Data Processing Addendum (DPA)

Last updated: January 13, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and FreeBraavos LTD ("AppDeploy", "we", "us") governing your use of AppDeploy (the "Agreement").

This DPA applies where and to the extent AppDeploy processes Personal Data on Customer's behalf as a processor in connection with the Services ("Customer Personal Data").

If you need a signed copy of this DPA, contact support@appdeploy.ai.

1) Definitions

"Applicable Data Protection Law" means laws applicable to the processing of Personal Data under the Agreement, including (where applicable) the EU GDPR and the UK GDPR.
"Controller", "Processor", "Personal Data", and "Processing" have the meanings given in Applicable Data Protection Law.
"Customer Personal Data" means Personal Data processed by AppDeploy as a Processor on behalf of Customer in connection with the Services, including Personal Data contained in Customer content (such as source code and configuration) and Personal Data processed in connection with requests to Customer's deployed apps (for example, IP address and request headers in server logs).
"Subprocessor" means any Processor engaged by AppDeploy to process Customer Personal Data.

2) Roles and scope

Customer is the Controller of Customer Personal Data and AppDeploy is the Processor of Customer Personal Data. Each party will comply with Applicable Data Protection Law in its respective role.

Customer is responsible for (a) providing any required notices to, and obtaining any required consents from, end users and visitors of Customer's deployed apps, and (b) ensuring Customer instructions to AppDeploy comply with Applicable Data Protection Law.

AppDeploy may act as a Controller for Personal Data processed for its own business purposes (for example, account management, security, fraud prevention, and billing if applicable). Such data is governed by our Privacy Policy and not this DPA.

3) Details of processing

The subject matter, duration, nature, and purpose of the processing, as well as the types of Personal Data and categories of data subjects, are described in Annex 1.

Customer instructs AppDeploy to process Customer Personal Data to provide the Services under the Agreement. Customer may issue additional documented instructions consistent with the Agreement.

If AppDeploy believes an instruction violates Applicable Data Protection Law, AppDeploy will inform Customer (unless prohibited by law).

4) Processor obligations

4.1 Confidentiality

AppDeploy will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

4.2 Security measures

AppDeploy will implement appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

A summary of our security measures is described in Annex 2. No security measures can guarantee absolute security.

4.3 Personal data breaches

AppDeploy will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. AppDeploy will provide information reasonably required by Customer to meet its breach notification obligations, as available to AppDeploy.

4.4 Assistance with data subject requests

Taking into account the nature of the processing, AppDeploy will provide reasonable assistance to Customer to help respond to requests by data subjects to exercise their rights under Applicable Data Protection Law, to the extent Customer cannot access relevant data through the Services.

If AppDeploy receives a request directly from a data subject relating to Customer Personal Data, AppDeploy will, to the extent legally permitted, direct the data subject to Customer or notify Customer.

4.5 Assistance with compliance

AppDeploy will provide reasonable assistance to Customer, upon request, with Customer's obligations under Applicable Data Protection Law relating to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and information available to AppDeploy.

4.6 Records

AppDeploy will maintain records of processing activities as required by Applicable Data Protection Law.

5) Subprocessors

Customer provides a general authorization for AppDeploy to engage Subprocessors to process Customer Personal Data, subject to the terms of this section.

AppDeploy maintains a list of current Subprocessors at appdeploy.ai/subprocessors.

5.1 Subprocessor obligations

AppDeploy will impose data protection obligations on Subprocessors that are no less protective than those in this DPA to the extent applicable to the Subprocessor's processing of Customer Personal Data.

AppDeploy remains responsible for the performance of its Subprocessors with respect to their processing of Customer Personal Data.

5.2 Changes to Subprocessors (notice and objection)

If AppDeploy adds or replaces a Subprocessor that processes Customer Personal Data, AppDeploy will provide advance notice by updating the Subprocessors page and, where feasible, by email or in-product notice at least 30 days before the change takes effect.

If Customer objects to a new Subprocessor on reasonable data protection grounds, Customer may contact support@appdeploy.ai within the notice period. AppDeploy will work with Customer in good faith to address the objection, which may include providing an alternative, limiting the affected processing, or allowing Customer to terminate the affected Services.

6) International transfers

AppDeploy primarily processes and stores data in the United States (us-east-1). AppDeploy may also use global edge locations for content delivery and security, depending on the infrastructure services used.

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection, the parties will ensure appropriate safeguards are in place as required by Applicable Data Protection Law.

If Customer requests it and where required, AppDeploy will make available Standard Contractual Clauses (SCCs) or other applicable transfer mechanisms (including, for UK transfers, the UK IDTA or the UK Addendum), as appropriate.

7) Deletion or return of Customer Personal Data

Upon termination of the Services or upon Customer's request, AppDeploy will delete or return Customer Personal Data, at Customer's choice, unless retention is required by applicable law.

Deletion from backups occurs on a rolling basis consistent with AppDeploy's backup retention practices. For more information, see our Privacy Policy.

8) Audits and information

AppDeploy will make available information reasonably necessary to demonstrate compliance with this DPA.

Customer may conduct an audit of AppDeploy's compliance with this DPA no more than once per 12-month period, subject to (a) at least 30 days prior written notice, (b) reasonable confidentiality obligations, and (c) restrictions designed to prevent disruption to AppDeploy's operations and to protect other customers' data and security. Audits will be conducted at Customer's expense.

9) Liability and order of precedence

The parties' liability under this DPA is subject to the limitations of liability and exclusions in the Agreement, unless Applicable Data Protection Law requires otherwise.

If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA will control to the extent of the conflict.

10) Contact

FreeBraavos LTD, Menakhem Begin Rd 121, Tel Aviv-Yafo, Azrieli Sarona Tower, Israel.

DPA questions or requests? Email support@appdeploy.ai.

Annex 1 - Processing details

A. Subject matter

Deployment, hosting, operation, and support of Customer-deployed websites and web applications through AppDeploy, including processing necessary to build and deploy Customer code and to serve Customer deployments to end users.

B. Duration

For the term of the Agreement and as long as Customer deployments remain active, plus any retention periods described in the Agreement, this DPA, and AppDeploy's Privacy Policy.

C. Nature and purpose of processing

Receive Customer project files, configuration, and metadata for deployment.
Build and deploy Customer apps and host them at a URL.
Serve Customer-deployed apps to end users and visitors.
Operate, secure, monitor, and troubleshoot the deployment infrastructure.

D. Categories of data subjects

Customer (account users, administrators, and collaborators).
End users and visitors of Customer-deployed apps.

E. Categories of Personal Data

Identifiers and account-related information (for example, a user identifier, and optional email address if provided via social sign-in).
Customer content that may contain Personal Data (for example, text entered into an app, files uploaded to an app, or configuration values).
Technical and usage data related to hosting and serving deployments (for example, IP address, request headers, access logs, error logs, timestamps).

Customer controls what Personal Data is collected by Customer-deployed apps. Customer should avoid including secrets or restricted data in project files or logs.

F. Special categories of data

AppDeploy does not intentionally process special categories of Personal Data. Customer agrees not to provide such data unless Customer has a lawful basis and appropriate safeguards, and AppDeploy has agreed in writing.

Annex 2 - Technical and organizational measures

The measures below describe AppDeploy's approach to security. They may evolve as our service changes. AppDeploy will maintain measures designed to be appropriate for the risk of processing.

A. Access control

Principle of least privilege for internal access to production systems.
Access is limited to authorized personnel and protected through authentication controls.
Separation of environments (where feasible) and controlled access to administrative interfaces.

B. Encryption and transport security

TLS in transit for communications with the Services.
Encryption at rest for stored data where supported by underlying infrastructure services.

C. Logging and monitoring

Operational logging to detect and investigate reliability and security issues.
Efforts to reduce sensitive data in logs (for example, redacting obvious secrets and personal data where feasible).
Monitoring for service availability and abnormal behavior.

D. Vulnerability and patch management

Regular updates of dependencies and infrastructure components as appropriate.
Security review and incident response procedures for reported vulnerabilities.

E. Backups and recovery

Backups and disaster recovery practices designed to restore service availability.
Backup retention and deletion practices aligned with AppDeploy's Privacy Policy.

F. Subprocessor management

Use of reputable infrastructure providers for compute, storage, and identity services.
Contractual flow-down of data protection obligations to Subprocessors where applicable.
Maintenance of a public Subprocessors list and a notice process for changes.

Annex 3 - Subprocessors

The current list of Subprocessors is available at appdeploy.ai/subprocessors.