This Data Processing Agreement ("DPA") forms part of the agreement between Apex Academy d.o.o. (the "Processor") and the customer identified in the Digital Worker account ("Controller") and governs the Processor's processing of personal data on the Controller's behalf under GDPR Article 28.

By creating a Digital Worker account and accepting the Terms of Service, the Controller accepts this DPA. For an executed PDF copy on company letterhead, write to privacy@apexacademy.hr.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller strictly for the purpose of delivering the Digital Worker service. Processing lasts for the duration of the underlying subscription plus the wind-down period set out in clause 9.

2. Nature and purpose of processing

Provision of an AI agent platform: storing user accounts, agent configurations, conversation transcripts, files, vector embeddings, tool executions, billing data, and associated security/audit logs.

3. Categories of data subjects

• Controller's own employees and users with platform accounts
• Controller's customers / end users who interact with agents published by the Controller
• Other natural persons whose data the Controller chooses to input into agents

4. Categories of personal data

• Identification and contact data (name, email, phone, address)
• Authentication data (password hash, session tokens, MFA factors)
• Conversation content (transcripts, voice recordings where opted in, uploaded files, images, tool inputs/outputs)
• Usage metadata (IP, user agent, timestamps, agent identifiers)
• Any further data the Controller instructs the Processor to process through configuration

5. Processor obligations

1. Process personal data only on the Controller's documented instructions, including the configurations the Controller sets in the platform UI / API.
2. Ensure personnel authorised to process personal data are bound by confidentiality.
3. Implement appropriate technical and organisational measures (GDPR Art. 32) — see Annex 1.
4. Use sub-processors only as listed at /legal/sub-processors.html, with the safeguards stated there.
5. Assist the Controller in responding to data-subject requests (Arts. 12–22), in completing DPIAs (Art. 35), and in cooperating with supervisory authorities (Art. 31).
6. Notify the Controller of personal data breaches without undue delay and in any event within 72 hours of becoming aware (Art. 33).
7. At the Controller's choice, delete or return all personal data at the end of the subscription, subject to any statutory retention obligations (see clause 9).
8. Make available all information necessary to demonstrate compliance and allow for audits (see clause 8).

6. Sub-processors

The Controller grants general authorisation for the Processor to engage the sub-processors listed at /legal/sub-processors.html. The Processor will provide at least 30 days' prior notice of any addition or replacement, during which the Controller may object on reasonable data-protection grounds. If the parties cannot agree on a resolution, the Controller may terminate the affected service.

7. International transfers

Where the Processor or any sub-processor transfers personal data outside the EEA, the transfer is covered by EU Standard Contractual Clauses (Decision (EU) 2021/914) or another lawful mechanism listed in GDPR Chapter V, including any required supplementary measures.

8. Audits

The Processor makes available summary audit reports, security documentation, and the latest penetration-test summary on request. The Controller may carry out an on-site audit no more than once per calendar year, at the Controller's cost and with at least 30 days' written notice, subject to a reasonable confidentiality undertaking. Audits triggered by a supervisory-authority order or a personal-data breach are not restricted by frequency.

9. Return or deletion of data

On termination, the Controller may export all of its personal data via the platform's data-export endpoint (GET /api/user/data-export) for up to 30 days after termination. After that period the Processor deletes the data from active systems within 30 days, and from backups in the ordinary backup rotation (up to 90 days). Data the Processor is legally required to retain (e.g. invoices, audit logs needed for security investigations) is kept for the statutory minimum and then deleted.

10. Liability and term

The liability and term clauses of the Terms of Service apply to this DPA.

Annex 1 — Technical and organisational measures (TOMs)

• Encryption — TLS 1.2+ in transit; AES-256-GCM for credentials at rest; MySQL encrypted backups
• Access control — role-based access, MFA for administrative accounts where configured, session timeout, deactivation propagates within 60 seconds
• Authentication — bcrypt password hashing, SSO (SAML/OIDC) supported, SCIM provisioning
• Isolation — per-tenant user_id scoping on every persisted resource; isolated-vm sandboxing for customer-authored tool code
• Network protection — TLS termination, security headers (HSTS, X-Frame-Options, Referrer-Policy), rate limiting, reverse-proxy hardening
• Logging — append-only audit log of admin actions, security events, and rights requests
• Personnel and process — confidentiality undertakings, principle of least privilege, change-management, breach-response runbook
• Backups — daily database backup, offsite copy retained 30 days, restore procedure tested at least annually
• Sub-processors — closed list with executed data-protection terms; see sub-processors page

Annex 2 — Controller information

The Controller is the legal entity identified in the Digital Worker billing account. Contact details and authorised data-protection representatives are kept current by the Controller in the platform admin settings.