalf in connection with the personal data of the clients and other individuals you add to the Service. It reflects the requirements of Article 28 of the GDPR.

1. Definitions

  • Controller — the party that determines the purposes and means of processing personal data. Under this DPA, the User is the Controller of its clients’ personal data.
  • Processor — the party that processes personal data on behalf of the Controller. Under this DPA, Approvella is the Processor.
  • Sub-processor — a third party engaged by the Processor to process personal data on its behalf.
  • Personal Data — any information relating to an identified or identifiable natural person, as defined by the GDPR.
  • Processing — any operation performed on personal data, such as collection, storage, use, disclosure, or deletion, as defined by the GDPR.

2. Scope & Roles

With respect to the personal data of the clients and individuals you add to the Service, you act as the Controller and Approvella acts as the Processor. Approvella processes such personal data only on your documented instructions, which include your use of the features and settings of the Service and these legal documents, unless required to do otherwise by applicable law (in which case Approvella will inform you, where legally permitted). Approvella remains the controller of your own account data, as described in the Privacy Policy.

3. Processor Obligations

Approvella will:

  • process personal data only on your documented instructions and for the purpose of providing the Service;
  • ensure that persons authorized to process the personal data are bound by an appropriate duty of confidentiality;
  • implement appropriate technical and organizational security measures as described in section 6 (Article 32 GDPR);
  • taking into account the nature of the processing, assist you by appropriate measures in responding to requests from data subjects exercising their rights;
  • assist you in ensuring compliance with your obligations regarding security of processing, breach notification, and, where applicable, data protection impact assessments;
  • at your choice, delete or return the personal data on termination of the Service, except where storage is required by law.

4. Sub-processors

You authorize Approvella to engage the sub-processors listed in our Privacy Policy — currently Supabase, Resend, Vercel, and Anthropic — to process personal data in connection with the Service. Approvella imposes data-protection obligations on its sub-processors that are consistent with this DPA and remains responsible for their performance. If Approvella intends to add or replace a sub-processor, it will provide reasonable notice (for example, by updating the Privacy Policy or notifying you), giving you the opportunity to object on reasonable data-protection grounds.

5. Data Subject Rights

Taking into account the nature of the processing, Approvella will assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligation to respond to requests from data subjects seeking to exercise their rights (such as access, rectification, erasure, restriction, portability, and objection). If Approvella receives such a request directly from a data subject relating to your data, it will, where permitted, refer the request to you.

6. Security Measures

Approvella implements appropriate technical and organizational measures to protect personal data, taking into account the state of the art and the risks of processing (Article 32 GDPR). These measures include:

  • AES-256 encryption of data at rest;
  • TLS encryption of data in transit;
  • access controls, including database row-level security (RLS) to segregate data between accounts;
  • restricting access to personal data to authorized purposes.

7. Personal Data Breach

Approvella will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide information reasonably available to it to assist you in meeting your own breach notification obligations under the GDPR.

8. Data Deletion

On termination of the Service or deletion of your account, the personal data processed on your behalf is deleted, except where retention is required by applicable law. You can initiate deletion using the delete-account feature in your account settings; doing so removes your associated data in accordance with the Privacy Policy.

9. International Transfers

Personal data is primarily hosted within the European Union. Where a sub-processor processes personal data outside the EU, Approvella relies on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, to ensure an adequate level of protection in accordance with the GDPR.

10. Audit

Approvella will make available to you information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits must be requested on reasonable prior notice, conducted during normal business hours, no more than once per year (except where required by a supervisory authority or following a breach), and in a manner that does not unreasonably disrupt Approvella’s operations or compromise the confidentiality of other customers’ data.

11. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, to the extent permitted by applicable law.

12. Term

This DPA takes effect when you begin using the Service and remains in force for as long as Approvella processes personal data on your behalf. Provisions intended to survive termination — including those relating to confidentiality, data deletion, and liability — will continue to apply after this DPA ends.

13. Contact

For any questions about this DPA, contact us at jan@approvella.com.