Last updated: May 3rd, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Appesco B.V. (“Appesco”, “Processor”, “we”, “us”) and the customer using the Appesco services (“Customer”, “Controller”).
This DPA applies where Appesco processes Personal Data on behalf of the Customer in connection with the Appesco platform and services.
This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (“GDPR”).
1. Definitions
For the purposes of this DPA:
- “Controller” means the entity determining the purposes and means of processing Personal Data.
- “Processor” means the entity processing Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, access, use, disclosure or deletion.
- “Subprocessor” means a third party engaged by Processor to process Personal Data on behalf of Controller.
- “GDPR” means Regulation (EU) 2016/679.
Capitalized terms not defined in this DPA have the meaning given in the applicable agreement between the parties.
2. Scope & Roles
2.1 The Customer acts as the Controller of Personal Data processed through the Appesco services.
2.2 Appesco acts as the Processor and processes Personal Data only on behalf of and according to the documented instructions of the Customer.
2.3 This DPA applies only to Personal Data processed by Appesco on behalf of the Customer in connection with the Services.
3. Subject Matter & Duration
3.1 Subject matter of processing:
Provision of the Appesco platform and related services.
3.2 Duration of processing:
For the duration of the applicable service agreement and any limited retention period required for backups, legal obligations or operational continuity.
4. Nature & Purpose of Processing
Appesco processes Personal Data for the purpose of:
- providing and maintaining the Services;
- hosting and storing Customer Data;
- enabling workflows and collaboration;
- authentication and account management;
- customer support;
- security monitoring;
- backup and recovery;
- infrastructure management;
- complying with legal obligations.
5. Categories of Personal Data
Depending on Customer use of the Services, Personal Data may include:
- names;
- business contact information;
- email addresses;
- phone numbers;
- job titles;
- signatures;
- employee information;
- supplier information;
- contract-related information;
- billing information;
- user-generated content;
- metadata and usage logs.
6. Categories of Data Subjects
Data subjects may include:
- Customer employees;
- contractors;
- suppliers;
- customers;
- partners;
- representatives;
- users authorized by Customer;
- other individuals whose data is uploaded to the Services by Customer.
7. Customer Obligations
The Customer represents and warrants that:
- it has a lawful basis for processing Personal Data;
- it has provided required notices to data subjects;
- it has obtained necessary consents where required;
- its instructions comply with applicable data protection laws.
The Customer is responsible for:
- the legality, quality and accuracy of Personal Data;
- user access management;
- responding to data subject requests unless otherwise required by law.
8. Processor Obligations
Appesco shall:
- process Personal Data only according to Customer instructions;
- ensure personnel are subject to confidentiality obligations;
- implement appropriate technical and organizational security measures;
- assist Customer where reasonably required to comply with GDPR obligations;
- notify Customer of Personal Data breaches where required by law;
- delete or return Personal Data upon termination, subject to legal retention obligations;
- maintain appropriate records and operational safeguards.
9. Security Measures
Appesco implements technical and organizational measures designed to protect Personal Data, including where appropriate:
- encryption in transit;
- access controls;
- authentication mechanisms;
- role-based permissions;
- logging and monitoring;
- infrastructure security;
- vulnerability management;
- backup procedures;
- environment isolation;
- restricted personnel access.
Security measures may evolve over time provided the overall level of security is not materially reduced.
10. Subprocessors
10.1 Customer authorizes Appesco to use subprocessors for hosting, infrastructure, analytics, email delivery, monitoring, support and related operational services.
10.2 Appesco shall ensure subprocessors are subject to appropriate confidentiality and data protection obligations.
10.3 A current list of subprocessors is available on the Subprocessors page.
10.4 Appesco remains responsible for subprocessors to the extent required under applicable law.
11. International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), Appesco shall implement appropriate safeguards as required by GDPR, which may include:
- Standard Contractual Clauses;
- adequacy decisions;
- supplementary technical and organizational measures.
12. Data Subject Requests
Where Appesco receives a request directly from a data subject relating to Personal Data processed on behalf of Customer, Appesco may:
- forward the request to Customer;
- advise the data subject to contact Customer directly.
Appesco shall reasonably assist Customer in responding to valid requests where required by applicable law.
13. Personal Data Breaches
Appesco shall notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Personal Data, unless notification is not legally required.
Notification may include:
- nature of the breach;
- categories of affected data;
- likely consequences;
- measures taken or proposed.
14. Audits & Information Requests
Upon reasonable written request and subject to confidentiality obligations, Appesco may provide information reasonably necessary to demonstrate compliance with this DPA.
Any audit rights shall:
- be reasonable and proportionate;
- avoid disruption to operations;
- protect confidential information and security of other customers.
15. Deletion & Return of Data
Upon termination of Services and upon Customer request, Appesco shall delete or return Customer Personal Data unless retention is required by law or necessary for limited backup retention periods.
Customer acknowledges that residual copies may temporarily remain in backups before deletion through normal overwrite cycles.
16. Confidentiality
Appesco shall ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
17. Limitation of Liability
Liability arising under this DPA shall be subject to the limitations and exclusions of liability set out in the applicable Terms of Service or agreement between the parties, unless prohibited by applicable law.
18. Governing Law
This DPA shall be governed by the laws of the Netherlands unless otherwise required by applicable data protection laws.
19. Contact Information
For privacy or data protection matters, contact:
Appesco B.V.
Voorburg, 2275 AL, The Netherlands
KvK/CoC: 82619468
VAT: NL862541499B01