Appintellect — Data Processing Addendum (DPA)
DRAFT — NOT LEGALLY REVIEWED. Fill in {{placeholders}}, have counsel review, then remove this banner. This template covers the scope of a typical B2B SaaS processor relationship (GDPR / UK GDPR / Swiss FADP) but is not lawyer-blessed.
Last updated: 2026-04-23
This Data Processing Addendum ("DPA") supplements the Appintellect Terms of Service or any pilot / master agreement ("Agreement") between {{LegalEntity}} ("Appintellect", "Processor") and the customer identified in the Agreement ("Customer", "Controller"). It applies whenever Appintellect processes Personal Data on Customer's behalf.
Where this DPA conflicts with the Agreement, this DPA controls for data protection matters.
1. Definitions
- "GDPR" — Regulation (EU) 2016/679.
- "UK GDPR" — the GDPR as incorporated into UK law by the Data Protection Act 2018.
- "Swiss FADP" — the Swiss Federal Act on Data Protection.
- "Data Protection Laws" — GDPR, UK GDPR, Swiss FADP, and any other applicable privacy legislation, as each may be amended.
- "Personal Data", "Controller", "Processor", "Processing", "Data Subject", "Supervisory Authority" — as defined in the GDPR.
- "Sub-processor" — any Processor engaged by Appintellect to process Personal Data on Customer's behalf.
- "SCCs" — the Standard Contractual Clauses approved by the European Commission Decision 2021/914, as updated.
2. Roles
Customer is the Controller. Appintellect is the Processor. Appintellect processes Personal Data only on documented instructions from Customer. The Agreement, this DPA, and the Customer's use of the Service (configuration, API calls, crawl targets selected) together constitute Customer's documented instructions.
Appintellect will inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
3. Scope of processing
Subject matter: provision of the Appintellect autonomous mobile QA service.
Duration: for the term of the Agreement plus the deletion period defined in Section 9.
Nature and purpose: exploring mobile applications the Customer submits for testing, capturing screenshots / accessibility trees / application logs, detecting anomalies, and surfacing results in the Customer's dashboard.
Categories of Data Subjects:
- Customer's personnel using the Service (engineers, QA, product owners — business contact Personal Data only)
- End users of the mobile applications Customer tests — only to the extent their Personal Data appears inside the application under test and is captured in a screenshot or log during the crawl
Categories of Personal Data:
- Business contact details (name, email, organization) of Customer's personnel
- Any Personal Data visible on-screen or in logs during a crawl — this depends entirely on what the Customer's app contains. Customer is responsible for minimizing this (e.g. using synthetic test accounts, not production user data). See Section 6.
Special categories: Appintellect does not solicit special-category data. If Customer's app exposes it during a crawl, Customer confirms it has a lawful basis for processing and understands Appintellect will handle it with the same measures applied to other Personal Data.
4. Customer responsibilities
Customer warrants that it:
- Has a lawful basis for all Processing it instructs Appintellect to perform
- Has provided all required notices and obtained all required consents from Data Subjects
- Will not use production user data in a crawl where synthetic test data would suffice
- Will not instruct processing that violates Data Protection Laws
5. Appintellect obligations
Appintellect will:
- Process Personal Data only on Customer's documented instructions
- Ensure personnel authorized to process Personal Data are bound by confidentiality
- Implement and maintain the security measures in Annex II
- Assist Customer with Data Subject requests (Section 7)
- Assist Customer with DPIAs and consultations with Supervisory Authorities (Article 35 / 36 GDPR) to the extent the information is reasonably within Appintellect's control
- Notify Customer of Personal Data Breaches per Section 8
- Make available all information necessary to demonstrate compliance and allow audits per Section 11
- At Customer's choice, delete or return Personal Data at end of service per Section 9
6. Data minimization for crawls
Appintellect provides features to help Customer minimize Personal Data captured during a crawl:
- Login recipes — use synthetic test accounts, not real end-user credentials
- Retention controls — set the retention period below the {{default_retention_days}}-day default if a shorter period is acceptable
- Early deletion — DELETE /projects/{id} purges crawl data on demand, retaining only the AI spend ledger (non-personal, per-tenant aggregate)
Customer is responsible for exercising these controls.
7. Data Subject requests
If a Data Subject contacts Appintellect directly with a request to exercise their rights (access, rectification, erasure, restriction, portability, objection), Appintellect will:
- Not respond to the substance of the request itself
- Forward it to Customer within 5 business days
- Assist Customer with responding (providing exports, performing deletions inside Appintellect's systems at Customer's instruction)
8. Personal Data Breach notification
Appintellect will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent known:
- Nature of the breach, including the categories and approximate number of Data Subjects and records affected
- Likely consequences
- Measures taken or proposed to address the breach and mitigate harm
- Contact point for further information
Appintellect maintains an internal incident-response plan covering detection, containment, eradication, recovery, and post-incident review.
9. Deletion or return
On termination or expiration of the Agreement, at Customer's choice Appintellect will either delete or return all Personal Data within 30 days. Copies retained only where required by law will be isolated from active processing and deleted when the legal basis for retention expires. AI spend ledger entries may be retained in aggregate, non-personal form for billing audit.
10. Sub-processors
Customer authorizes Appintellect to engage the Sub-processors listed in subprocessors.md. Appintellect will:
- Flow down the obligations of this DPA to each Sub-processor in writing
- Remain liable to Customer for each Sub-processor's performance
- Give Customer at least 30 days' prior notice of any intended addition or replacement of a Sub-processor, by updating subprocessors.md and emailing active contacts
- Allow Customer to object in writing on reasonable data-protection grounds; if the objection cannot be resolved, Customer may terminate the affected portion of the Service without penalty
11. Audits
Appintellect will make available to Customer, on reasonable request and no more than once per 12 months except where required by a Supervisory Authority or following a Personal Data Breach:
- Current SOC 2 Type II report or equivalent third-party assessment (when available; during the pilot phase Appintellect will provide a written security summary instead)
- Completed security questionnaire
- Reasonable assistance with on-site audits where the above is insufficient; scope, timing, and duration to be agreed in advance
12. International transfers
Where Customer is in the EEA, UK, or Switzerland and Personal Data is transferred to a country without an adequacy decision:
- The EU SCCs (Module Two: Controller-to-Processor) are incorporated by reference; Annex I / II / III of the SCCs are populated from the corresponding Annexes of this DPA
- The UK International Data Transfer Addendum applies where UK Personal Data is transferred
- The Swiss FADP supplements apply where Swiss Personal Data is transferred
Appintellect currently processes Personal Data in the United States (Google Cloud us-east1).
13. Liability
Liability under this DPA is subject to the limitations and exclusions in the Agreement. Nothing in this DPA excludes or limits liability that cannot lawfully be excluded.
14. Conflict
In case of conflict: (1) applicable law, (2) the SCCs, (3) this DPA, (4) the Agreement.
Annex I — Processing details
A. List of parties
- Controller / data exporter: Customer, as identified in the Agreement
- Processor / data importer: {{LegalEntity}}, {{company_postal_address}}
B. Description of processing — see Section 3 of this DPA.
C. Competent Supervisory Authority — {{lead_supervisory_authority}} (for EEA transfers), the ICO (for UK), the FDPIC (for Switzerland).
Annex II — Technical and organizational measures
Appintellect maintains the following measures, reviewed at least annually:
- Encryption — TLS 1.3 in transit; GCP-managed encryption at rest; application-level encryption for customer-provided third-party API keys
- Access control — per-tenant API keys for the service; SSO with 2FA for internal access; least-privilege IAM on production infrastructure; quarterly access review
- Logging and monitoring — audit logs on production data access; alerting on anomalous access patterns
- Network security — private VPC; production access through a bastion or IAP only; TLS-only public endpoints
- Vulnerability management — automated dependency scanning; container base-image updates; responsible-disclosure policy at {{security_contact_email}}
- Backups — daily encrypted backups, 30-day rolling, tested quarterly
- Incident response — documented IR plan, breach notification procedure per Section 8
- Personnel — confidentiality agreements, security training at hire and annually, background checks where legally permitted
- Physical security — production infrastructure hosted on Google Cloud, inheriting GCP's physical-security controls
Annex III — Sub-processors
See subprocessors.md for the current list.