Data Processing Agreement (DPA)
1. Parties
Controller (the "Customer")
The legal entity holding the active APower Flex subscription, identified by its tenant code and registered company details provided at sign-up.
Processor
| Company | AConsultIT OÜ |
|---|---|
| Operating product | APower Flex (SaaS ERP) |
| Country of establishment | Republic of Estonia (EU) |
| General contact | legal@apowerflex.com |
| Privacy contact | privacy@apowerflex.com |
| Security contact | security@apowerflex.com |
2. Subject matter, nature and purpose
The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the APower Flex SaaS platform and the modules activated under the Customer's subscription (order management, invoicing, HR, fleet, IT services, scheduling, accounting, communication and related operational features).
2.1 Duration
This DPA remains in force for the duration of the subscription and until all Personal Data has been returned or deleted in accordance with Section 9.
3. Categories of data subjects and Personal Data
3.1 Categories of data subjects
- Customer's employees and contractors using the platform
- Customer's customers, suppliers, drivers and business contacts
- Customer's job applicants (if HR module is used)
3.2 Categories of Personal Data
- Identification: name, username, email, role
- Contact: phone number, address, company affiliation
- Operational: orders, invoices, working hours, project assignments, vehicle/driver records
- Authentication: hashed passwords (PBKDF2-SHA256), JWT session metadata
- Audit: action logs (who did what, when), IP address of administrative actions
No special categories of data (Art. 9 GDPR) are required by the platform. The Customer is responsible for ensuring no such data is uploaded into free-text fields without an appropriate legal basis.
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including the Customer's use of the platform interface (Art. 28(3)(a) GDPR);
- Ensure that personnel authorised to process the Personal Data have committed themselves to confidentiality (Art. 28(3)(b));
- Implement the technical and organisational measures (TOMs) described in Section 7 (Art. 28(3)(c) and Art. 32);
- Respect the conditions in Section 6 for engaging sub-processors (Art. 28(2), 28(3)(d) and 28(4));
- Assist the Controller in responding to data subject requests (Art. 28(3)(e));
- Assist the Controller in ensuring compliance with Art. 32–36 GDPR (Art. 28(3)(f));
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services (Art. 28(3)(g); Section 9);
- Make available all information necessary to demonstrate compliance and allow for audits conducted by the Controller (Art. 28(3)(h)).
5. Obligations of the Controller
- Ensure a valid legal basis (Art. 6 GDPR) for all Personal Data uploaded into the platform.
- Inform its own data subjects about the processing performed via APower Flex.
- Configure user roles, retention periods and access controls appropriately.
- Promptly notify the Processor of any change that affects the lawful processing.
6. Sub-processors
The Controller grants the Processor a general authorisation to engage sub-processors, provided that the conditions of Art. 28(2) and 28(4) GDPR are met. The current list of approved sub-processors is published at /pages/subprocessors.html and forms an annex to this DPA.
The Processor shall notify the Controller by email at least 14 days before adding or replacing a sub-processor. The Controller may object on reasonable, documented data-protection grounds; in that case the parties shall negotiate a solution in good faith and, failing agreement, the Controller may terminate the affected service.
7. Technical & organisational measures (Art. 32 GDPR)
- Encryption in transit: TLS 1.2+ enforced, HSTS, modern ciphers only.
- Encryption at rest: Azure SQL Transparent Data Encryption (AES-256), encrypted backups.
- Password hashing: PBKDF2-SHA256, 100,000 iterations, 32-byte random salt, fixed-time verification.
- Secret management: Azure Key Vault via DefaultAzureCredential; no secrets in source.
- Authentication: JWT Bearer tokens signed with a 256-bit symmetric key; signature, issuer, audience and lifetime validated on every request.
- Tenant isolation: TenantId enforced server-side in every query; cross-tenant access denied at the data layer.
- Access control: Role-based access (user / admin / platform_admin), least-privilege.
- Web hardening: CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy.
- Rate limiting: Login 6/min/IP, API 300/min/IP, setup-init 2/10min/IP.
- Audit logging: immutable trail of administrative, privacy and data subject request (DSR) actions; JSON export.
- Hosting: Microsoft Azure EU regions only.
- Backups: automated, encrypted, geo-redundant within the EU; tested restores.
- Patch management: .NET runtime and dependencies kept current; security advisories monitored.
Detailed and up-to-date measures are published at /pages/trust-security.html.
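The password-hashing measure listed above (PBKDF2-SHA256, 100,000 iterations, 32-byte random salt, fixed-time verification) in working form, as an added illustration and not APower Flex's own code. The `$`-separated storage format, the 32-byte derived-key length and the `needs_rehash` policy check are assumptions made for the example; the DPA states only the algorithm, iteration count, salt size and constant-time comparison.

```python
import hashlib
import hmac
import os

# Policy values taken from Section 7 of the DPA.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 32
# Assumption: the derived-key length is not stated on the page; 32 bytes
# matches the SHA-256 output size.
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing hash: algorithm$iterations$salt_hex$dk_hex.

    The salt is fresh per password (os.urandom), so two users with the
    same password get different hashes. Storing the iteration count lets
    the policy be raised later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time verification against a stored hash.

    Any malformed record returns False rather than raising, and the
    algorithm tag is checked so a tampered record cannot downgrade the
    scheme. hmac.compare_digest avoids leaking the position of the first
    mismatching byte through timing.
    """
    try:
        alg, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if alg != ALGORITHM or iterations <= 0 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a stored record is below the current policy.

    Called after a successful login, this is the point at which an old
    record (fewer iterations or a shorter salt) is transparently upgraded
    with the cleartext the user just supplied.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS or len(bytes.fromhex(parts[2])) < SALT_BYTES
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("valid:", verify_password("correct horse battery staple", record))
    print("wrong:", verify_password("wrong password", record))
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

The verifier rejects a record whose algorithm tag is not the expected one, which is the check that matters if an attacker with write access to the credential store tries to substitute a cheaper scheme; the iteration count is read from the record only after that tag has been accepted.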
8. Personal data breach notification (Art. 33)
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach (Art. 33(2)), and in any event within 72 hours, providing at minimum:
- the nature of the breach, including the categories and approximate number of data subjects and records affected;
- the name and contact details of a contact point where more information can be obtained;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects.
Where this information cannot be provided all at once, it shall be provided in phases as it becomes available. The Controller remains responsible for notification to the supervisory authority (Art. 33(1)) and, where required, to the affected data subjects (Art. 34); the Processor shall assist with both as set out in Section 4.
9. Return or deletion of data
Upon termination of the services, the Controller may, within 30 days, export all data via the built-in export functions or request an export from the Processor. After this 30-day grace period, the Processor will securely delete all Personal Data from production systems. Encrypted backups are rotated and overwritten according to the standard backup retention cycle (maximum 35 days), so residual copies may remain in backups for at most 35 days after deletion from production.
10. International transfers
Personal Data is stored and processed exclusively within the European Union. Where a sub-processor unavoidably operates outside the EU, transfers shall only take place on the basis of an adequacy decision or the most recent EU Standard Contractual Clauses, complemented by supplementary measures as required by Schrems II.
11. Audit
The Controller may, no more than once per calendar year (or after a documented incident), request evidence of compliance — including ISO 27001 / SOC 2 reports of sub-processors, the current TOMs document and the sub-processor list. On-site audits may be performed by a mutually agreed independent auditor under appropriate confidentiality terms.
12. Governing law & jurisdiction
This DPA is governed by the laws of the Republic of Estonia. Any dispute shall be subject to the exclusive jurisdiction of the courts of the registered office of AConsultIT OÜ, without prejudice to mandatory provisions of the GDPR.
13. Signatures
By activating an APower Flex subscription, the Controller accepts this DPA. A counter-signed paper or PDF copy can be requested at any time at legal@apowerflex.com.
| Processor | AConsultIT OÜ — authorised representative Date: ____________________ |
|---|---|
| Controller | Customer legal entity — authorised representative Date: ____________________ |