APEXA Logo

GDPR Compliance

APEXA is committed to GDPR compliance - both in our own operations and in every AI solution we build for clients. This page explains our approach and your rights.

Last updated: January 1, 2026

Our GDPR commitment

GDPR compliance isn't an afterthought at APEXA - it's baked into every solution we build. We design all AI systems with data protection by default, ensuring your business and your clients are protected from day one.

1What is GDPR?

The General Data Protection Regulation (GDPR) is EU Regulation 2016/679, which came into force on 25 May 2018. It is the world's most comprehensive data protection law and applies to any organisation that:

  • Is established in the EU or EEA
  • Processes personal data of EU/EEA residents (regardless of where the organisation is based)
  • Offers goods or services to EU/EEA residents
APEXA and all our clients fall under GDPR jurisdiction. We take this responsibility seriously and design every solution to be GDPR-compliant from day one.

2GDPR in Our AI Solutions

Every AI system APEXA builds incorporates the following GDPR-aligned practices:

Data Minimisation

We design AI systems to collect and process only the minimum data necessary to achieve the intended purpose - no excess data collection.

Purpose Limitation

Data collected for one purpose is not repurposed without explicit consent. We document the lawful basis for each data processing activity.

Storage Limitation

Automated retention policies delete or anonymise data once it is no longer needed. Retention schedules are documented for all AI workflows.

Security by Design

Technical measures implemented in every solution:

  • Data encryption at rest and in transit (AES-256 / TLS 1.3)
  • Role-based access controls (least-privilege principle)
  • Audit logs for all AI decisions affecting personal data
  • Pseudonymisation where full identification is not required
  • Regular security testing and vulnerability assessments

On-Premise Deployment (when required)

For clients in sensitive sectors (legal, healthcare, finance), we offer on-premise deployment so data never leaves your infrastructure.

3Data Controller vs. Processor

Under GDPR, it is important to distinguish between Data Controllers and Data Processors:

Your organisationData Controller - you determine the purpose and means of processing personal data
APEXA (during build)Data Processor - we process data on your behalf under a Data Processing Agreement (DPA)
APEXA (own operations)Data Controller - for our own client and prospect data (covered in our Privacy Policy)
We provide a Data Processing Agreement (DPA) as standard for all AI implementation projects where we handle personal data on your behalf. This is included at no extra cost.

4What We Deliver for GDPR Compliance

For every AI implementation project, APEXA delivers:

Data Processing Agreement (DPA)

Formal agreement defining our role as processor and your rights as controller

Privacy Impact Assessment (PIA)

For high-risk processing activities, we conduct and document a formal PIA

Records of Processing Activities

Documentation of all data flows, lawful bases, and retention schedules

Data Flow Diagrams

Visual maps of how data moves through the AI system

Explainability Documentation

For AI decisions affecting individuals, explanations of how decisions are made

Subject Access Request (SAR) procedures

Technical capability to respond to data subject rights requests

5Sub-Processors We Use

When building AI solutions, we may use the following GDPR-compliant sub-processors:

Anthropic (Claude)LLM processing - EU data processing available, DPA provided
OpenAIOptional LLM - EU data processing available, DPA provided
n8nWorkflow automation - self-hosted option available for full data control
VercelHosting - EU region deployment available, SOC 2 certified
Google CloudOptional infrastructure - EU region, GDPR-compliant

We always disclose which sub-processors will be used and obtain your approval before engaging them for your project.

6Your Rights Under GDPR

  • Right of access - request a copy of all personal data we hold about you
  • Right to rectification - correct inaccurate or incomplete data
  • Right to erasure - request deletion of your data where no legal basis exists for retention
  • Right to restriction - limit processing of your data in certain circumstances
  • Right to portability - receive your data in a structured, machine-readable format
  • Right to object - object to processing based on legitimate interests or direct marketing
  • Rights related to automated decision-making - not be subject to solely automated decisions with legal effects
To exercise any right, email privacy@apexa.ai. We respond within 30 days as required by GDPR Article 12.

7Data Breach Notification

In the unlikely event of a personal data breach, APEXA will:

  • Notify affected clients within 24 hours of becoming aware
  • Report to the relevant supervisory authority within 72 hours if required
  • Provide full incident details, impact assessment, and remediation steps
  • Maintain a breach register as required by GDPR Article 33

8GDPR Contact & DPA Requests

GDPR enquiriesprivacy@apexa.ai
DPA requestslegal@apexa.ai
Phone+421-903-231-401

Need a Data Processing Agreement?

If you're a client or prospective client who needs a signed DPA, contact us and we'll send our standard DPA within 1 business day.

Request a DPA