Data Processing Addendum
GDPR-compliant processing terms for EU customer data
Effective Date: January 1, 2025
Version: 2.0
Company: Accel Express LLC (doing business as "AccelEx")
Address: 7901 4th St N, Ste 300, St. Petersburg, FL 33702, United States
This Data Processing Addendum ("DPA") forms part of the agreement between Accel Express LLC ("AccelEx", "Processor", "we", "us") and the customer ("Controller", "you") using the AccelEx platform. It applies where AccelEx processes Personal Data on behalf of Controller in connection with the Services, and where Controller is subject to the EU General Data Protection Regulation (GDPR), UK GDPR, or Swiss FDPA.
1. Definitions & Interpretation
"Personal Data" means any information relating to an identified or identifiable natural person processed by AccelEx on behalf of Controller under the Agreement.
"Processing" has the meaning given in Article 4(2) of GDPR.
"Data Subject" means the individual to whom Personal Data relates.
"Subprocessor" means any third-party processor engaged by AccelEx to process Personal Data.
"Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Standard Contractual Clauses (SCCs)" means the EU Commission Implementing Decision (EU) 2021/914.
2. Scope and Nature of Processing
Categories of Data Subjects
Employees, contractors, customers, suppliers, and business contacts of Controller whose information is contained within documents, invoices, contracts, support tickets, communications, or other unstructured inputs submitted to AccelEx for workflow processing.
Types of Personal Data
Name, contact details (email, phone, address), job title, payment/financial information appearing on invoices, identification numbers, correspondence metadata, case notes, contract counterparty details, and any other personal data embedded in operational documents submitted by Controller.
Processing Operations
Ingestion, extraction, structuring, normalization, validation, enrichment, scoring, audit logging, storage, and transmission of resolved work units. AccelEx converts unstructured inputs into deterministic, decision-ready records (e.g., verified invoices, risk-scored contracts, routed support cases) without human review unless explicitly requested.
Purpose of Processing
Execution of domain-specific workflow pipelines to generate completed, validated business work units from raw operational inputs. Outputs are ready-to-act records for enterprise systems or downstream decisions. Processing is strictly limited to delivering automated resolution of enterprise work as defined in the Agreement.
3. Controller Instructions & Compliance
AccelEx processes Personal Data only on documented instructions from Controller, unless required by EU or Member State law. Controller instructs AccelEx to process Personal Data to provide the Services (automated decision production from unstructured inputs). Controller is responsible for ensuring it has all necessary consents and lawful bases for processing. Controller shall not submit Special Categories of Personal Data (Art. 9 GDPR) unless explicitly enabled and agreed in writing. AccelEx will notify Controller of any instruction that violates GDPR.
4. Security Measures
AccelEx implements appropriate technical and organizational measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.3+)
- Access controls with least privilege and MFA for all personnel
- Audit logging of all processing operations and data access
- Regular penetration testing and vulnerability scanning
- Data residency controls (US default; EU region available on request)
- Ephemeral processing: raw inputs deleted immediately after resolution; only the structured, deterministic output and audit trail retained per retention policy
5. Subprocessors
Controller authorizes AccelEx to engage Subprocessors to provide the Services. A current list is below. AccelEx will notify Controller of new Subprocessors (by email or dashboard) at least 10 days prior to engagement. Controller may object to a new Subprocessor within 5 days; AccelEx will make commercially reasonable efforts to provide an alternative or Controller may terminate the affected Service part.
| Subprocessor Name | Purpose | Location |
|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure, storage, compute | US-EAST-1 (Virginia) |
| Vercel Inc. | Application hosting & delivery | United States |
| Upstash Inc. | Redis caching & rate limiting | United States |
All Subprocessors are bound by written agreements with data protection obligations at least as stringent as this DPA.
6. Data Subject Rights & Cooperation
AccelEx will assist Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). Controller is responsible for verifying Data Subject identity. AccelEx will provide, upon Controller's written request, Personal Data within its possession in a structured format. Where technically feasible, AccelEx will enable deletion or restriction of processing. Requests should be sent to privacy@accelexpress.com.
7. Data Breach Notification
Upon becoming aware of a Security Incident, AccelEx will notify Controller without undue delay (within 48 hours) and provide: description of incident, categories of affected Personal Data, estimated number of records, contact point for further information, and remediation status. AccelEx will take immediate measures to mitigate effects and prevent recurrence.
8. International Data Transfers
Personal Data is primarily processed in the United States. For transfers from the European Economic Area (EEA), Switzerland, or UK to the US, AccelEx relies on the Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission. Where SCCs apply, they are incorporated by reference. For UK transfers, the UK Addendum to the SCCs applies. For Swiss transfers, the Swiss FDPA recognized adequacy or SCCs as amended apply. Controller may request a signed copy of the SCCs at legal@accelexpress.com.
9. Audit Rights
Upon reasonable notice (at least 30 days) and once per 12-month period, Controller may conduct an audit of AccelEx's processing operations relevant to this DPA, limited to no more than one audit per year unless required by regulatory authority. Audits shall be during business hours, at Controller's expense, and subject to confidentiality obligations. AccelEx may provide a SOC 2 Type II report or equivalent third-party certification in lieu of an on-site audit.
10. Data Deletion & Return
Upon termination of the Agreement, AccelEx will, at Controller's election, return or delete all Personal Data processed under this DPA within 60 days, except where retention is required by law. Raw inputs (original documents, audio, images) are deleted immediately after successful workflow resolution; only the deterministic output record and audit trail are retained for the duration of the Agreement unless otherwise specified.
11. Liability & Governing Law
Each party's total aggregate liability under this DPA is subject to the limitation of liability terms in the Agreement. This DPA is governed by the laws of the State of Florida, except where GDPR requires the law of an EU Member State. Any disputes relating to data protection obligations shall be resolved in accordance with the SCCs where applicable.
Accel Express LLC (AccelEx)
7901 4th St N, Ste 300, St. Petersburg, FL 33702, United States
✉️ dpo@accelexpress.com | ☎️ +1 (727) 123-4567
GDPR Article 28 Compliant SCCs Incorporated US Data Processing