Legal
Data Processing Addendum
- Effective
- May 20, 2026
- Last updated
- May 20, 2026
This DPA forms part of the Terms of Service between APIDLY LTD, the company registered in England and Wales (number 17042735) that operates Planoda (the "Processor"), and the Customer (the "Controller") when the Controller processes personal data of EU or UK data subjects through the Service.
1. Scope
Processor will process personal data only on documented instructions from Controller, including transfers of personal data to a third country, unless required to do so by Union or Member State law. Processor will inform Controller of any such legal requirement before processing, unless prohibited by law.
2. Confidentiality
Processor ensures that personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Sub-processors
Controller authorizes Processor to engage the sub-processors listed in our Privacy Policy. We notify you of any intended changes — addition or replacement — at least 30 days in advance and give you the opportunity to object on reasonable grounds.
4. Standard Contractual Clauses
Where personal data is transferred outside the EEA, the parties agree to the EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum (IDTA), incorporated by reference into this DPA.
5. Data subject assistance
Processor will assist Controller in fulfilling Data Subject access, rectification, erasure, restriction, portability, and objection requests within the timelines required by GDPR (typically 30 days). Self-service tools are exposed in the in-app settings.
6. Breach notification
Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller's data. The notification will include the information required by Article 33(3) GDPR.
7. Audit rights
Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Controller or another auditor mandated by Controller, subject to reasonable notice and confidentiality safeguards.
8. Return or deletion
At the end of the provision of services, Processor will delete or return all personal data to Controller at Controller's choice, and delete existing copies unless retention is required by Union or Member State law.