Last update: FEB 11, 2026

Data Processing Addendum

How we protect and process your data on your behalf.

This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between Appfigures, Inc., a New York corporation ("Appfigures," "Processor," or "Service Provider"), and the entity agreeing to these terms ("Customer," "Controller," or "Business"), collectively the "Parties."

This DPA applies to the extent Appfigures processes Personal Data on behalf of Customer in connection with the Appfigures platform and related services (the "Services").

1. Definitions

1.1. "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection, as revised ("revDSG"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (e) other US state privacy laws, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and any similar laws enacted thereafter (collectively, "US State Privacy Laws").

1.2. "Personal Data" means any information relating to an identified or identifiable natural person that Appfigures processes on behalf of Customer in connection with the Services. Where the CCPA/CPRA applies, this includes "Personal Information" as defined therein.

1.3. "Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.

1.4. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

1.5. "Sub-processor" means any third party engaged by Appfigures to process Personal Data on behalf of Customer.

1.6. "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.

1.7. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced.

1.8. "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018.

Terms not defined herein have the meanings given to them in the Agreement or in Applicable Data Protection Laws.

2. Scope and Roles

2.1. Roles. With respect to Personal Data processed under this DPA: (a) Customer is the Controller (or Business under CCPA/CPRA) and Appfigures is the Processor (or Service Provider under CCPA/CPRA). (b) In limited circumstances where Appfigures determines the purposes and means of processing — specifically: billing and payment administration, fraud prevention, platform security, and generation of aggregated or anonymized usage statistics for service improvement — Appfigures acts as an independent Controller and will comply with Applicable Data Protection Laws in that capacity.

2.2. Scope. This DPA applies to all Personal Data processed by Appfigures on behalf of Customer as described in Appendix 1.

2.3. Precedence. In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.

3. Customer Obligations

3.1. Customer represents and warrants that: (a) it has provided all necessary notices to, and obtained all necessary consents or other legal bases from, Data Subjects for the processing of their Personal Data as contemplated by this DPA; (b) its instructions to Appfigures comply with Applicable Data Protection Laws; and (c) it has a lawful basis for transferring Personal Data to Appfigures.

4. Processing Instructions and Restrictions

4.1. Instructions. Appfigures will process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data outside the EEA, UK, or Switzerland, unless required to do so by applicable law—in which case Appfigures will inform Customer of that legal requirement before processing, unless prohibited by law. Appfigures will promptly inform Customer if, in Appfigures' opinion, an instruction from Customer infringes Applicable Data Protection Laws.

4.2. No Sale or Sharing. Appfigures will not: (a) sell or share Personal Data (as those terms are defined under the CCPA/CPRA or any US State Privacy Law); (b) retain, use, or disclose Personal Data for any purpose other than performing the Services under the Agreement; (c) retain, use, or disclose Personal Data outside the direct business relationship between Appfigures and Customer; or (d) combine Personal Data received from Customer with personal data received from other sources, except as permitted by the CCPA/CPRA for Service Providers.

4.3. Compliance Certification. Appfigures certifies that it understands and will comply with the restrictions in Section 4.2.

5. Confidentiality

5.1. Appfigures will ensure that any personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

6. Security

6.1. Security Measures. Appfigures will implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, as described in Appendix 2. Appfigures may update these measures from time to time, provided that the overall level of security is not materially diminished.

6.2. Assistance. Appfigures will assist Customer, taking into account the nature of the processing and the information available to Appfigures, in ensuring compliance with Customer's security obligations under Applicable Data Protection Laws.

7. Sub-processing

7.1. Authorization. Customer provides general written authorization for Appfigures to engage Sub-processors to process Personal Data, subject to this Section 7.

7.2. Sub-processor List. Appfigures maintains a current list of Sub-processors in Appendix 3 of this DPA (the "Sub-processor List").

7.3. Notification of Changes. Appfigures will notify Customer by email at least seven (7) days before engaging a new Sub-processor or replacing an existing one. The notification will identify the Sub-processor, describe the processing to be performed, and state the Sub-processor's location.

7.4. Objection Right. If Customer has a reasonable, data-protection-related objection to a new or replacement Sub-processor, Customer must notify Appfigures in writing within seven (7) days of receiving notice. The Parties will discuss the objection in good faith. If the Parties cannot resolve the objection within a reasonable timeframe, Customer may terminate the affected Services without penalty by providing written notice.

7.5. Sub-processor Obligations. Appfigures will: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA; and (b) remain fully liable to Customer for any Sub-processor's failure to fulfill its data protection obligations.

8. International Data Transfers

8.1. Transfers from the EEA. To the extent that the processing of Personal Data involves a transfer from the EEA to a country not subject to an adequacy decision by the European Commission, the Parties agree to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference:

  (a) Module Two (Controller to Processor) applies where Customer is a Controller and Appfigures is a Processor. Module Three (Processor to Processor) applies where Customer is itself a Processor acting on behalf of its own controller.

  (b) For Module Two and Module Three (as applicable): Clause 7 (docking clause) is included; Clause 9, Option 2 (general written authorization) applies with a 7-day prior notice period; Clause 11 (optional redress language) is not included; Clause 17, Option 1 applies, with the governing law being that of Ireland; Clause 18(b): disputes will be resolved before the courts of Ireland.

  (c) The information required for Annexes I and II of the SCCs is set out in Appendix 1 and Appendix 2 of this DPA, respectively.

8.2. Transfers from the UK. To the extent that the processing involves a transfer of Personal Data from the UK, the UK IDTA (as issued by the UK ICO, version in force at the time of transfer) is incorporated by reference and supplements the SCCs as required. In the event of any conflict between the UK IDTA and this DPA, the UK IDTA will prevail with respect to UK transfers. The "Exporter" is Customer and the "Importer" is Appfigures.

8.3. Transfers from Switzerland. To the extent that the processing involves a transfer from Switzerland, the SCCs apply with the following modifications: (a) references to "Regulation (EU) 2016/679" are interpreted as references to the revDSG; (b) references to "EU," "Union," and "Member State" are interpreted to include Switzerland; (c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; (d) references to "competent courts" include the applicable courts of Switzerland; (e) Swiss law governs to the extent required by the revDSG, without prejudice to the governing law provisions of the SCCs themselves.

8.4. Transfer Impact Assessments. Upon Customer's reasonable request, Appfigures will provide information reasonably necessary for Customer to conduct a data transfer impact assessment (TIA) in connection with transfers under this Section 8, including information about Appfigures' data protection practices, the legal framework in the destination country, and any government access requests received (to the extent permitted by law).

8.5. Alternative Transfer Mechanisms. If any transfer mechanism described above is invalidated or superseded, or if a new adequacy decision, certification, or framework (such as the EU-U.S. Data Privacy Framework) provides a valid basis for transfer, the Parties may rely on such alternative mechanism without amending this DPA.

9. Data Subject Rights

9.1. Appfigures will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligations to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection, and rights under the CCPA/CPRA and US State Privacy Laws such as the right to know, delete, correct, and opt out).

9.2. If Appfigures receives a request directly from a Data Subject, Appfigures will redirect the Data Subject to Customer and notify Customer within five (5) business days, unless prohibited by law.

10. Security Incidents

10.1. Notification. Appfigures will notify Customer of any confirmed Security Incident without undue delay and in any event within forty-eight (48) hours of becoming aware of it.

10.2. Content. The notification will include, to the extent reasonably available: (a) the nature of the Security Incident, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the incident; and (d) a contact point for further information.

10.3. Cooperation. Appfigures will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident, and in meeting Customer's obligations to notify supervisory authorities and Data Subjects under Applicable Data Protection Laws.

10.4. No Admission. Notification of a Security Incident is not an acknowledgment of fault or liability.

11. Data Protection Impact Assessments

11.1. Appfigures will provide reasonable assistance to Customer in conducting data protection impact assessments and, where required, prior consultations with supervisory authorities, to the extent that such assistance is necessary and relates to the processing performed by Appfigures, taking into account the nature of the processing and the information available to Appfigures.

12. Supervisory Authority Inquiries

12.1. Appfigures will provide reasonable assistance to Customer in responding to inquiries from data protection supervisory authorities, to the extent such inquiries relate to the processing of Personal Data by Appfigures under this DPA.

13. Audits

13.1. Information. Appfigures will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

13.2. Audit Right. Customer (or its authorized independent third-party auditor, bound by confidentiality obligations) may conduct an audit of Appfigures' processing activities under this DPA, subject to the following conditions:

  (a) Customer must provide at least thirty (30) days' prior written notice.

  (b) Audits will be conducted during normal business hours and will not unreasonably interfere with Appfigures' operations.

  (c) Audits will be limited to once per twelve (12) month period, unless required by a supervisory authority or following a Security Incident.

  (d) Audits are limited to Appfigures' processing of Personal Data under this DPA and do not extend to source code, proprietary algorithms, or systems unrelated to the processing.

  (e) Remote audits (including written questionnaires and document review) are preferred where practicable.

  (f) Customer will bear its own costs of the audit.

13.3. Third-Party Certifications. Appfigures may satisfy audit requests by providing relevant third-party certifications, audit reports, or summaries thereof, to the extent reasonably sufficient.

14. Data Retention and Deletion

14.1. During the Term. Appfigures will process and retain Personal Data only for the duration and purposes set out in Appendix 1 and as necessary to perform the Services.

14.2. Upon Termination. Upon termination or expiration of the Agreement, Appfigures will delete all Personal Data in its possession within thirty (30) days and will instruct its Sub-processors to delete Personal Data in accordance with their respective data processing agreements. Appfigures will confirm deletion in writing upon request.

14.3. Exceptions. Appfigures may retain Personal Data to the extent required by applicable law, provided that Appfigures will limit such processing to the purposes required by law, maintain confidentiality, and delete the data when the legal obligation expires.

14.4. Continued Protection. Any Personal Data retained after termination under Section 14.3 remains subject to the confidentiality and security obligations of this DPA until deleted.

15. US State Privacy Laws - Additional Terms

15.1. To the extent that Personal Data is subject to the CCPA/CPRA, Appfigures is a "Service Provider" as defined therein. The obligations in Section 4.2 apply in full.

15.2. To the extent that Personal Data is subject to US State Privacy Laws (including the Virginia CDPA, Colorado CPA, Connecticut Data Privacy Act, and similar laws), Appfigures will: (a) process Personal Data only as necessary to perform the Services and as set forth in the Agreement and this DPA; (b) provide the same level of privacy protection as required by such laws; (c) notify Customer if it determines it can no longer meet its obligations under such laws; and (d) allow Customer to take reasonable and appropriate steps to stop and remediate unauthorized processing.

16. General

16.1. Governing Law. This DPA is governed by the law governing the Agreement, except where Applicable Data Protection Laws require otherwise (e.g., SCCs or UK IDTA provisions).

16.2. Amendments. Appfigures may update this DPA to the extent necessary to reflect changes required by Applicable Data Protection Laws or supervisory authority guidance. Such changes will be notified to Customer at least thirty (30) days in advance. If Customer objects to a change, Customer may terminate the affected Services by providing written notice within thirty (30) days of the notification. If Customer does not object within that period, the updated DPA will apply. All other amendments require mutual written agreement.

16.3. Severability. If any provision of this DPA is found invalid or unenforceable, the remaining provisions will remain in full force and effect.

16.4. Entire DPA. This DPA, including its Appendices, constitutes the complete data processing terms between the Parties and supersedes any prior data processing addendum or agreement between them relating to the Services.

Appendix 1: Details of Processing

Nature and Purpose of Processing: Processing of Personal Data as necessary to provide the Appfigures analytics and intelligence platform, including: account management; delivery of analytics dashboards and reports; sending automated alerts, notifications, and emails on behalf of Customer; providing API access; customer support (live chat and email); and related maintenance.

Processing Operations: Storage, retrieval, transmission, analysis, display, and deletion. Processing does not include profiling, automated decision-making, or monitoring of Data Subjects.

Duration of Processing: For the duration of the Agreement, plus the post-termination period described in Section 14.

Categories of Data Subjects: (a) Customer's authorized users (employees, contractors, agents) who access the Appfigures platform; (b) Recipients of automated alerts, reports, and emails configured by Customer.

Types of Personal Data: (a) Account information: name, email address, password (hashed), company name; (b) Alert/email recipient information: email address, name (if provided); (c) Usage data: IP address, browser/device information, platform activity logs.

Sensitive Data: None expected. Customer must not submit sensitive or special category data to the Services unless expressly agreed in writing.

Frequency of Transfer: Continuous, for the duration of the Agreement.

Retention Period: As described in Section 14.

Appendix 2: Technical and Organizational Security Measures

Appfigures implements and maintains appropriate technical and organizational security measures, which may include the following. These measures are reviewed and updated periodically to reflect industry standards and evolving threats.

1. Physical Security

1.1. Primary infrastructure is hosted with US-based co-location providers that maintain physical security controls, which may include: controlled facility access, surveillance systems, environmental controls, and redundant power.

1.2. Access to data center facilities is restricted to authorized personnel.

2. Access Controls

2.1. Role-based access controls (RBAC) limit access to Personal Data to personnel who require it for their job functions.

2.2. Authentication to production systems requires multi-factor authentication (MFA).

2.3. User access is reviewed periodically and revoked promptly upon role change or termination.

2.4. Customer authentication is supported via username/password combined with an API key, or via OAuth.

3. Encryption

3.1. In Transit. All data transmitted between Customer and the Services is encrypted using HTTPS/TLS (minimum TLS 1.2).

3.2. At Rest. Personal Data stored in production databases and backups is encrypted at rest using industry-standard encryption algorithms (AES-256 or equivalent).

4. Network Security

4.1. Web Application Firewall (WAF) is deployed to protect against common web-based attacks.

4.2. Network segmentation and firewall rules restrict access to internal systems.

4.3. Regular vulnerability scanning and static code analysis are performed.

5. Monitoring and Logging

5.1. Security-relevant events (authentication attempts, access to Personal Data, system changes) are logged.

5.2. Logs are retained for a reasonable period and reviewed for anomalies.

5.3. Alerting is configured for suspicious activity.

6. Incident Response

6.1. A documented incident response plan is maintained and tested.

6.2. Security incidents are escalated, investigated, and remediated in accordance with the plan.

6.3. Customer notification timelines are as set out in Section 10 of this DPA.

7. Employee Security

7.1. Personnel with access to Personal Data undergo security awareness training.

7.2. Personnel are bound by confidentiality obligations.

7.3. Access is granted on a need-to-know basis and subject to the principle of least privilege.

8. Application Security

8.1. Secure software development practices are followed, including static code analysis and code review.

8.2. A responsible disclosure program or bug bounty program is maintained to enable external reporting of vulnerabilities.

8.3. Dependencies and libraries are monitored for known vulnerabilities.

9. Business Continuity and Disaster Recovery

9.1. Regular backups are performed and tested for recoverability.

9.2. Redundant infrastructure is maintained to minimize service disruption.

9.3. A business continuity plan is maintained and reviewed periodically.

10. Multi-Tenancy

10.1. The Services use a multi-tenant architecture with logical separation of Customer data.

10.2. Controls are in place to prevent unauthorized cross-tenant access.

Appendix 3: List of Sub-Processors

Primary data hosting is in the United States on Appfigures' own hardware at co-location facilities. Certain Sub-processors may process limited Personal Data (such as support interactions and session analytics) in other regions as indicated below.

Changes to this list are communicated to Customer as described in Section 7.3 of this DPA.

As of the effective date, the following Sub-processors are engaged:

Crisp IM SAS
  • Purpose: Support live chat
  • Data Processed: Appfigures user account information (name, email); session information (IP addresses, user agent information)
  • Location: EU
InnoCraft Limited (Matomo)
  • Purpose: Web analytics
  • Data Processed: Appfigures user account information (internal IDs); session information (IP addresses, user agent information)
  • Location: NZ/EU
Mailgun Technologies Inc.
  • Purpose: Sending transactional and marketing emails
  • Data Processed: Appfigures user account information (name, email)
  • Location: US
Maze.Design Inc.
  • Purpose: User research and product testing
  • Data Processed: Appfigures user account information (internal IDs); session information (IP addresses, user agent information)
  • Location: US
Lantirn Inc. (Re:amaze)
  • Purpose: Support ticketing and case tracking
  • Data Processed: Appfigures user account information (name, email)
  • Location: US