Capydox Data Processing Agreement (DPA)
Terms under which Capydox acts as data processor for customers using the SaaS service, in line with GDPR and relevant data protection laws.
Last updated: May 21, 2026
This Data Processing Agreement (the "DPA") forms part of the main agreement between the customer (the "Customer" or the "Controller") and Capydox (the "Provider" or the "Processor") for the use of the API documentation and evidence service (the "Service").
The DPA governs how Capydox processes personal data on behalf of the Customer, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.
1. Parties and roles
- Controller (Customer)
The Customer is the natural or legal person who subscribes to the Service and determines the purposes and means of processing personal data incorporated into the Service.
- Processor (Capydox)
Capydox is a self-employed professional operating under the trade name "Capydox" and provides the Service to the Customer. For the purposes of this DPA, Capydox acts as Processor in relation to personal data processed on behalf of the Customer.
2. Subject matter, duration and nature of processing
- Subject matter
This DPA regulates the processing of personal data that Capydox carries out on behalf of the Customer in connection with the provision of the Service.
- Duration
This DPA remains in force for as long as Capydox processes personal data on behalf of the Customer under the main agreement. Upon termination, clause 11 (Deletion or return) will apply.
- Nature and purposes of processing
Capydox will process personal data solely to:
- Provide the Service subscribed by the Customer.
- Enable features such as collection import, OpenAPI generation and maintenance, evidence and documentation management, and team collaboration.
- Provide technical and security-related support for the Service.
- Categories of data subjects
As determined by the Customer, processing may involve data relating to:
- Staff of the Customer (employees, contractors, system administrators).
- Authorised end users of the Customer.
- Contacts of the Customer's own customers, suppliers or other third parties whose data may appear in technical content uploaded to the Service.
- Types of personal data
Depending on how the Customer uses the Service, the following data types may be processed:
- Basic identification data (name, surname, business email address, user identifiers).
- Usage data and activity logs relating to the Service.
- Technical data in API collections (for example URLs, parameters, headers, example bodies) which may occasionally contain personal data if the Customer includes such data in those elements.
The Customer agrees not to upload special categories of data (Art. 9 GDPR) unless a valid legal basis exists and Capydox has been informed in advance to assess any additional measures.
3. Controller's instructions
Capydox will process personal data only in accordance with the Customer's documented instructions, including the instructions in this DPA, the main agreement and settings configured by the Customer in the Service.
The Customer is responsible for:
- Defining the purposes and means of processing.
- Properly configuring user permissions, workspaces and security options.
If Capydox believes an instruction infringes data protection law, it will inform the Customer without undue delay, to the extent permitted by law.
4. Confidentiality
Capydox will ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory confidentiality obligation.
Access to personal data will be limited to those members of Capydox staff who need such access to provide the Service, in line with the principle of least privilege.
5. Security measures
Capydox will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
These include, among others:
- Encrypted communications via HTTPS/TLS between clients, the desktop application and servers.
- Role-based access controls and robust authentication mechanisms.
- Application-level encryption of specific sensitive fields stored in databases (for example workspace collection content, specifications, evidence and documentation in production environments).
- Logical separation of data between Customer accounts and workspaces.
- Regular backups and disaster recovery procedures.
- Vulnerability management and security incident handling processes.
Capydox may update or modify security measures provided that the overall level of protection is not reduced. Technical details may be further described in security documentation or annexes.
6. Sub-processors
- Authorisation to engage sub-processors
The Customer grants Capydox a general authorisation to engage sub-processors for the provision of the Service (for example hosting, database, email, payment, analytics, binary storage and authentication providers).
Capydox will:
- Maintain an up-to-date list of sub-processors in its legal documentation or a separate annex.
- Notify the Customer of any intended changes concerning the addition or replacement of sub-processors within a reasonable timeframe, allowing the Customer to raise justified objections.
- Obligations towards sub-processors
Capydox will:
- Enter into a written contract with each sub-processor imposing data protection obligations that are substantially equivalent to those in this DPA, particularly regarding security, confidentiality and assistance to the Controller.
- Remain liable to the Customer for the performance of its sub-processors' data protection obligations.
If the Customer reasonably objects to a new sub-processor and the Service cannot be provided without that sub-processor, the Customer may terminate the agreement as provided in the main contract.
7. International data transfers
Where the use of the Service involves international transfers of personal data outside the European Economic Area, Capydox will ensure that appropriate safeguards are in place, such as:
- Adequacy decisions of the European Commission.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Any other recognised safeguards under applicable data protection laws.
Capydox will provide the Customer, upon reasonable request, with information about international transfers and applicable safeguards, to the extent this does not reveal trade secrets or confidential information of third parties.
8. Assistance to the Controller
Taking into account the nature of processing and the information available, Capydox will assist the Customer, as reasonably possible, in fulfilling its obligations regarding:
- Data subject requests to exercise their rights (access, rectification, erasure, restriction, portability, objection and others where applicable).
- Notification of personal data breaches to supervisory authorities and, where required, to data subjects.
- Data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required.
The Customer remains responsible for deciding how to handle such requests or obligations and for the content of any communications with data subjects or authorities.
9. Personal data breaches
Capydox will notify the Customer without undue delay upon becoming aware of a personal data breach affecting personal data processed on behalf of the Customer.
The notification will include, where possible:
- A description of the nature of the breach.
- The categories and approximate number of data subjects concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
Capydox will cooperate with the Customer to provide any further information reasonably requested by the supervisory authority.
10. Audits and inspections
The Customer has the right to verify Capydox's compliance with this DPA.
Capydox will make available to the Customer the information necessary to demonstrate compliance and, where appropriate, allow for audits or inspections by the Customer or a third-party auditor mandated by the Customer.
Audits:
- Must be requested with reasonable advance notice.
- Are limited to systems and information relevant to the Service provided to the Customer.
- Must not unduly interfere with Capydox's normal operations or compromise the security or confidentiality of other customers.
Any extraordinary costs associated with on-site audits beyond standard verifications may be charged to the Customer as agreed between the parties.
11. Deletion or return of data
Upon termination of the Service or at the Customer's request, Capydox will, within a reasonable time and as instructed by the Customer:
- Return personal data processed on behalf of the Customer in a reasonably structured format; or
- Delete such data, unless retention is required by applicable law.
Capydox may retain blocked copies of data for as long as legal obligations or potential liabilities so require (for example tax or accounting obligations), applying appropriate security measures.
12. Responsibilities and limitations
Each party is responsible for complying with its respective obligations under GDPR and other applicable laws.
- The Customer is responsible for data protection principles, lawful bases for processing and information provided to data subjects.
- Capydox is responsible for its obligations as Processor as set out in this DPA.
Any limitations of liability set out in the main agreement will apply to this DPA to the extent they do not conflict with mandatory data protection rules.
13. Precedence and changes
In case of conflict between this DPA and the main agreement, this DPA will prevail with respect to data protection matters.
Capydox may update this DPA to reflect changes in law or the Service. In case of material changes, Capydox will inform the Customer with reasonable advance notice, allowing the Customer to object or terminate the agreement under the terms of the main contract.