← Back

Data Processing Addendum

Effective: May 27, 2026

This Data Processing Addendum ("DPA") forms part of the Apex Terms of Service between Apex ("Processor") and the customer ("Controller") and applies where Apex processes Personal Data on behalf of the Controller subject to the GDPR, UK GDPR, or equivalent data protection laws.

1. Subject matter and duration

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Service. Processing continues for the term of the underlying agreement.

2. Nature and purpose

Hosting, storage, access control, billing, and operational support for construction financial workflows.

3. Types of data and data subjects

  • Identifiers: name, email, account metadata.
  • Business records: project, billing, lien, and document data submitted by the Controller.
  • Data subjects: Controller's employees, contractors, and counterparties.

4. Processor obligations

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure persons authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller with data subject requests and incident response.
  • Notify the Controller without undue delay of any Personal Data Breach.

5. Subprocessors

The Controller authorizes the Processor to engage subprocessors for hosting, payments, and email delivery. A current list is available on request. The Processor remains liable for subprocessor performance.

6. International transfers

Where Personal Data is transferred outside the EEA/UK, the parties rely on Standard Contractual Clauses or other approved transfer mechanisms.

7. Deletion or return

On termination, the Processor will delete or return all Personal Data within 90 days, except where storage is required by law.

8. Audits

The Processor will make available all information reasonably necessary to demonstrate compliance and allow for audits, including by Controller-mandated auditors, on reasonable notice and subject to confidentiality.

Contact

dpo@billslash.app