
Data Processing Addendum

How APEX processes personal data on your behalf: roles, security measures, subprocessors, transfers, and your assistance rights.

Version 1 · Effective July 6, 2026 · Incorporated into the Terms of Service

Draft for the July 6, 2026 launch. This policy is incorporated by reference into the Terms of Service and is being finalized with legal counsel. Items marked "finalized at launch" will carry committed figures by the Effective Date. Questions: [email protected].

Effective July 6, 2026. This Data Processing Addendum (the "DPA") forms part of the Terms of Service (the "Agreement") between ApexAVCloud LLC ("APEX", "we", "us", or "our"), a Delaware limited liability company with offices at 5009 N Ashland Ave #3E, Chicago, IL 60640, and Customer, and governs APEX's processing of Personal Data on Customer's behalf in connection with the Services. Capitalized terms not defined here have the meaning given in the Agreement. Where this DPA conflicts with the Agreement on the subject of data protection, this DPA controls.

1. Definitions

"Data Protection Laws" means all Laws applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and U.S. state privacy laws such as the California Consumer Privacy Act as amended ("CCPA").

"Personal Data", "controller", "processor", "data subject", and "processing" have the meanings given in the GDPR (or the equivalent meanings under other applicable Data Protection Laws). "Customer Personal Data" means Personal Data within Customer Data that APEX processes on Customer's behalf.

2. Roles of the parties

As between the parties, Customer is the controller (or a processor acting on behalf of a third-party controller) of Customer Personal Data, and APEX acts as processor (or sub-processor). APEX processes Customer Personal Data only on Customer's documented instructions, which are set out in the Agreement, this DPA, and Customer's configuration and use of the Services, unless required to act otherwise by Law (in which case APEX will inform Customer, unless prohibited by Law).

3. APEX obligations

3.1. Confidentiality. APEX ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and process the data only as needed to provide the Services.

3.2. Security. APEX implements and maintains the technical and organizational measures described in Annex II, designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

3.3. Assistance. Taking into account the nature of the processing, APEX will provide reasonable assistance to enable Customer to (a) respond to requests from data subjects exercising their rights, and (b) meet its obligations regarding security, breach notification, data protection impact assessments, and prior consultation. The Services include self-service tools (export and deletion) that Customer can use to respond to many such requests directly.

3.4. Personal Data Breach. APEX will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to APEX to help Customer meet its notification obligations.

3.5. Deletion and return. On termination or expiry of the Agreement, APEX will delete Customer Personal Data in accordance with the data-lifecycle described on the Trust & Security page, except where retention is required by Law. Encrypted backups are rotated out on the schedule described there.

4. Subprocessors

Customer provides general authorization for APEX to engage subprocessors to process Customer Personal Data. APEX imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA, and remains responsible for each subprocessor's performance. The current subprocessors are:

APEX will give notice of any intended addition or replacement of a subprocessor (paid plans may subscribe to these notifications by email), giving Customer the opportunity to object on reasonable data-protection grounds.

5. International transfers

APEX stores and processes Customer Personal Data in the United States. Where Customer's transfer of Personal Data to APEX is subject to GDPR or UK data-transfer requirements, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum, where relevant) are incorporated by reference and apply to such transfers, with APEX acting as data importer. (The execution mechanics of the Clauses are being finalized at launch.)

6. Audits

APEX will make available information reasonably necessary to demonstrate compliance with this DPA, including third-party reports or certifications where available. On reasonable prior notice and no more than once per year (unless required by a supervisory authority), APEX will respond to a reasonable audit request, subject to confidentiality and to not compromising the security of other customers.

7. Annex I - Details of processing

Subject matter: provision of the Services.

Duration: the term of the Agreement plus the deletion window described on the Trust & Security page.

Nature and purpose: hosting, storage, monitoring, and processing of Customer Data to deliver AV operations, project management, field dispatch, device telemetry, vendor, asset, reporting, and related functionality.

Types of Personal Data: account and User identifiers (name, work email, role), authentication data, and device- and event-level data that may identify individuals (for example room-occupancy events, device-usage patterns, and call-quality metrics).

Categories of data subjects: Customer's Users, employees, contractors, visitors, and meeting participants.

8. Annex II - Technical and organizational measures

APEX maintains measures including: encryption of data at rest (full-disk/volume encryption on the database and attachment store) and in transit (TLS 1.2 or higher); per-tenant logical isolation enforced at the database layer (PostgreSQL row-level security) with a per-request tenant scope; role-based access control with signed (RS256 JWT) sessions; an append-only audit trail of significant actions; least-privilege administrative access; encrypted, rotated backups; and US-based data residency. The detailed control set is summarized on the Trust & Security page and in the technical documentation.