Data Processing Agreement

Last updated: 14 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between GAPFY UNIPESSOAL LDA ("Gapfy", "Processor") and the customer organisation ("Customer", "Controller") that uses our Services. It governs Gapfy's processing of personal data contained in Customer Data on the Customer's behalf and applies in addition to our Terms of service and Privacy policy. For self-service customers this DPA is incorporated by reference into the Terms; a counter-signed copy is available on request at privacy@gapfy.io.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", "Processing" and "Personal Data Breach" have the meanings given in the GDPR. "Customer Personal Data" means personal data within Customer Data that Gapfy processes on the Customer's behalf.

2. Roles and scope

For Customer Personal Data the Customer is the Controller and Gapfy is the Processor. Gapfy processes Customer Personal Data only to provide and support the Services and only on the Customer's documented instructions, including as set out in this DPA and the Terms, unless required to do otherwise by EU or Member State law, in which case Gapfy will inform the Customer unless that law prohibits it. Where Gapfy determines the purposes and means of processing (for example account, billing and security data), it acts as Controller under the Privacy policy.

3. Processing details (Annex I)

• Subject matter: provision of the Gapfy Services subscribed to by the Customer.
• Duration: for the term of the subscription plus the deletion and return window in section 11.
• Nature and purpose: hosting, storage, organisation, retrieval, transmission and deletion of Customer Data as needed to operate the Services.
• Types of personal data: identifiers and contact details, content the Customer and its users create in the Services, usage and activity data, and any other personal data the Customer chooses to submit.
• Categories of data subjects: the Customer's authorised users and any individuals whose personal data the Customer includes in Customer Data.

The Customer must not submit special categories of personal data unless it has put appropriate safeguards in place, and is responsible for the lawfulness of the data it submits.

4. Confidentiality

Gapfy ensures that persons authorised to process Customer Personal Data are bound by confidentiality and process the data only as instructed.

5. Security (Annex II)

Gapfy implements appropriate technical and organisational measures under Article 32 GDPR, including encryption of data in transit and at rest, access controls and least-privilege access, network isolation, logging and monitoring, secure software development practices, and regular review. These measures are described in our Privacy policy and may be updated as technology evolves, provided the level of protection is not reduced.

6. Sub-processors (Annex III)

The Customer authorises Gapfy to engage the sub-processors listed on our Sub-processors page. Gapfy imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance. Gapfy will give advance notice of any new or replacement sub-processor; the Customer may object on reasonable data-protection grounds, and the parties will work in good faith to resolve the objection.

7. Assistance with data subject rights

Taking into account the nature of the processing, Gapfy assists the Customer with appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under Chapter III GDPR. Where Gapfy receives such a request directly, it will refer the data subject to the Customer.

8. Assistance with security, breaches and impact assessments

Gapfy assists the Customer in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Gapfy.

9. Personal Data Breach notification

Gapfy notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides the information the Customer reasonably needs to meet its own notification obligations.

10. International transfers

Gapfy hosts Customer Personal Data in the European Union. Where a sub-processor transfers data outside the European Economic Area, the transfer relies on an adequacy decision or the European Commission's Standard Contractual Clauses with additional safeguards, as indicated on the Sub-processors page.

11. Return and deletion

On termination of the Services, and at the Customer's choice, Gapfy returns or deletes Customer Personal Data within a reasonable period, unless EU or Member State law requires storage. The Customer can export Customer Data during the subscription and during the export window after termination.

12. Audits

Gapfy makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable prior notice and subject to confidentiality.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms or any signed agreement between the parties.

14. Contact

To request a counter-signed DPA or to raise a processing question, contact privacy@gapfy.io.

This English-language version is the authoritative, legally binding version of this document. Translations are provided for convenience only.