Data Processing Agreement.
Last updated · March 14, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between APUS DATA Mateusz Jerzyk, VAT ID: PL5140344860, ul. Olsztyńska 42a/8, 51-423 Wrocław, Poland ("Processor", "we", "Affinsy") and you, the customer ("Controller", "you"), collectively the "Parties".
This DPA applies to the processing of personal data that you upload or make available to us through the Affinsy platform (affinsy.com) for the purpose of generating e-commerce analytics reports, including Market Basket Analysis (MBA) and RFM Customer Segmentation.
This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Transaction Data" means the e-commerce data you upload to Affinsy, which may include order IDs, customer identifiers, product names, prices, quantities, and dates.
3. Subject Matter and Details of Processing
| Item | Details |
|---|---|
| Purpose of Processing | To provide e-commerce analytics services, including Market Basket Analysis (MBA), RFM Customer Segmentation, and AI-powered insights based on Transaction Data you provide. |
| Nature of Processing | Collection (upload), storage, aggregation, statistical analysis, AI-powered analysis, and report generation. Data is merged using deduplication logic (matching on Order ID + Product Name) and retained until you delete it. |
| Categories of Data Subjects | Your e-commerce customers whose transaction data is included in your uploads. This may include end consumers and business customers. |
| Types of Personal Data | Customer identifiers (IDs, email addresses if used as IDs), order IDs, product names, product SKUs, transaction amounts, quantities, and order dates. No special categories of data (Article 9 GDPR) are processed. |
| Duration of Processing | For the duration of the service agreement. Transaction Data persists until you delete it or close your account. Deleted data is permanently removed within 30 days. |
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS) and at rest, access controls, and regular security assessments.
- Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.
- Assist the Controller in ensuring compliance with obligations related to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultations (Articles 32-36 GDPR).
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Technical and Organizational Measures
The Processor implements the following security measures:
- Encryption in transit: All data transmitted via HTTPS/TLS. API communications with third-party services use encrypted channels.
- Encryption at rest: Data stored in Google BigQuery and MongoDB Atlas is encrypted at rest using provider-managed encryption keys.
- Access control: Multi-tenant data isolation using tenant-specific identifiers. OAuth 2.0 with PKCE for API and MCP access. Session-based authentication for the web application.
- Token security: OAuth tokens stored as SHA-256 hashes, never in plain text. Access tokens expire after 1 hour; refresh tokens after 30 days.
- Password security: Report sharing passwords hashed with bcrypt (10 rounds).
- Data isolation: Each customer's data is isolated using tenant IDs in BigQuery (clustered by tenant_id) and user IDs in MongoDB.
- Infrastructure: Application hosted on Vercel with automatic security updates. Database hosted on MongoDB Atlas with automated backups. Data warehouse on Google Cloud Platform with enterprise-grade security.
6. Sub-processors
The Controller provides general authorization for the Processor to engage the following Sub-processors. The Processor shall notify the Controller of any changes to this list at least 14 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (BigQuery, Cloud Storage, Cloud Run) | Data warehousing, file storage, report computation | EU (europe-west4) |
| Google Generative AI (Gemini) | AI-powered report insights and recommendations | EU / US |
| MongoDB Atlas | Application database (user accounts, reports, metadata) | EU |
| Vercel Inc. | Application hosting and serverless compute | US (global edge network) |
| Stripe Inc. | Payment processing | US / EU |
| Resend Inc. | Transactional email delivery | US |
All Sub-processors are bound by contractual obligations to maintain the confidentiality and security of Personal Data and to process it only for the specified purposes. Where Sub-processors are located outside the EEA, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.
7. International Data Transfers
Your Transaction Data is primarily stored in the European Union (Google BigQuery, europe-west4 region). However, certain Sub-processors may process data outside the EEA. Where such transfers occur, they are protected by:
- European Commission adequacy decisions (where applicable).
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- The EU-US Data Privacy Framework (for certified US organizations).
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). If a Data Subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.
9. Data Deletion and Return
You may delete your data at any time through:
- Data Purge: Use the "Delete All Data" function on the Data page to permanently remove all imported Transaction Data from BigQuery, Cloud Storage, and associated import records.
- Report Deletion: Individual reports can be soft-deleted and are permanently removed after 30 days.
- Account Closure: Upon request to hello@affinsy.com, all your data (account information, Transaction Data, reports, and associated files) will be permanently deleted within 30 days.
Freemium reports are automatically deleted 72 hours after creation. Pending import jobs that are not completed are automatically deleted after 1 hour.
10. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
11. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and contribute to such audits. Audits shall be conducted with reasonable advance notice and during normal business hours, minimizing disruption to the Processor's operations.
12. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
13. Term and Termination
This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. Upon termination of the service agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies within 30 days, unless applicable law requires further storage.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Poland, without regard to its conflict of laws principles. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Wrocław, Poland.
15. Contact
For questions about this DPA or to exercise any rights, contact:
APUS DATA Mateusz Jerzyk
Data Protection Officer: Mateusz Jerzyk
Email: hello@affinsy.com
Address: ul. Olsztyńska 42a/8, 51-423 Wrocław, Poland
VAT ID: PL5140344860