Legal

Data Processing Agreement

Last updated 13 July 2026. This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Controller”) and ApexX ApS (the “Processor”) for the use of Kvix, and reflects the parties’ obligations under Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679).

1. Parties

Controller: the customer entity that has entered into the Kvix subscription agreement.
Processor: ApexX ApS, Copenhagen, Denmark, CVR 44 84 25 05.

2. Subject matter & duration

The Processor processes personal data on behalf of the Controller only as necessary to provide the Kvix service. The DPA remains in force as long as the Processor processes personal data for the Controller.

3. Nature & purpose of processing

The Processor receives, stores, routes, analyses (including via AI), and transmits personal data submitted to the helpdesk by the Controller’s end users (customers contacting the Controller for support).

4. Types of personal data

  • Identifiers: name, email address, optionally phone number.
  • Communications content: subject lines, message bodies, attachments.
  • Technical metadata: IP addresses, timestamps, message headers.
  • Optionally, any further data the end user volunteers in a support request.

5. Categories of data subjects

End-users and customers of the Controller who contact the Controller through Kvix.

6. Processor’s obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Art. 32 GDPR), including encryption in transit and at rest, access controls, regular backups, and audit logging.
  • Assist the Controller in responding to data subject requests.
  • Assist the Controller with breach notifications, data protection impact assessments, and consultations with supervisory authorities.
  • Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach.
  • At the Controller’s choice, delete or return all personal data at the end of the service, unless retention is required by EU or Member State law.
  • Make available all information necessary to demonstrate compliance, and allow audits, as reasonably requested by the Controller.

7. Sub-processors

The Controller authorises the Processor to engage sub-processors, listed below. The Processor will inform the Controller of any intended changes by email at least 30 days in advance, giving the Controller an opportunity to object. The current sub-processors are:

  • Amazon Web Services EMEA SARL — hosting, storage (eu-west-1, Ireland).
  • Amazon Web Services EMEA SARL (SES) — outbound and inbound email delivery (eu-west-1, Ireland).
  • Stripe Payments Europe Ltd. — billing (Ireland).
  • Anthropic PBC — AI inference for ticket suggestions (United States; SCCs in place; data not retained for model training).
  • OpenAI Ireland Ltd. — embeddings for knowledge-base search (Ireland; data not retained for model training).
  • Cloudflare Inc. — CDN, WAF, and TLS termination (United States; SCCs in place).
  • Sentry GmbH — error monitoring (Germany).

8. International transfers

Where a sub-processor processes personal data outside the European Economic Area, the Processor relies on the European Commission’s Standard Contractual Clauses (Decision 2021/914) together with supplementary measures, including encryption and contractual prohibitions on use of the data for any purpose other than providing the service.

9. Security measures (Art. 32)

  • TLS 1.2+ for all data in transit.
  • AES-256 encryption at rest for primary data stores and backups.
  • Principle of least privilege for staff access, with audit logs.
  • Mandatory MFA on all internal systems.
  • Daily encrypted backups with point-in-time recovery for 30 days.
  • Regular vulnerability scanning and dependency patching.
  • Documented incident response procedure with defined roles and timelines.

10. Audits

The Controller may, on reasonable notice and subject to confidentiality, audit the Processor’s compliance with this DPA, no more than once per calendar year, except where required more frequently by a supervisory authority. Standard third-party audit reports (where available) may be used to satisfy this obligation.

11. Deletion & return

On termination of the service, the Controller may export all of its data via the product’s export tools. The Processor will delete all personal data within 30 days of termination, subject to any legal retention obligations on the Processor.

12. Contact

For DPA matters, data subject requests forwarded by the Controller, or breach notifications, contact: [email protected].