This Data Processing Addendum (DPA), including its Annexes, supplements the agreement between Office Data Apps sp. z o.o. (also referred to as Ablebits or Company) and the Customer governing the provision of the Ablebits Services (the Agreement). This DPA is subject to the terms of the Agreement, including its limitations of liability, which apply in aggregate to all claims arising under both the Agreement and this DPA, and not separately to each party. In the event of any conflict between the Agreement and this DPA, the terms of this DPA shall prevail.
2. Definitions
Applicable Data Protection Laws (Applicable Laws) means all applicable data protection and privacy laws, including, but not limited to, the European Data Protection Laws (GDPR), the California Consumer Privacy Act (CCPA), and similar U.S. state laws.
Controller shall be interpreted consistent with Applicable Data Protection Laws and includes "controller" as that term is defined under European Data Protection Laws and Applicable Data Protection Laws in the U.S. and "business" as defined in the CCPA.
Processor shall be interpreted consistent with Applicable Data Protection Laws and includes "processor" as the term is defined under European Data Protection Laws and "service provider" or "contractor" as defined in the CCPA.
Third-Party Controller means a Controller for which the Customer acts as a Processor.
Subprocessor means any person engaged by Ablebits to process personal data on behalf of the Customer in connection with the Agreement.
Personal Data means any information relating to an identified or identifiable natural person processed by Ablebits as a Processor on behalf of the Customer pursuant to the Agreement. This includes "Personal Data" under the GDPR and "Personal Information" under the CCPA.
Data Subject means an individual whose Personal Data is processed, as defined under Applicable Data Protection Laws, including the GDPR.
Data Subject Rights means the rights granted to Data Subjects under Applicable Data Protection Laws, which may include rights to access, rectification, erasure, data portability, objection, restriction of processing, withdrawal of consent, and protection from automated decision-making.
Data Transfer means any disclosure of Personal Data to a recipient in a country outside the European Economic Area (EEA), the UK, or Switzerland.
EU-US Data Privacy Framework means the adequacy decision laid down in Commission Implementing Decision (EU) 2023/1795 of July 10 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745.
SCCs means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time.
UK Addendum means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21 2022).
3. Scope
This DPA applies to the processing of Personal Data by Ablebits in connection with the Agreement. The subject matter, nature, and purpose of the processing, along with the types of Personal Data and categories of Data Subjects, are detailed in Annex 1, which forms an integral part of this DPA.
The Customer acts as a Controller of the Personal Data and appoints Ablebits as a Processor of such data. The Customer is responsible for complying with the obligations of Controllers under Applicable Data Protection Laws. Where required, the Customer shall provide appropriate notice to Data Subjects regarding the processing of their Personal Data by Ablebits and shall obtain any necessary consents to ensure lawful processing in accordance with Applicable Data Protection Laws.
Ablebits acts as a Processor of the Personal Data on behalf of the Customer or a Third-Party Controller pursuant to the Agreement. Ablebits shall process Personal Data in accordance with Applicable Data Protection Laws and shall ensure a level of protection consistent with its obligations under this DPA.
Where the Customer acts as a Processor on behalf of a Third-Party Controller, the Customer shall:
serve as the sole point of contact for Ablebits;
obtain all necessary authorizations from the Third-Party Controller to engage Ablebits as a Subprocessor;
ensure that the Third-Party Controller has provided the required notices and obtained any necessary consents from Data Subjects for the processing described in this DPA;
issue all instructions and exercise all rights on behalf of the Third-Party Controller under this DPA.
4. Processing of personal data
Ablebits shall process Personal Data only on the Customer's documented instructions, unless otherwise required by Applicable Laws. Such instructions are set forth in this DPA, the Agreement, and any applicable statement of work. Ablebits shall process Personal Data solely for the limited and specific purposes described in those documents or as otherwise permitted under Applicable Data Protection Laws.
Where permitted by Applicable Data Protection Laws, the Customer may take reasonable and appropriate steps to ensure that Ablebits processes Personal Data in a manner consistent with the Customer's own legal obligations as a Controller.
For purposes of the California Consumer Privacy Act (CCPA), and except as expressly permitted by the CCPA, Ablebits shall not:
sell or share Personal Data;
retain, use, or disclose Personal Data for any purpose other than performing the Services;
retain, use, or disclose Personal Data outside of the direct business relationship with the Customer.
The parties further acknowledge and agree that any exchange of Personal Data under the Agreement does not constitute consideration for any goods or services provided and therefore does not form part of the commercial value exchanged between the parties.
If Ablebits is required by Applicable Laws to process Personal Data in a manner that conflicts with the Customer's instructions, Ablebits shall, unless legally prohibited, inform the Customer of such obligation prior to processing.
5. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ablebits shall in relation to the Personal Data implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to that risk, including, as appropriate, the measures listed in Annex 2.
In assessing the appropriate level of security, Ablebits shall take account in particular of the risks presented by the processing, including the risk of a Personal Data breach.
6. Subprocessing
The Customer hereby authorizes Ablebits to engage Subprocessors for the processing of Personal Data. A current list of authorized Subprocessors is available at https://www.ablebits.com/docs/ablebits-subprocessors/.
Ablebits shall enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set forth in this DPA and as required under Applicable Data Protection Laws.
Ablebits will provide prior written notice to the Customer of any intended addition or replacement of Subprocessors. The Customer may object to such changes by submitting a written objection, including reasonable grounds relating to data protection, within thirty (30) days of receiving the notice.
Upon receiving a valid objection, the parties will work together in good faith to reach a mutually acceptable resolution. If no resolution is reached and Ablebits elects to proceed with the Subprocessor, Ablebits shall notify the Customer of its intention at least thirty (30) days before authorizing the Subprocessor to process Personal Data. In such a case, the Customer may stop using the Services and terminate the Agreement by providing written notice within thirty (30) days following Ablebits' notification.
7. Data subject rights
Taking into account the nature of the processing and the information available to Ablebits, the Company shall assist the Customer in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Laws. This assistance shall include the implementation of appropriate technical and organizational measures, where feasible.
Ablebits shall:
promptly notify the Customer upon receiving a request from a Data Subject relating to Personal Data, including requests to access, rectify, erase, restrict, object to processing, or exercise any other rights under Applicable Data Protection Laws;
not respond to any such request directly, unless instructed to do so by the Customer in writing or required to do so by Applicable Laws;
where legally required to respond independently, inform the Customer of such obligation prior to responding, unless prohibited by law;
provide reasonable assistance to the Customer in fulfilling its obligations to respond to such requests, to the extent Ablebits is able and permitted.
8. Data protection impact assessments and prior consultation
Upon request, Ablebits shall provide reasonable assistance to the Customer in carrying out data protection impact assessments and, where applicable, prior consultation with supervisory authorities, in accordance with Articles 35 and 36 of the GDPR or equivalent provisions of Applicable Data Protection Laws.
9. Deletion or return of personal data
Upon termination of the Agreement, this DPA shall also terminate. The Customer may request the return of Personal Data held by Ablebits or its Subprocessors within ninety (90) days of such termination. Following such return or, if no request is made, after the expiration of the 90-day period, Ablebits shall delete all remaining copies of Personal Data within one hundred eighty (180) days, unless retention is required or permitted by Applicable Data Protection Laws. In such cases, Ablebits shall retain the data only to the extent and for the duration required by law and shall ensure the confidentiality and security of all retained data in accordance with this DPA.
10. Audit rights and compliance
Subject to this Section, and upon reasonable written request of the Customer, Ablebits shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Where applicable and permitted by law, Ablebits may satisfy this obligation by providing a summary of its most recent third-party audit reports, certifications, or assessments relevant to the Services and Ablebits' data protection practices.
Where required by Applicable Data Protection Laws, or otherwise agreed between the parties, the Customer may conduct reasonable audits or inspections (including through a designated independent auditor, bound by confidentiality) to verify Ablebits' compliance with this DPA. Any such audit shall be conducted with reasonable prior notice, during normal business hours, and in a manner that does not unreasonably interfere with Ablebits' business operations. The Customer shall bear all costs associated with the audit.
Solely for the purposes of the CCPA, Ablebits shall promptly notify the Customer if it determines that it can no longer meet its obligations under the CCPA. Upon receiving such notice, the Customer may direct Ablebits to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
11. Personal data breach
Ablebits shall notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Personal Data. The notification shall include sufficient information to enable the Customer to comply with the Customer's obligations to notify supervisory authorities and/or affected Data Subjects under Applicable Data Protection Laws.
Such notification shall, to the extent reasonably possible, include:
a description of the nature of the breach, including, where feasible, the categories and approximate number of affected Data Subjects and records;
the likely consequences of the breach;
the measures taken or proposed by Ablebits to address the breach, including measures to mitigate its possible adverse effects;
contact details for further inquiries.
Ablebits shall cooperate fully with the Customer and take all reasonable and commercially appropriate steps, as directed by the Customer, to assist in the investigation, containment, mitigation, and remediation of the breach, including any communications required by Applicable Data Protection Laws.
12. Data transfers
The Customer authorizes Ablebits to transfer Personal Data to:
any country recognized by the European Commission, UK authorities, or Swiss authorities as providing an adequate level of data protection, including transfers made pursuant to the EU-US Data Privacy Framework;
recipients located in countries not deemed adequate, provided that such transfers are made using appropriate safeguards in accordance with European Data Protection Laws, including the SCCs and the UK Addendum, as further described below.
12.1. Standard Contractual Clauses (SCCs)
By entering into this DPA, the parties agree to incorporate the EU SCCs annexed to the European Commission Implementing Decision (EU) 2021/914 of June 4 2021 as follows:
Clause 8 Module Two ("Transfer controller to processor") applies where the Customer acts as a Controller and Ablebits acts as a Processor.
Clause 8 Module Three ("Transfer processor to processor") applies where the Customer is a Processor acting on behalf of a Third-Party Controller and Ablebits is engaged as a Subprocessor.
The "data exporter" is the Customer; the "data importer" is Ablebits.
The following options and terms apply to the SCCs:
Clause 7 ("Docking clause"): Included.
Option 2 of Clause 9(a) ("Use of Sub-processors") is selected. The notification period is as specified in Section 6 of this DPA.
The optional redress in Clause 11(a) is excluded.
Option 1 of Clause 17 ("Governing law") is selected. The governing law is the law of the Republic of Poland.
Clause 18(b) ("Choice of forum and jurisdiction"): The courts of the Republic of Poland shall have jurisdiction.
Annexes I and II of the SCCs are set forth in Annexes 1 and 2 of this DPA.
For Data Transfers from Switzerland, Data Subjects habitually residing in Switzerland may bring claims before the courts of Switzerland, in accordance with the SCCs.
12.2. UK Addendum
By entering into this DPA, the parties agree to incorporate the UK International Data Transfer Addendum to the EU Commission SCCs (version B1.0, in force March 21 2022), which applies to transfers of Personal Data from the United Kingdom. The Addendum is completed as follows:
Table 1: The "Exporter" is the Customer; the "Importer" is Ablebits. The relevant details are set forth in this DPA and the Agreement.
Table 2: The first option is selected; the "Approved EU SCCs" are the SCCs referred to in Section 12.1 of this DPA.
Table 3: Annexes 1A and 1B of the Approved EU SCCs are Annex 1, sections A and B, of this DPA. Annex II is Annex 2 of this DPA.
Table 4: Both the "Exporter" and the "Importer" may terminate the Addendum.
Annex 1. Data processing description
A. List of parties
Controller / Data Exporter (Customer):
Name: [Insert Customer's full legal name]
Address: [Insert Customer's address]
Contact Person: [Insert name, title, and email address]
Activities relevant to the data transferred under these Clauses: Processing of Personal Data solely for the purposes of the Agreement
Role: Controller (or Processor acting on behalf of a Controller)
Signature and date:
Processor / Data Importer (Company):
Name: Office Data Apps sp. z o.o.
Address: Brukowa 3, 05-092 Lomianki, Poland
Contact Person: [Insert name, title, and email address]
Activities relevant to the data transferred under these Clauses: Processing of Personal Data solely for the purposes of the Agreement
Role: Processor (or Subprocessor, where applicable)
Signature and date:
B. Description of transfer
Categories of Data Subjects:
Employees or contractors of the Customer.
Categories of Personal Data Transferred:
Names, email addresses, and contact details;
Communication metadata (for example IP addresses, timestamps, email headers);
User-generated content submitted via the Ablebits Services;
Account identifiers or login-related data;
Any other Personal Data submitted by the Customer through the use of the Services.
Special Categories of Data (if applicable):
Not intended to be transferred. The Services are not designed to process special categories of data (for example health, biometric, or political opinion data). Any such processing occurs only if initiated by the Customer.
Nature of the Processing:
Collection, storage, access, use, transmission, and deletion of Personal Data as necessary to provide the Services in accordance with the Agreement.
Purposes of the Processing:
To provide and support the Ablebits Services as described in the Agreement;
To ensure service functionality, reliability, performance, and security;
To fulfill legal or regulatory obligations, where applicable.
Duration of the Processing:
For the duration of the Agreement, unless otherwise required by law.
Frequency of the Transfer:
Continuous or as determined by the Customer's use of the Services.
For Data Transfers governed by the GDPR, the competent supervisory authority shall be the supervisory authority of the EU Member State in which the Customer is established.
For Data Transfers from Switzerland, the Swiss Federal Data Protection and Information Commissioner (FDPIC) shall be the competent supervisory authority.
For Data Transfers from the UK, the UK Information Commissioner's Office (ICO) shall be the competent supervisory authority.
Annex 2. Technical and organizational measures
These measures are subject to change as part of the Company's continuous improvement and security governance programs. Material changes impacting the security of Personal Data will be communicated as outlined in the Agreement.
A. Organizational measures
This section outlines the foundational security governance practices implemented by the Company. They include leadership assignments, formalized policies, and internal oversight processes that ensure data protection responsibilities are clearly defined, documented, and enforced. The following organizational measures are in place:
Annual review and approval of internal security and privacy procedures;
Internal audits and risk assessments to evaluate policy effectiveness;
Defined roles and responsibilities for incident response and escalation.
B. Physical security
This section covers the protections in place to physically secure the Company's facilities, hardware, and storage media. Physical security measures help prevent unauthorized access to data processing environments and ensure sensitive materials are disposed of securely. The physical security measures in place include:
Restricted access to office and secure zones;
Face-recognition entry systems and access logging;
Visitor escort requirements and physical sign-in procedures;
CCTV monitoring and controlled access to infrastructure facilities.
C. Access control
These measures govern how users are identified, authenticated, and authorized to access systems and data. To prevent unauthorized or excessive access to Personal Data, the Company enforces least privilege, role-based access, and regular access reviews. The following access control measures are implemented:
Centralized identity and access management (IAM) with individual credentials;
Role-Based Access Control (RBAC) with periodic review;
Strong password requirements and regular credential rotation;
Mandatory Multi-Factor Authentication (MFA) across all sensitive systems;
Temporary and third-party access with expiration and audit trail;
Regular review and revocation of unnecessary access.
D. Training and awareness
To support a strong security culture, the Company conducts regular cybersecurity training and awareness activities. These programs are tailored to user roles and responsibilities, ensuring personnel understand how to handle Personal Data securely and respond to emerging threats. The following training and awareness initiatives are conducted:
Mandatory data protection and privacy training for employees;
Role-specific privacy and security training;
Regular awareness campaigns;
Policy acceptance and acknowledgment tracking;
Post-incident and ad hoc training after major events or policy updates.
E. Asset and operations management
These measures describe how the Company manages devices, software, and operational security controls. They include requirements for antivirus protection, endpoint compliance, BYOD enforcement, and backup operations to maintain the integrity and availability of systems and data. The Company has implemented the following measures:
Inventory management of data processing systems and devices;
Regular patching and vulnerability remediation;
Antivirus and XDR agents required on all devices;
Data classification and handling guidelines;
Backup and recovery procedures;
A BYOD policy, including full-disk encryption, VPN, remote wipe, and firewall.
F. Application and infrastructure security
This section defines the security practices integrated into software development, deployment, and infrastructure management. This includes secure coding, CI/CD controls, vulnerability management, patching, and secrets handling to reduce the risk of exploitable system weaknesses. The following security practices are applied across applications and infrastructure:
Secure Software Development Lifecycle (SDLC) incorporating Static Application Security Testing (SAST) and secure coding standards based on the OWASP Top 10;
Regular code reviews and automated security testing;
CI/CD pipelines with enforced peer reviews and artifact signing;
Infrastructure as Code (IaC) version-controlled and reviewed;
A web application firewall (WAF) in production environments;
Patch management and baseline hardening;
Secrets managed through an approved vault system.
G. Encryption and data protection
The Company protects Personal Data through encryption and strict data handling protocols. This includes strong cryptographic standards, secure key management, and data classification rules to ensure data confidentiality and compliance with regulatory requirements. The Company applies the following encryption and protection techniques:
Encryption of data at rest and in transit using AES-256 and TLS 1.2+;
Full-disk encryption on all company-managed and BYOD devices;
Prohibition of insecure protocols;
Key management using vaults, HSMs, and access-restricted tools.
H. Monitoring and logging
These controls ensure the Company can detect, investigate, and respond to unauthorized activity. System access, administrative actions, and deployment events are logged and monitored in real time, with retention periods and alerting processes that support incident response. The following monitoring and logging controls are in effect:
Centralized logging of user activity, admin actions, and access events;
Real-time monitoring and alerting for authentication anomalies and policy violations;
CI/CD audit trails for deployments, infrastructure changes, and privileged actions;
Log retention for a minimum of ninety (90) days (general) and one (1) year (privileged).
I. Incident management
This section describes the Company's ability to detect, respond to, and recover from security incidents and operational disruptions. It includes defined response procedures, Disaster Recovery testing, and Business Continuity plans to minimize downtime and data loss. The following incident response and recovery practices are in place:
A documented incident response plan;
24/7 monitoring and alerting systems;
Defined roles and responsibilities during incidents;
Breach notification procedures aligned with GDPR/CCPA;
Root cause analysis and post-incident review;
Disaster Recovery and Business Continuity tests conducted regularly.
Annex 3. Regional data hosting locations
The following regions are currently available but may be subject to change depending on customer and user requests:
Please contact us here