Data Processing Addendum
This DPA governs how Apex Edge Sales Engineering processes personal data on behalf of Customers using ApexIQ WinCommand™.
Effective: 1 May 2026
Last reviewed: 15 May 2026
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service between Apex Edge Sales Engineering ("Processor") and the subscribing Customer ("Controller"). By accepting the Terms of Service, you also accept this DPA without requiring a separate signature.
1. Definitions
In this DPA, the following terms have the meanings given:
- "Controller": The Customer - the company or organisation that determines the purposes and means of processing personal data.
- "Processor": Apex Edge Sales Engineering, which processes personal data on behalf of the Controller.
- "Personal data", "data subject", "processing", "special category data": As defined in UK GDPR / EU GDPR.
- "Sub-processor": A third party engaged by Apex Edge Sales Engineering to process personal data in connection with providing the Service.
- "UK GDPR": The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
- "EU GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "PECR": The Privacy and Electronic Communications Regulations 2003.
2. Details of processing
Data subjects
Employees, contractors, and team members of the Customer who are invited to use the Service.
Categories of personal data processed
- Identity data: full name, email address
- Professional data: job role, company name
- Usage and activity data: records created, features used, timestamps, last active
- Technical data: IP address, session metadata
- Billing contact data: name, email, company (not payment card numbers)
Special categories of data
The Service is not designed to process special categories of personal data (Article 9 UK GDPR). The Controller must not upload or enter special category data (health, racial or ethnic origin, religious beliefs, etc.) into the Service.
Purposes of processing
Apex Edge Sales Engineering processes personal data solely for the purpose of providing the ApexIQ WinCommand™ Service as described in the Terms of Service. No processing is carried out for Apex Edge Sales Engineering's own purposes beyond operating, securing, and improving the Service.
Duration of processing
For the term of the Customer's subscription, plus the retention periods set out in Apex Edge Sales Engineering's Privacy Policy. On termination, data is retained for 30 days then permanently deleted unless earlier deletion is requested.
3. Controller obligations
The Controller shall:
- Ensure it has a lawful basis for providing personal data to the Processor and for all processing instructions it issues.
- Comply with all applicable data protection laws in relation to its use of the Service and the personal data it provides.
- Not instruct Apex Edge Sales Engineering to process personal data in a way that would breach applicable law.
- Ensure that data subjects have been informed about the processing described in this DPA, to the extent required by law.
- Obtain any necessary consents or authorisations (where consent is the chosen legal basis) before providing personal data to Apex Edge Sales Engineering.
- Not provide special category data through the Service.
4. Processor obligations
Apex Edge Sales Engineering shall:
- Process personal data only on the documented instructions of the Controller, unless required to do so by applicable law.
- Immediately inform the Controller if, in Apex Edge Sales Engineering's opinion, an instruction infringes applicable data protection law.
- Ensure that all personnel authorised to process personal data are under appropriate obligations of confidentiality.
- Implement and maintain the technical and organisational security measures described in clause 5.
- Not engage sub-processors without prior general authorisation from the Controller (which is granted by acceptance of these Terms, subject to the notification rights in clause 6).
- Assist the Controller in responding to data subject rights requests, to the extent technically feasible.
- Assist the Controller with its obligations under Articles 32-36 UK GDPR (security, breach notification, DPIAs, prior consultation).
- Delete or return all personal data to the Controller at the end of the Service relationship, at the Controller's election, and delete existing copies unless retention is required by law.
- Make available all information reasonably necessary to demonstrate compliance with this DPA.
5. Technical and organisational security measures
Apex Edge Sales Engineering implements the following measures, which represent the current standard and may be updated from time to time:
Access controls
- Role-based access control - users can only access data within their own organisation
- Row-level security (RLS) enforced at the database layer on all tables
- Multi-factor authentication available for user accounts
- Principle of least privilege applied to all service accounts
Encryption
- All data in transit encrypted using TLS 1.2 or higher
- All data at rest encrypted using AES-256 (via Supabase / AWS)
Audit and monitoring
- Audit log of all significant user and administrative actions
- Server-side logging of authentication events
- Super-admin impersonation is always logged with reason, timestamp, and actor
Availability and resilience
- Service hosted on Netlify (global CDN) with automatic failover
- Database hosted on Supabase EU region (Frankfurt) with daily automated backups
- Critical secrets stored exclusively in environment variables - never in source code
Supplier management
- All sub-processors are subject to appropriate data processing agreements
- Sub-processor list is maintained and disclosed at /legal/sub-processors
6. Sub-processors
The Controller provides general authorisation for Apex Edge Sales Engineering to engage the sub-processors listed at /legal/sub-processors.
Apex Edge Sales Engineering will notify the Controller of any intended addition or replacement of sub-processors with at least 30 days' notice, giving the Controller the opportunity to object on reasonable grounds related to data protection. Where the Controller objects, Apex Edge Sales Engineering will use reasonable efforts to make available a commercially reasonable change to the Service to avoid processing by the objected-to sub-processor. If no such change is reasonably available, either party may terminate the relevant Services on 30 days' written notice.
Apex Edge Sales Engineering imposes data protection obligations on all sub-processors that are substantially equivalent to those set out in this DPA. Apex Edge Sales Engineering remains liable to the Controller for the acts and omissions of its sub-processors.
7. Data subject rights
Apex Edge Sales Engineering will provide reasonable technical assistance to the Controller to enable the Controller to respond to data subject rights requests (access, rectification, erasure, restriction, portability, objection).
Where Apex Edge Sales Engineering receives a data subject rights request directly from a data subject, it will promptly forward it to the Controller, unless prohibited by law. Apex Edge Sales Engineering will not respond substantively to such requests without the Controller's written authorisation, except as required by law.
Authenticated users can exercise self-service data rights directly via Settings → Account in the application (data download and account deletion).
8. Personal data breach notification
Apex Edge Sales Engineering will notify the Controller of a personal data breach without undue delay and, where feasible, no later than 48 hours after becoming aware of a breach affecting the Controller's personal data. The notification will include, to the extent then known:
- The nature of the breach, including the categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- Contact details for obtaining further information
Apex Edge Sales Engineering will cooperate with the Controller and provide additional information as it becomes available. The Controller is responsible for notifying the relevant supervisory authority and affected data subjects in accordance with applicable law.
9. Data protection impact assessments
Where the Controller is required to conduct a Data Protection Impact Assessment (DPIA) in relation to processing carried out by Apex Edge Sales Engineering, Apex Edge Sales Engineering will provide reasonable assistance, including by making available relevant information about the Service's security measures and data processing activities.
10. International data transfers
Apex Edge Sales Engineering stores Customer personal data in the EU (Supabase EU region, Frankfurt). Transfers to sub-processors operating outside the UK/EEA are governed by:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission for EU GDPR transfers, and
- UK International Data Transfer Agreements (IDTAs) as approved by the UK ICO for UK GDPR transfers.
Details of transfer mechanisms by sub-processor are available on request from contact@apexedgesalesengineering.com.
11. Audit rights
Apex Edge Sales Engineering will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to:
- A maximum of one audit per calendar year, except where a confirmed personal data breach has occurred
- 30 days' prior written notice, specifying the scope and purpose of the audit
- Reasonable confidentiality obligations on the auditor
- Audit costs borne by the Controller, unless a material breach of this DPA is confirmed
As an alternative to an on-site audit, Apex Edge Sales Engineering may provide a third-party security assessment or certification (e.g. ISO 27001 equivalent) covering the relevant processing activities.
12. Term and termination
This DPA takes effect on the date the Customer accepts the Terms of Service and remains in force for the duration of the Service relationship. On termination of the Terms of Service, this DPA also terminates, subject to the data deletion obligations in clause 2 (duration of processing).
13. Governing law
This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be resolved in accordance with clause 16 of the Terms of Service.
14. Order of precedence
In the event of any conflict between this DPA and the Terms of Service with respect to data protection, this DPA shall take precedence.
Contact
Questions about this DPA should be directed to contact@apexedgesalesengineering.com.