Data Processing Addendum

1. Scope and Roles

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Apivom Technology FZ-LLC ("Apivom", "Processor") and the customer ("Controller") and governs the processing of Personal Data by Apivom on behalf of the Controller in connection with the APIVOM Customer Success Platform and the Apivom MCP service.

When EU/UK General Data Protection Regulation ("GDPR") applies, Apivom acts as Processor under Article 28 GDPR. When the California Consumer Privacy Act ("CCPA") applies, Apivom acts as Service Provider under Cal. Civ. Code § 1798.140(ag).

2. Definitions

Terms not defined in this DPA have the meaning given in the GDPR. "Personal Data", "Controller", "Processor", "Processing", "Data Subject", and "Subprocessor" carry their GDPR meaning.

3. Subject Matter and Duration

The subject matter is the provision of the APIVOM Customer Success Platform, including the Apivom MCP endpoint. The duration of processing is for the term of the Agreement plus any retention period required by law or instructed by Controller (see Section 10).

4. Nature and Purpose of Processing

Apivom processes Personal Data solely to provide the contracted services: hosting customer data, executing MCP tool calls on behalf of authenticated end-users, generating analytics over Controller-owned data, sending operational communications, and providing customer support.

5. Categories of Data Subjects and Personal Data

• Data subjects: Controller's employees, contractors, customers, leads, and end-users.
• Personal data categories: identifiers (name, email, phone), professional details (role, employer), authentication metadata (Keycloak sub, organization, scopes), CRM records (companies, contacts, opportunities, quotes, subscriptions, activities), and technical data (IP address, browser fingerprint, request timestamps).
• Special categories: Apivom does not require Controller to upload special categories of Personal Data and asks Controller not to do so.

6. Controller Obligations

Controller warrants that it has a valid legal basis for the Processing instructed and that it has provided required notices to data subjects.

7. Processor Obligations

Apivom shall:

• (a) Process Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required by applicable law;
• (b) Ensure persons authorised to process Personal Data are bound by confidentiality;
• (c) Implement the technical and organisational measures set out in the Security page;
• (d) Engage Subprocessors only under written contract that imposes equivalent data-protection obligations and inform Controller of additions or changes (see Section 8 and the Subprocessors page);
• (e) Taking into account the nature of the Processing, assist Controller in responding to data-subject requests under GDPR Articles 15–22 within thirty (30) days of Controller's written request;
• (f) Notify Controller of any Personal Data breach affecting Controller's data without undue delay and in any event within 72 hours of becoming aware, including the information required by Article 33(3) GDPR;
• (g) On termination, and at Controller's choice, delete or return all Personal Data within 90 days, except where retention is required by law;
• (h) Make available all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 11.

8. Subprocessors

Controller grants Apivom general authorisation to engage Subprocessors. The current list is published at /subprocessors. Apivom shall give Controller at least thirty (30) days' notice of any new Subprocessor by updating that page. Controller may object on reasonable grounds; absent agreement, either party may terminate the affected service.

9. International Data Transfers

Where Personal Data originating in the European Economic Area or the United Kingdom is transferred to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Decision 2021/914) — Module Two (Controller-to-Processor) — and the UK International Data Transfer Addendum as applicable. The same Clauses apply to onward transfers to Subprocessors.

10. Data Retention and Return

Audit logs of MCP tool invocations are retained for 365 days then automatically deleted. Operational backups are retained for 30 days rolling. Upon written request, Apivom will export or delete a customer's Personal Data within 90 days.

11. Audits

Apivom shall, no more than once per calendar year and on at least sixty (60) days' written notice, allow Controller (or an independent auditor mandated by Controller and bound by confidentiality) to inspect Apivom's compliance with this DPA. Controller bears reasonable audit costs.

12. CCPA Service Provider Terms

Apivom certifies that, with respect to Personal Information received from a Controller subject to the CCPA, it shall not (i) sell or share such Personal Information, (ii) retain, use, or disclose it for any purpose other than the specific purpose of performing the services, (iii) retain, use, or disclose it outside the direct business relationship, or (iv) combine it with Personal Information received from other sources, except as permitted by Cal. Civ. Code § 1798.140(ag).

13. Governing Law

This DPA is governed by the laws of the United Arab Emirates. Disputes are subject to the exclusive jurisdiction of the Dubai courts.

14. Contact

For any DPA-related request, including data-subject requests routed to Apivom, contact:

Apivom Technology FZ-LLC

DMC-BLD-VD-G00-706, Building 5, Dubai Media City, Al Sofouh Second, Dubai, UAE

Email: privacy@apivom.com

General: info@apivom.com