Data Processing Agreement | Apex Growth Data

This Data Processing Agreement ("DPA") forms part of the Service Agreement between Apex Growth Data (the "Processor") and the entity engaging our research services (the "Controller").

1. Subject Matter and Duration

The Processor provides bespoke market research services. This DPA applies to all personal data (professional B2B contact info) processed by the Processor on behalf of the Controller during the term of the service.

2. Roles and Instructions

The Setup:

The Controller defines the target criteria (e.g., specific industries or roles). The Processor executes the research instructions to find and verify this data.

The Processor shall process data only on documented instructions from the Controller, unless required to do so by European Union or Member State law.

3. Security of Processing

Taking into account the state of the art and the nature of processing, Apex Growth Data implements strict Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk, including:

Encryption of data in transit and at rest.
Strict access controls restricted to authorized analysts.
Periodic security audits of research pipelines.
Ensuring the ongoing confidentiality, integrity, and availability of processing systems.

4. Sub-processors

The Controller grants a general authorization to the Processor to engage sub-processors (e.g., cloud hosting, email verification tools). A list of current sub-processors is available upon request. The Processor shall remain fully liable to the Controller for the performance of sub-processors' obligations.

5. Rights of Data Subjects

The Processor shall, to the extent possible, assist the Controller in fulfilling its obligations to respond to requests for exercising data subjects' rights (e.g., access, deletion, or rectification requests) as set out in Chapter III of the GDPR.

6. Notification of Data Breach

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. We will provide all necessary information to help the Controller meet their notification obligations.

7. Deletion or Return of Data

Upon completion of the research project, the Processor shall, at the choice of the Controller, delete or return all personal data processed on their behalf, unless statutory laws require the storage of the personal data.

8. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits or inspections.

9. Liability

The liability of the parties under this DPA shall be subject to the limitations of liability set out in the Provider's Terms of Service.