Last updated: July 8, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Appesco B.V. ("Processor", "we", "us") and the organization using z3t.ai ("Customer", "Controller").
This DPA applies whenever Customer submits or makes available personal data through the Platform and, to the extent required by applicable data protection laws, including the GDPR, Customer acts as a controller and Appesco B.V. acts as a processor on Customer's behalf.
This DPA should be read together with our:
2. Roles of the Parties
Customer as Controller
Customer is the controller for personal data submitted to, stored in, or processed through the Platform.
Customer is responsible for:
- determining the purposes and means of processing;
- establishing a lawful basis for processing;
- providing privacy notices where required;
- obtaining any required consents;
- responding to data subject requests.
Appesco as Processor
Appesco B.V. acts as a processor and processes personal data solely on behalf of Customer and in accordance with Customer's documented instructions.
Independent Controller Activities
Appesco B.V. acts as an independent controller with respect to:
- account registration information;
- billing records;
- security logs;
- fraud prevention activities;
- legal compliance activities;
- support communications.
Those activities are governed by our Privacy Policy.
Marketplace Runs
Where a Buyer submits personal data to an Agent published by another Creator:
- the Buyer is responsible for the personal data it chooses to submit;
- the Creator determines how the Agent processes that data, including the AI providers and integrations it uses;
- Appesco B.V. acts as a processor with respect to the execution of the run.
Buyers and Creators are each responsible for ensuring an appropriate legal basis for their respective roles in the processing and, where required by applicable law, for putting appropriate arrangements in place between themselves.
3. Subject Matter and Duration
The subject matter of processing is the provision and operation of the Platform.
Processing begins when Customer submits personal data to the Platform and continues for the duration of Customer's use of the services and any applicable retention period.
The duration and scope of processing depend on the functionality selected by Customer and the data submitted to the Platform.
4. Processing Instructions
Appesco B.V. will process personal data only:
- on documented instructions from Customer;
- as necessary to provide the Platform;
- as required by applicable law.
Customer instructs Appesco B.V. to process personal data as necessary to:
- host and operate the Platform;
- execute Customer-configured workflows and Agents;
- store, transmit, and display Customer data;
- provide support and troubleshooting;
- maintain reliability and security.
Where legally permitted, Appesco B.V. will inform Customer if applicable law requires processing beyond Customer's instructions.
5. Customer Responsibilities
Customer represents and warrants that:
- it has a lawful basis for processing personal data;
- it has authority to provide personal data to Appesco B.V.;
- its use of the Platform complies with applicable law;
- it will not instruct Appesco B.V. to process personal data unlawfully.
Customer remains solely responsible for the content and legality of data submitted to the Platform.
6. Confidentiality
Appesco B.V. shall ensure that personnel authorized to process personal data:
- are subject to appropriate confidentiality obligations; and
- access personal data only where necessary to perform their duties.
7. Security Measures
Appesco B.V. shall implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
Measures may include:
- encryption in transit;
- encryption at rest;
- access controls;
- multi-factor authentication;
- monitoring and logging;
- security maintenance procedures.
Additional information regarding current security practices is available on our Security page.
Unless otherwise stated, run inputs and outputs are retained in primary storage for seventy-two (72) hours by default before removal.
8. Subprocessors
Customer authorizes Appesco B.V. to engage subprocessors to provide portions of the Platform.
A current list of subprocessors is available on our Subprocessors page.
Appesco B.V. shall:
- enter into agreements with subprocessors that provide appropriate data protection obligations;
- remain responsible for the performance of its obligations under this DPA.
If Customer has reasonable data protection concerns regarding a newly appointed subprocessor, Customer may object by contacting [email protected] within thirty (30) days after publication of the change.
The parties shall work in good faith to address such concerns.
9. Assistance with Data Subject Rights
Taking into account the nature of the processing, Appesco B.V. will provide reasonable assistance to enable Customer to respond to requests relating to:
- access;
- correction;
- deletion;
- portability;
- restriction;
- objection;
- other applicable rights.
10. Personal Data Breach Notification
Appesco B.V. will notify Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on Customer's behalf.
Such notification will include information reasonably available to Appesco B.V. and necessary to support Customer's compliance obligations.
11. International Transfers
Customer acknowledges that personal data may be processed in countries outside the European Economic Area or the United Kingdom.
Where required by applicable law, Appesco B.V. shall implement appropriate safeguards, including:
- Standard Contractual Clauses;
- adequacy decisions;
- other legally recognized transfer mechanisms.
12. Audits and Compliance Information
Upon reasonable written request and no more than once per calendar year, Appesco B.V. shall make available information reasonably necessary to demonstrate compliance with this DPA.
Appesco B.V. may satisfy such requests through:
- security documentation;
- certifications;
- audit reports;
- compliance questionnaires;
- similar materials.
Any audit must:
- occur during normal business hours;
- avoid unreasonable disruption;
- be subject to confidentiality obligations.
Customer shall bear its own audit costs unless otherwise required by law.
13. Deletion and Return of Data
Upon termination of Customer's account and subject to applicable retention obligations, Appesco B.V. will delete or return personal data processed on Customer's behalf.
Appesco B.V. may retain data where required by:
- law;
- regulation;
- legal process;
- security requirements;
- backup and disaster recovery procedures.
14. Liability
Liability arising under this DPA shall be subject to the liability limitations contained in the Terms and Conditions, except to the extent prohibited by applicable law.
15. Order of Precedence
If a conflict exists between this DPA and the Terms and Conditions regarding the processing of personal data, this DPA shall control with respect to that processing.
Annex I — Description of Processing
Categories of Data Subjects
Depending on Customer's use of the Platform, personal data may relate to:
- employees;
- contractors;
- representatives;
- customers;
- end users;
- individuals whose information is submitted by Customer.
Categories of Personal Data
Categories may include:
- names;
- contact information;
- employment information;
- account information;
- communications;
- uploaded content;
- workflow inputs and outputs;
- technical information contained in submitted data.
Nature and Purpose of Processing
Personal data is processed solely for the purpose of:
- providing and operating the Platform;
- executing Customer-configured Agents and workflows;
- storing, transmitting, displaying, and securing Customer data;
- providing support and troubleshooting;
- maintaining Platform reliability and security.
Duration of Processing
Personal data is processed for the duration of the Customer relationship and thereafter only as necessary to satisfy legal, operational, security, backup, and contractual requirements.
Contact
Questions regarding this DPA may be directed to:
Appesco B.V.
Hofwijckstraat 18, 2275 AL, Voorburg, The Netherlands
KvK: 82619468
VAT: NL862541499B01
Email: [email protected]