AppDNA AI DPA

Data Processing Agreement

between AppDNA AI, Inc. (Processor) and the Client (Controller)

Version 1.3 — Public Self-Service Version


Effective Date: Published 1st January 2026. This DPA takes effect for each Customer as set out in the "Acceptance and Auto-Execution" section at the end of this document.


1. Parties

This Data Processing Agreement (the "DPA") is entered into by and between:

  • AppDNA AI, Inc., a Delaware corporation with offices at 1007 N Orange St., 4th Floor Suite #4331, Wilmington, DE 19801, United States ("AppDNA," "Provider," or "Processor"); and

  • Customer (the "Client" or "Controller"), being the entity that has accepted the AppDNA Terms of Service or signed a Statement of Work with AppDNA, and whose legal entity, address, and contact details are those provided by Customer at registration with AppDNA or as updated in the Console (or, where a Statement of Work has been signed, as set forth in that Statement of Work),

each a "Party" and together the "Parties."


2. Background and Scope

2.1 The Parties have entered into a commercial relationship under (a) the AppDNA Terms of Service available at https://appdna.ai/legal/terms (the "Terms"), (b) the AppDNA SDK End User License Agreement available at https://appdna.ai/legal/sdk-eula (the "EULA") where Customer uses the SDK, and/or (c) a signed Statement of Work between Customer and AppDNA (the "SOW") (collectively, the "Commercial Agreement"), under which AppDNA provides app growth and marketing services, including the AppDNA AI web platform (the "Console") and the AppDNA SDK (the "SDK") (collectively, the "Services").

2.2 In the course of providing the Services, AppDNA processes Personal Data on behalf of Client. This DPA sets forth the terms on which AppDNA processes such Personal Data and complies with the Parties’ obligations under applicable Data Protection Laws.

2.3 This DPA is incorporated into and forms an integral part of the Commercial Agreement. In the event of any conflict between the Commercial Agreement and this DPA on data-protection matters, this DPA controls.


3. Definitions

Capitalized terms used but not defined in this DPA have the meanings given to them in the Commercial Agreement or, if not defined there, in the applicable Data Protection Laws. The following terms have the meanings set forth below:

"Affiliate": any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

"Aggregated Data": data that has been de-identified and/or aggregated such that it does not, and cannot reasonably be used to, identify any natural person.

"Authorized Affiliate": an Affiliate of Client that has signed an Order or otherwise receives Services under the Commercial Agreement.

"CCPA / CPRA": the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act, and its implementing regulations.

"Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Personal Data Breach": have the meanings given in the GDPR (and the UK GDPR where applicable); equivalent terms under other Data Protection Laws (such as "Business," "Service Provider," "Consumer," and "Personal Information" under CCPA/CPRA) have the corresponding meanings.

"Data Protection Laws": all laws and regulations applicable to a Party’s processing of Personal Data under this DPA, including (as applicable): (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the UK Data Protection Act 2018 and the UK GDPR; (c) the Swiss Federal Act on Data Protection; (d) the CCPA/CPRA; (e) the Polish Personal Data Protection Act of 10 May 2018; and (f) any other applicable national or sub-national data protection or privacy law.

"EEA": the European Economic Area.

"Restricted Transfer": a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country not subject to an adequacy decision by the relevant authority.

"SCCs" / "Standard Contractual Clauses": the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and any successor thereto.

"Sub-processor": any third-party processor (including AppDNA Affiliates) engaged by AppDNA to process Personal Data on behalf of Client.

"UK Addendum": the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, version B1.0 (in force 21 March 2022) as amended.


4. Roles and Scope of Processing

4.1 Roles. With respect to Personal Data processed under this DPA, the Parties acknowledge and agree that, as between the Parties: (a) Client is the Controller (or, where Client is itself a Processor for a third-party Controller, Client acts as Processor and AppDNA acts as Sub-processor; in such case, Client represents that it has authority to engage AppDNA on terms equivalent to those agreed between Client and the third-party Controller); and (b) AppDNA acts as Processor and processes Personal Data only on documented instructions from Client.

4.2 CCPA Status. To the extent CCPA/CPRA applies, Client is a "Business" and AppDNA is a "Service Provider." AppDNA shall not: (a) "sell" or "share" (as those terms are defined under CCPA/CPRA) Personal Data; (b) retain, use, or disclose Personal Data outside the direct business relationship between AppDNA and Client; or (c) combine Personal Data received from Client with Personal Data received from other sources, except as permitted by CCPA/CPRA. AppDNA certifies that it understands these restrictions and shall comply with them.

4.3 Subject Matter, Duration, Nature, and Purpose. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects of the Processing are set out in Annex 1 (Description of Processing).

4.4 AppDNA as Controller of Limited Data. AppDNA acts as an independent Controller (and not as Processor under this DPA) for: (a) account, login, billing, and contact data of Client’s personnel who use the Console; and (b) operational logs generated by AppDNA’s systems for security, billing, and service-improvement purposes. AppDNA’s processing of such data is governed by AppDNA’s Privacy Policy.


5. AppDNA Obligations as Processor

5.1 Documented Instructions. AppDNA shall process Personal Data only on documented instructions from Client. Client’s instructions are set out in this DPA, the Commercial Agreement, and through Client’s use and configuration of the Services (including instructions issued through the Console). Additional instructions outside the scope of the Services or this DPA require a written amendment and may be subject to additional fees. AppDNA shall promptly inform Client if, in AppDNA’s opinion, an instruction infringes applicable Data Protection Laws (without obligation to actively monitor compliance with non-EU laws).

5.2 Confidentiality. AppDNA shall ensure that personnel authorized to process Personal Data are bound by appropriate written confidentiality obligations or are under a statutory obligation of confidentiality.

5.3 Security Measures. AppDNA shall implement and maintain the technical and organizational measures set out in Annex 2 (Technical and Organizational Measures) to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. AppDNA may update such measures from time to time provided the level of security is not materially diminished.

5.4 Personnel and Training. AppDNA shall ensure that personnel with access to Personal Data receive appropriate data-protection and security training and that access is granted on a need-to-know basis.

5.5 Data-Subject Requests. Taking into account the nature of the Processing, AppDNA shall, by appropriate technical and organizational measures, assist Client (insofar as possible) in responding to requests by Data Subjects to exercise their rights under Data Protection Laws. AppDNA shall promptly notify Client of any Data-Subject request received directly by AppDNA and shall not respond to such request itself, except as legally required or to confirm that the request relates to Client.

5.6 DPIA / Prior Consultation. AppDNA shall provide reasonable assistance to Client (at Client’s expense for non-routine assistance) with any data protection impact assessments and prior consultations with supervisory authorities required under Articles 35 and 36 GDPR.

5.7 Personal Data Breach Notification. AppDNA shall notify Client without undue delay, and in any event within seventy-two (72) hours after AppDNA becomes aware, of any Personal Data Breach affecting Client’s Personal Data. Such notification shall include, to the extent then known: (a) the nature of the breach; (b) categories and approximate number of Data Subjects and Personal Data records concerned; (c) likely consequences; (d) measures taken or proposed to address the breach and mitigate adverse effects; and (e) contact details of the relevant point of contact at AppDNA. AppDNA shall provide updates as additional information becomes available. Notification of a Personal Data Breach is not, by itself, an admission of fault or liability.

5.8 Records of Processing. AppDNA shall maintain records of its processing activities under Article 30(2) GDPR and shall make such records available to Client or competent supervisory authorities upon reasonable request.

5.9 Return or Deletion. Upon termination or expiration of the Commercial Agreement, AppDNA shall, at Client’s choice (expressed in writing within thirty (30) days of termination), delete or return to Client all Personal Data processed under this DPA and delete existing copies, except to the extent applicable law requires storage of Personal Data. After such period, AppDNA may delete Personal Data in accordance with its standard retention policies. Aggregated Data is not subject to this Section.


6. Sub-processors

6.1 General Authorization. Client provides general written authorization for AppDNA to engage Sub-processors to process Personal Data, subject to this Section 6.

6.2 List. AppDNA’s current list of Sub-processors is set out in Annex 3 (Sub-processors) and is also published on the AppDNA website at https://appdna.ai/legal/privacy. AppDNA shall provide notice (by email to Client’s designated DPA contact or through the Console) of any intended addition or replacement of Sub-processors at least thirty (30) days before such Sub-processor begins processing Personal Data.

6.3 Right to Object. Client may object on reasonable data-protection grounds to a proposed Sub-processor by written notice within thirty (30) days of the notification under Section 6.2. The Parties shall work in good faith to resolve the objection. If no resolution is reached, Client may terminate the affected Services on written notice; such termination shall be Client’s sole remedy. AppDNA may engage replacement Sub-processors of an existing function in emergency cases (e.g., insolvency or breach by an existing Sub-processor) without prior notice but shall provide notice as soon as reasonably practicable thereafter.

6.4 Sub-processor Obligations. AppDNA shall engage each Sub-processor under a written contract that imposes data-protection obligations no less protective than those set out in this DPA, including in respect of security measures, sub-processing, international transfers, and audit. AppDNA remains liable to Client for the acts and omissions of its Sub-processors under this DPA.


7. International Data Transfers

7.1 General. Personal Data may be processed in any country in which AppDNA or its Sub-processors maintain operations. As of the Effective Date, AppDNA hosts Personal Data exclusively in the United States. AppDNA may, at its option and subject to advance written notice, add additional hosting regions, including in the European Union/EEA for EU-established Clients, in which case the applicable region will be designated in the Commercial Agreement or by amendment.

7.2 Restricted Transfers. Where the processing of Personal Data involves a Restricted Transfer, the Parties agree that the transfer mechanism designated in Annex 4 shall apply, in the following order of precedence:

  • (a) where AppDNA is certified under the EU–U.S. Data Privacy Framework (and/or the UK Extension or Swiss–U.S. DPF, as applicable), the relevant Framework shall apply to the Restricted Transfer; failing which,

  • (b) the Standard Contractual Clauses (Module 2 — Controller-to-Processor, or Module 3 — Processor-to-Sub-processor where Client acts as Processor) are hereby incorporated by reference and entered into between the Parties, with the selections, options, and Annexes I (A, B, C) and II completed as set out in Annex 4 (Transfer Mechanisms);

  • (c) for transfers from the United Kingdom, the UK Addendum is hereby incorporated by reference and entered into between the Parties, with Tables 1–4 completed as set out in Annex 4;

  • (d) for transfers from Switzerland, the SCCs are deemed amended in accordance with Swiss law, including by replacing references to "GDPR" with the Swiss Federal Act on Data Protection where applicable;

  • (e) where none of the foregoing applies, any other transfer mechanism approved under applicable law.

7.3 Transfer Impact Assessment. AppDNA has conducted a transfer impact assessment (TIA) regarding Restricted Transfers, summarized in Annex 4. AppDNA shall provide a copy of the TIA upon Client’s reasonable request.

7.4 Government Access Requests. AppDNA shall, to the extent permitted by law: (a) review the legality of any law-enforcement or governmental request for Personal Data, including whether it is necessary, proportionate, and complies with applicable rules of mutual legal assistance; (b) challenge any request that does not comply; (c) provide only the minimum data necessary to comply with a valid request; and (d) promptly notify Client of any such request, except where prohibited by law.


8. Audit Rights

8.1 Audit Reports. AppDNA shall, upon Client’s written request not more than once per twelve (12) months (except where additional audit is required by a supervisory authority or following a Personal Data Breach), make available to Client information reasonably necessary to demonstrate compliance with this DPA. AppDNA may discharge this obligation by providing copies of relevant third-party certifications, audit reports (e.g., SOC 2 Type II, ISO 27001), and policy summaries.

8.2 On-site Audits. Where Data Protection Laws require an on-site audit and the information made available under Section 8.1 is reasonably insufficient, Client may, at its cost, conduct an on-site audit upon at least thirty (30) days’ written notice and during AppDNA’s normal business hours, subject to: (a) reasonable confidentiality obligations; (b) Client paying for AppDNA’s reasonable time at AppDNA’s then-current rates; (c) the audit being conducted by Client or an independent third-party auditor (not a competitor of AppDNA) reasonably acceptable to AppDNA; (d) the audit not unreasonably interfering with AppDNA’s business; and (e) Client providing AppDNA with a copy of the audit report.

8.3 Supervisory Authority Audits. AppDNA shall cooperate with audits and inspections conducted by competent supervisory authorities to the extent required by law.


9. Liability

9.1 Cap. Each Party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set forth in the Commercial Agreement (Section XIV of the SOW or Section 16 of the Terms of Service, as applicable), without prejudice to: (a) any liability that cannot be limited as a matter of applicable law; and (b) Article 82 GDPR rights of Data Subjects.

9.2 Article 82 GDPR. Nothing in this DPA limits a Data Subject’s rights under Article 82 GDPR (or equivalent law) to seek compensation directly from either Party. As between the Parties, liability for damages paid to Data Subjects is allocated in accordance with each Party’s share of responsibility for the harm.

9.3 Indemnification (Mutual). Each Party shall indemnify the other against third-party claims, regulatory fines, and Data-Subject compensation awards to the extent caused by the indemnifying Party’s breach of this DPA, subject to the cap and exclusions in Section 9.1.


10. Term and Termination

10.1 This DPA takes effect on the Effective Date applicable to Customer (as set out in the "Acceptance and Auto-Execution" section) and continues for the duration of the Commercial Agreement. Sections governing return/deletion of Personal Data, confidentiality, audit (in respect of completed processing), liability, and any provisions that by their nature should survive shall survive termination.

10.2 If AppDNA is unable to comply with this DPA in a manner that creates a material risk of non-compliance with Data Protection Laws and cannot remedy such inability within a reasonable period, Client may terminate the affected Services upon written notice without further liability (other than payment of accrued fees).


11. Miscellaneous

11.1 Conflict. In the event of conflict: (a) between this DPA and the Commercial Agreement on data-protection matters, this DPA controls; (b) between the body of this DPA and the SCCs (where applicable), the SCCs control; (c) between this DPA and the UK Addendum on UK transfers, the UK Addendum controls.

11.2 Governing Law and Jurisdiction. Except where Data Protection Laws or the SCCs require otherwise, this DPA is governed by the law and subject to the jurisdiction set out in the Commercial Agreement. The SCCs (where applicable) are governed by the law of the EU Member State selected in Annex 4 (or where no Member State is selected, the law of the Republic of Ireland) and disputes thereunder are heard in the courts of that Member State, without prejudice to the rights of Data Subjects under Clause 18 of the SCCs.

11.3 Authorized Affiliates. Where Authorized Affiliates of Client receive Services under the Commercial Agreement, this DPA applies to such Authorized Affiliates as if they were a "Client," and Client warrants that it has authority to enter into this DPA on their behalf.

11.4 Amendments. This DPA may be amended only in writing. For Customers operating under this Public Self-Service Version, amendments take effect as set out in "Acceptance and Auto-Execution" Section A.4. For Customers operating under the Signable Version, amendments require signature by both Parties. AppDNA may make non-material updates to Annex 2 (TOMs) and Annex 3 (Sub-processors) in accordance with Section 5.3 and Section 6.2.

11.5 Counterparts. This DPA may be signed in counterparts, including by electronic signature, each of which is an original.


Acceptance and Auto-Execution

A.1 How This DPA Becomes Effective. This DPA is the "Public Self-Service Version" of the AppDNA Data Processing Agreement and is published at https://appdna.ai/legal/dpa. It is incorporated by reference into the AppDNA Terms of Service available at https://appdna.ai/legal/terms and into the AppDNA SDK End User License Agreement available at https://appdna.ai/legal/sdk-eula. This DPA takes effect (becomes binding) between AppDNA and Customer on the earliest of the following events:

(a) Customer’s acceptance of the AppDNA Terms of Service (where Customer processes Personal Data of EU/UK/Swiss residents or other persons protected by Data Protection Laws through the Services);

(b) Customer’s acceptance of the AppDNA SDK End User License Agreement;

(c) Customer’s installation, integration, or first production use of the AppDNA SDK;

(d) Customer’s execution of a Statement of Work with AppDNA that incorporates this DPA by reference; or

(e) Customer’s explicit acceptance of this DPA via Customer’s account in the Console or by signed counterpart.

A.2 Validity Without Countersignature. In accordance with Article 28(9) of the GDPR, this DPA is in writing in electronic form. The Parties acknowledge and agree that this DPA is binding on AppDNA without need for separate signature by AppDNA, and is binding on Customer upon the occurrence of any of the events in A.1 above. The Parties further agree that this DPA satisfies the "in writing" requirement of Article 28(9) GDPR (and equivalent provisions of the UK GDPR and Swiss FADP) without need for handwritten or qualified electronic signatures. AppDNA’s acceptance is evidenced by AppDNA’s publication of this DPA at https://appdna.ai/legal/dpa, signed (electronically) on AppDNA’s behalf by its authorized officers.

A.3 Customers Requiring a Signed Counterpart. Customers whose internal compliance, regulatory, or procurement requirements call for a manually executed (signed) DPA may request a signable counterpart by contacting privacy@appdna.ai. AppDNA will provide a signable version of this DPA (the "Signable Version") for execution. Once countersigned by both Parties, the Signable Version supersedes this Public Self-Service Version as between AppDNA and that Customer.

A.4 Updates to This DPA. AppDNA may update this DPA from time to time. Material updates that adversely affect Customer’s rights take effect on at least thirty (30) days’ prior written notice (by email to Customer’s account email or via the Console). Non-material updates (such as additions to Annex 3 (Sub-processors) made in accordance with Section 6.2) take effect upon publication. AppDNA will retain prior versions of this DPA for evidentiary purposes and will provide a copy of the version effective at any specified date upon request to privacy@appdna.ai.

A.5 Identification of Customer. For purposes of this DPA, "Customer" means the legal entity (or, if no legal entity, the natural person) that registered the AppDNA account or signed a Statement of Work with AppDNA. Customer’s legal entity name, address, and contact details are those provided at registration or as updated in the Console (or, where a Statement of Work has been signed, as set forth therein). For Authorized Affiliates of Customer receiving Services, see Section 11.3 (Authorized Affiliates) of the body of this DPA.


Annex 1 — Description of Processing

Part A. List of Parties

Data exporter (Controller): Customer (the entity that has accepted the AppDNA Terms of Service or signed a Statement of Work with AppDNA), at the legal entity name, address, and contact details provided by Customer at registration with AppDNA or as updated in the Console (or, where a Statement of Work has been signed, as set forth therein). Activities: app developer/operator using AppDNA Services to optimize app growth and monetization. Role: Controller.

Data importer (Processor): AppDNA AI, Inc., 1007 N Orange St., 4th Floor Suite #4331, Wilmington, DE 19801, United States. Contact: dpo@appdna.ai. Activities: provision of the Services described in the Commercial Agreement. Role: Processor.


Part B. Description of Transfer / Processing

Categories of Data Subjects: End users of Client’s mobile and/or web applications who interact with the SDK or the experiences operated through the Console. Optionally, Client’s personnel who use the Console (governed by the AppDNA Privacy Policy, with AppDNA as Controller).

Categories of Personal Data: Pseudonymous device and user identifiers (e.g., hashed device IDs, IDFA/AAID where consented, install IDs, user IDs assigned by Client); event and behavioral data (in-app actions, screen views, conversion events, paywall interactions); subscription/transaction metadata (subscription state, plan, currency, value — not card numbers); approximate geolocation derived from IP (no precise GPS by default); device and technical data (OS, device model, app version, language, time zone); app store metadata; A/B-test variant assignments; consent signals.

Special Categories of Data: None intended. Client shall not configure the Services to collect special-category data (Article 9 GDPR) or criminal-conviction data (Article 10 GDPR) without prior written agreement and supplemental safeguards.

Frequency of Transfer: Continuous (real-time and batched), for the duration of the Commercial Agreement.

Nature of Processing: Collection, storage, organization, structuring, analysis, experimentation, segmentation, automated decision-making (for experiment routing and rollout), aggregation, transmission, deletion.

Purpose(s) of Processing: (a) Operating the Console and SDK; (b) running experiments, A/B tests, paywall and onboarding optimization; (c) measuring KPIs; (d) producing reports for Client; (e) providing managed services; (f) security, fraud prevention, and service integrity; (g) compliance with applicable law.

Retention Period: For the duration of the Commercial Agreement plus the period required by AppDNA’s retention policy (typically not exceeding 24 months after termination), or longer where required by law. Aggregated Data may be retained indefinitely.

Sub-processor Transfers: Per Annex 3. Sub-processors process Personal Data for the purposes set out above and for the duration of their engagement.


Part C. Competent Supervisory Authority (where SCCs apply)

Where the data exporter is established in an EU Member State: the supervisory authority of that Member State. Where the data exporter is not established in the EU but its representative is, the supervisory authority of the Member State where the representative is established. Where neither applies (e.g., where the data exporter falls under the GDPR’s extraterritorial scope under Article 3(2)): the Irish Data Protection Commission (Ireland), as a default selection.


Annex 2 — Technical and Organizational Measures (TOMs)

AppDNA implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. AppDNA may update these measures from time to time provided the level of security is not materially diminished.

Pseudonymization & Encryption: Personal Data is pseudonymized where reasonably feasible. Data in transit is encrypted using TLS 1.2+ (preferring TLS 1.3). Data at rest is encrypted using AES-256 or equivalent. Encryption keys are managed by Google Cloud KMS with appropriate key-rotation and access controls.

Confidentiality: Role-based access control (RBAC) with least-privilege defaults; access reviews at least quarterly. Unique user IDs and strong authentication (MFA enforced for production access). Logging and monitoring of access to production systems.

Integrity: Code review and CI/CD with automated security checks. Vulnerability scanning of dependencies. Application of security patches within risk-based timeframes. Database integrity controls and audit logs.

Availability & Resilience: Production hosted on enterprise-grade cloud infrastructure (e.g., AWS or GCP) with multi-zone availability. Automated backups with retention and tested restoration procedures. Incident-response runbooks and on-call rotation.

Restoration of Availability: Disaster-recovery plan with defined RPO and RTO targets, reviewed at least annually.

Testing & Evaluation: Penetration testing performed at least annually by a qualified third party. Internal security reviews and threat modeling for major releases.

Personnel Security: Pre-employment background checks where permitted by law. Mandatory data-protection and security training on hire and at least annually thereafter. Written confidentiality obligations.

Physical Security: Production data is hosted in cloud-provider data centers certified to ISO 27001 / SOC 2 with industry-standard physical security controls. AppDNA offices: badge access, visitor logs, and CCTV where applicable.

Sub-processor Management: Due diligence prior to engagement. Written contracts with data-protection terms equivalent to this DPA. Periodic review of sub-processor security posture.

Incident Detection & Response: 24/7 monitoring of production systems. Defined incident classification and escalation. Personal Data Breach notification within 72 hours per Section 5.7 of this DPA.

Data Minimization & Default Settings: SDK default configuration avoids collection of direct personal identifiers. Optional features that increase data collection require explicit Client opt-in.

Logging: Application and security event logs retained for an appropriate period for forensic and compliance purposes; logs are protected against tampering.

Privacy Governance: Designated privacy lead. Internal data-protection policies. Records of processing activities maintained per Article 30 GDPR.


Annex 3 — Sub-processors

The following Sub-processors are authorized as of the Effective Date of this DPA. AppDNA shall provide notice of any addition, replacement, or removal of Sub-processors in accordance with Section 6.2 of this DPA. The current list is mirrored in the AppDNA Privacy Policy at https://appdna.ai/legal/privacy.

Google Cloud Platform (Google LLC)
  Function / Purpose: Cloud infrastructure (compute, storage, networking) hosting Customer and end-user data
  Category: Hosting / Infrastructure
  Location: United States

Google Cloud Operations (Google LLC)
  Function / Purpose: Application performance monitoring, logging, and error tracking for production systems
  Category: Operations / Monitoring
  Location: United States

Upstash, Inc.
  Function / Purpose: Managed Redis (in-memory data store) for session token caching, rate limiting, and event queues. May process pseudonymous identifiers, IP addresses, and short-lived event payloads.
  Category: Caching / Infrastructure
  Location: United States

Stripe, Inc.
  Function / Purpose: Payment processing for Customer billing (Stripe acts as an independent Controller for payment data)
  Category: Payments
  Location: United States

Resend, Inc.
  Function / Purpose: Transactional email delivery (account, billing, service, and security emails to Customer’s Authorized Users)
  Category: Email
  Location: United States

Amazon SES (Amazon Web Services, Inc.)
  Function / Purpose: Transactional email delivery (backup / secondary)
  Category: Email
  Location: United States

Crisp IM SAS
  Function / Purpose: Customer support and in-product messaging
  Category: Support
  Location: European Union (France)

Mixpanel, Inc.
  Function / Purpose: Product analytics for the Console and Site (usage by Customer’s Authorized Users)
  Category: Analytics
  Location: United States

Amplitude, Inc.
  Function / Purpose: Product analytics for the Console and Site (usage by Customer’s Authorized Users)
  Category: Analytics
  Location: United States

Google Analytics (Google LLC)
  Function / Purpose: Web analytics for the Site
  Category: Analytics
  Location: United States

Anthropic, PBC
  Function / Purpose: AI / large language model services. Receives only de-identified, aggregated input; no Personal Data of Customer end users is transmitted.
  Category: AI Service Provider
  Location: United States

Google Cloud AI (Google LLC)
  Function / Purpose: AI / machine learning services. Receives only de-identified, aggregated input; no Personal Data of Customer end users is transmitted.
  Category: AI Service Provider
  Location: United States

OpenAI, L.L.C.
  Function / Purpose: AI / large language model services. Receives only de-identified, aggregated input; no Personal Data of Customer end users is transmitted.
  Category: AI Service Provider
  Location: United States

As described in Section 7 of the AppDNA Privacy Policy, AI Service Providers (Anthropic, Google Cloud AI, and OpenAI) receive only de-identified, aggregated context derived from Customer Data and do not process Personal Data of Customer end users. They are listed in this Annex 3 for transparency and completeness; for the avoidance of doubt, they are not Sub-processors of Personal Data within the meaning of the DPA but are nonetheless engaged under written terms with appropriate confidentiality and data-handling commitments.

AppDNA may also engage its Affiliates as Sub-processors. Each Sub-processor and Affiliate is engaged under written terms imposing data-protection obligations no less protective than this DPA, in accordance with Section 6.4.


Annex 4 — Transfer Mechanisms

Part A. Standard Contractual Clauses (Module 2 / Module 3)

The Parties agree that, where Section 7 of the DPA requires the SCCs, the following selections apply to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the SCCs):

SCC Item | Selection
Module | Module 2 (Controller-to-Processor) where Client is a Controller. Module 3 (Processor-to-Sub-processor) where Client acts as Processor on behalf of a third-party Controller.
Clause 7 (Docking Clause) | Not applicable.
Clause 9 (Sub-processors) | Option 2: General Written Authorization. Notice period for changes: thirty (30) days, per Section 6.2 of the DPA.
Clause 11 (Redress) | Option to make available an independent dispute-resolution body: NOT selected. Data Subjects may lodge a complaint with the supervisory authority and/or the courts.
Clause 17 (Governing Law) | The law of the EU Member State in which the data exporter is established, provided that law allows for third-party beneficiary rights; otherwise, the law of Ireland.
Clause 18 (Forum & Jurisdiction) | Courts of Ireland (or, where applicable, the courts of the data exporter’s EU Member State).
Annex I.A (Parties) | As set out in Annex 1, Part A of this DPA.
Annex I.B (Description of Transfer) | As set out in Annex 1, Part B of this DPA.
Annex I.C (Competent Supervisory Authority) | As set out in Annex 1, Part C of this DPA.
Annex II (Technical and Organizational Measures) | As set out in Annex 2 of this DPA.
Annex III (List of Sub-processors) | As set out in Annex 3 of this DPA.

By signing this DPA, the Parties are deemed to have signed the SCCs, including their Annexes, with the selections above.


Part B. UK International Data Transfer Addendum to the EU SCCs (UK Addendum)

The Parties agree that, where Section 7 of the DPA requires the UK Addendum, the UK Addendum is incorporated and the following Tables apply:

UK Addendum Table | Selection
Table 1 — Parties | As set out in Annex 1, Part A of this DPA. Key contact details as set out therein.
Table 2 — Selected SCCs, Modules and Selected Clauses | The SCCs as completed in Part A of this Annex 4.
Table 3 — Appendix Information | Annex 1A (Parties): Annex 1, Part A of this DPA. Annex 1B (Description of Transfer): Annex 1, Part B. Annex II (Security Measures): Annex 2. Annex III (Sub-processors): Annex 3.
Table 4 — Ending the Addendum | Either Party may end the UK Addendum upon notice in accordance with Section 19 of the UK Addendum.


Part C. Swiss Transfers

For transfers from Switzerland, the SCCs apply with the following adaptations: (a) references to "Regulation (EU) 2016/679" or "GDPR" shall be deemed to include the Swiss Federal Act on Data Protection ("FADP") where applicable; (b) references to "EU Member State" shall not be interpreted to exclude Data Subjects in Switzerland from exercising rights in their place of residence; (c) the supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers exclusively governed by the FADP, or jointly with the EU supervisory authority for dual-applicability transfers.


Part D. EU–U.S. Data Privacy Framework (where applicable)

AppDNA may from time to time self-certify under the EU–U.S. Data Privacy Framework, the UK Extension to the EU–U.S. DPF, and/or the Swiss–U.S. DPF (collectively, the "DPF"). When AppDNA is actively certified for the relevant Restricted Transfer, the DPF shall serve as the primary transfer mechanism, and AppDNA shall comply with its DPF Principles obligations. Where DPF certification lapses, the SCCs / UK Addendum (Parts A–C above) shall apply automatically.


Part E. Transfer Impact Assessment Summary

AppDNA has assessed the laws and practices of the third country (primarily the United States) relevant to the protection of Personal Data transferred under the SCCs, including U.S. surveillance laws (FISA Section 702 and Executive Order 12333). The assessment considered: (i) the nature of the Personal Data transferred (pseudonymous identifiers, behavioral telemetry; not special categories or government-targeted data); (ii) the limited and unlikely scope of relevant surveillance authorities in respect of such data; (iii) supplementary measures including encryption in transit and at rest, pseudonymization, access controls, contractual challenges to overbroad requests, and transparency reporting where permitted; and (iv) for transfers from the EEA/UK/Switzerland to the U.S., the additional safeguards introduced by Executive Order 14086 and the EU–U.S. Data Privacy Framework adequacy decision. On that basis, AppDNA considers the level of protection essentially equivalent. AppDNA shall update this assessment as legal or factual circumstances change.