Data Processing Addendum
Last updated: May 26, 2025
This Data Processing Addendum outlines Approveit Inc.’s commitments concerning the processing of personal data, in accordance with applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR).
Definitions
Unless otherwise defined herein, the following terms shall have these meanings:
Company Personal Data: Personal Data processed by a Subprocessor on behalf of a Company.
Contracted Processor: A Subprocessor.
Data Protection Laws: EU Data Protection Laws and, as applicable, data protection or privacy laws of other countries.
EEA: European Economic Area.
GDPR: EU General Data Protection Regulation 2016/679.
Data Transfer: Transfer of Company Personal Data where prohibited by Data Protection Laws without adequate safeguards.
Services: Services provided by Approveit Inc.
Subprocessor: An entity appointed by Approveit Inc. to process Personal Data.
Terms such as “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” follow GDPR definitions.
Processing of Personal Data
Approveit Inc. shall:
Comply with all applicable Data Protection Laws.
Process Personal Data strictly according to documented instructions from the respective data Controller.
Processor Personnel
Approveit Inc. will ensure reliability and limit access to Personal Data strictly to necessary personnel, who are bound by confidentiality obligations.
Security Measures
Approveit Inc. shall implement appropriate technical and organizational security measures, considering the state-of-the-art, risks involved, and GDPR Article 32(1) requirements, to protect Personal Data against breaches or unauthorized processing.
Subprocessing
Approveit Inc. will not appoint Subprocessors without prior authorization from the respective data Controller.
Data Subject Rights
Approveit Inc. will assist data Controllers in fulfilling Data Subject rights under Data Protection Laws, promptly informing Controllers of any requests received from Data Subjects.
Personal Data Breach
Approveit Inc. shall notify data Controllers immediately upon becoming aware of a Personal Data Breach, providing sufficient information to allow Controllers to meet reporting obligations. Approveit Inc. will cooperate fully in addressing any breaches.
Data Protection Impact Assessments
Approveit Inc. will reasonably assist Controllers with conducting data protection impact assessments and prior consultations as required under GDPR Articles 35 and 36.
Deletion or Return of Personal Data
Within 10 business days following cessation of Services, Approveit Inc. shall delete or procure deletion of all Personal Data copies, unless otherwise instructed.
Audit Rights
Approveit Inc. will provide Controllers with all necessary information demonstrating compliance with these commitments and will allow audits or inspections by Controllers or their authorized auditors.
Data Transfer
Approveit Inc. will not transfer Personal Data outside the EEA without prior written consent from the data Controller and will ensure appropriate safeguards (such as EU-approved Standard Contractual Clauses) are applied.
Confidentiality
Approveit Inc. will keep all data processing information confidential, disclosing only as required by law or if already public.
Notices
All communications regarding data processing shall be provided in writing, via personal delivery, post, or email.
Governing Law and Jurisdiction
These commitments are governed by the laws of Delaware, USA. Any unresolved disputes will be subject to the exclusive jurisdiction of the courts specified in individual agreements.
This Addendum is effective from the date of publication on the Approveit Inc. website.
