This page is available in English and Hungarian. Other languages will be added soon.

Data Processing Agreement (DPA)

Last updated: 13 June 2026

The Hungarian version is the binding original. This English version is provided for convenience only.

1. Parties

This Data Processing Agreement (the 'DPA') is entered into between Tokár Ádám EV, sole proprietor, registered in Hungary, Gyula (the 'Processor'), operating the Apex Chatbot service at apexchatbot.com, and the Customer who holds an active subscription to the Apex Chatbot service (the 'Controller').

The Controller is the entity or individual that has signed up at apexchatbot.com and agreed to the General Terms and Conditions (ÁSZF). Acceptance of the ÁSZF constitutes electronic acceptance of this DPA.

Contact for DPA matters: dpo@apexweb.hu (until the dpo alias is configured, the reachable address is adam@apexweb.hu).

2. Definitions

The terms used in this DPA have the meanings given in Regulation (EU) 2016/679 (the 'GDPR').

'Personal data' means any information relating to an identified or identifiable natural person (data subject).

'Processing' means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

'Data subject' means the natural person to whom personal data relates.

'Sub-processor' means any processor engaged by the Processor who processes personal data on behalf of the Controller.

3. Subject and Scope

The Processor processes personal data on behalf of the Controller to deliver the chatbot, voice agent, and automation services described in the main service agreement and the General Terms and Conditions.

Processing takes place for the duration of the subscription and solely within the purposes defined in the service agreement and this DPA.

4. Duration

This DPA is in effect for as long as the Customer holds an active subscription, and for the data retention period defined in the Privacy Policy after termination.

After the retention period, or on a valid deletion request, all personal data attributable to the Controller's account is permanently deleted unless applicable EU or Hungarian law requires longer retention.

5. Categories of Data Subjects

End users of the Controller's website who interact with the chatbot or voice agent.

The Controller's own employees and administrator users who access the Apex Chatbot dashboard.

6. Categories of Personal Data

Identifiers: email addresses and phone numbers voluntarily provided by data subjects during chatbot conversations.

Free-text messages: the content of chatbot and voice agent conversations.

Conversation metadata: timestamps, session identifiers, and IP addresses.

Optional knowledge base content provided by the Controller, which may include personal data if the Controller includes it.

7. Processor Obligations

Process personal data only on documented instructions from the Controller, unless required otherwise by applicable EU or member state law.

Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Implement appropriate technical and organisational measures as described in Section 9 of this DPA.

Assist the Controller with fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection).

Assist the Controller with meeting its obligations under Articles 32 to 36 of the GDPR, including breach notification.

At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or member state law requires storage.

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

8. Sub-processors

The Processor uses sub-processors to deliver parts of the service. The current list of sub-processors is published at /legal/sub-processors.

The Controller provides general written authorisation for the Processor to engage sub-processors from the published list.

The Processor will notify the Controller at least 14 calendar days in advance of adding any new sub-processor or replacing an existing one, by updating the sub-processors page and, where the Controller's billing email is known, by direct email notice.

The Controller may object to a new sub-processor by emailing dpo@apexweb.hu within the notice period. If the objection cannot be resolved, the Controller may terminate the subscription with a pro-rata refund for the unused period.

9. Technical and Organisational Measures

Encryption in transit: all data transmitted between users, the Processor's application, and sub-processors is protected by TLS 1.2 or higher.

Encryption at rest: all database storage is managed by Supabase, which applies AES-256 encryption at rest.

Access controls: database access is governed by Supabase Row Level Security (RLS) policies. Application hosting access controls are enforced by Vercel deployment settings. Only authorised personnel have access to production systems.

Audit logging: significant actions on customer data are recorded in an internal audit log with actor, action, timestamp, and target identifiers.

Incident response: the Processor commits to notifying the Controller within 72 hours of becoming aware of a personal data breach, as set out in Section 11 of this DPA.

Backup: database backups are managed by Supabase with point-in-time recovery and retention aligned to Supabase's standard terms.

10. International Data Transfers

The majority of processing occurs within the European Economic Area (EEA): Supabase hosts data in Frankfurt (EU), and Vercel routes requests to EU edge nodes by default.

Some sub-processors are located in the United States: OpenAI, Stripe (for global operations), Resend, and others listed at /legal/sub-processors. Transfers to these processors rely on the EU-US Data Privacy Framework where the processor is certified, or on Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914/EU where applicable.

By accepting this DPA, the Controller authorises the Processor to make these transfers, subject to the sub-processor list and the safeguards described.

11. Breach Notification

In the event of a personal data breach affecting data processed on behalf of the Controller, the Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.

Notification will be sent by email to the Controller's billing email address, and will include at minimum: the nature of the breach; the categories and approximate number of data subjects concerned; the categories and approximate number of personal data records concerned; the likely consequences of the breach; the measures taken or proposed to address the breach.

The Processor will cooperate with the Controller in any required notification to a supervisory authority or to data subjects.

12. Audit Rights

The Controller may request, no more than once per calendar year, a written summary of the Processor's technical and organisational measures and any third-party security assessments available.

On-site audits are accepted only when required by a binding order from a competent supervisory authority. Reasonable costs incurred by the Processor in connection with an audit are borne by the Controller.

The Processor will respond to audit summary requests within 30 calendar days.

13. Data Return and Deletion

On termination of the subscription, the Processor will, at the Controller's choice, return or delete all personal data processed on behalf of the Controller within 30 calendar days of the termination date.

If longer retention is required by applicable EU or Hungarian law (for example, accounting records), the Processor will notify the Controller and limit processing to the minimum required by law.

The Controller may export its data from the dashboard during the subscription and for 14 calendar days after termination.

14. Liability

Each party's liability under this DPA is capped in accordance with the liability provisions of the main service agreement (General Terms and Conditions, ÁSZF).

The Processor is liable only for damages attributable to its own processing where it has failed to comply with its obligations under the GDPR or this DPA.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of Hungary, in accordance with Regulation (EU) 2016/679 (GDPR) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the 'Info Act').

Any dispute arising from or in connection with this DPA that cannot be resolved by negotiation within 30 days shall be submitted to the exclusive jurisdiction of the courts of Gyula, Hungary (Gyulai Járásbíróság), or, for matters above the jurisdictional threshold, the Gyulai Törvényszék.

16. Contact and Acceptance

DPA contact: dpo@apexweb.hu. Until the dpo alias is configured, the reachable address is adam@apexweb.hu.

This DPA is incorporated by reference into the General Terms and Conditions (ÁSZF). By accepting the ÁSZF at signup, the Customer electronically accepts this DPA. No separate signature is required.

Amendments to this DPA will be communicated with at least 14 calendar days' notice via the Controller's billing email and by updating this page with a new 'Last updated' date.

Tokár Ádám EV · Gyula, Hungary · adam@apexweb.hu