PokeDemo Data Processing Addendum (DPA)
Last updated: February 18, 2026
This Data Processing Addendum (“DPA”) supplements and forms part of the agreement between APEX IT LABS S.R.L. (“PokeDemo”, “Processor”, “we”) and the customer accepting the PokeDemo Terms of Service and/or placing an Order (“Customer”, “Controller”, “you”) (together, the “Agreement”).
This DPA applies only to the extent PokeDemo processes Customer Personal Data on behalf of Customer as a Processor under Applicable Data Protection Law. Where PokeDemo processes personal data as an independent Controller (for example, account administration, billing, tax, security, fraud/abuse prevention, and legal compliance), such processing is not governed by this DPA.
1. Definitions
1.1 “Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Customer Personal Data under the Agreement, including where applicable the GDPR and UK GDPR.
1.2. “Customer Personal Data” means any personal data contained in Customer Content or otherwise processed by PokeDemo on Customer’s behalf under the Service.
1.3. “Customer Content” has the meaning in the Terms of Service (including recordings, assets, metadata, and materials uploaded/captured/processed via the Service).
1.4. “Processing”, “Controller”, “Processor”, “Subprocessor”, “Supervisory Authority”, “Personal Data Breach” have the meanings in the GDPR.
1.5. “EEA” means the European Economic Area.
1.6. “UK GDPR” means the GDPR as incorporated into UK law, as amended.
1.7. “SCCs” means the European Commission Standard Contractual Clauses for transfers (as updated/replaced).
1.8. “Subprocessor” means any third party engaged by PokeDemo to process Customer Personal Data.
1.9. “UK Addendum” means the UK International Data Transfer Addendum to the EU SCCs (or successor).
1.10. “Restricted Data” has the meaning set out in the Terms, Section 11 (Restricted Data and Prohibited Capture), as may be updated from time to time in accordance with the Terms.
2. Roles and Scope
2.1 Customer is the Controller. Customer determines the purposes and means of processing Customer Personal Data within the Service.
2.2 PokeDemo is the Processor. PokeDemo processes Customer Personal Data only on behalf of Customer, in accordance with this DPA and Customer’s documented instructions, unless required to do otherwise by applicable law.
2.3 Order of precedence. If there is a conflict between this DPA and the Agreement regarding data protection terms, this DPA governs.
2.4 PokeDemo as controller for certain data. This DPA applies only to Customer Personal Data processed by PokeDemo as a Processor on behalf of Customer. PokeDemo may process certain personal data as an independent controller for its own purposes (for example, account management, billing, fraud prevention, security, and legal compliance) as described in the Privacy Policy.
3. Processing Details (Article 28(3))
3.1. Subject matter: Provision of the Service (recording ingestion, processing, preview, export generation/delivery, workspace collaboration, support).
3.2. Duration: For the term of the Customer’s use of the Service, plus the period required for deletion/return under Section 9 and any retention permitted under Section 9.5.
3.3. Nature and purpose: Hosting, storage, processing, transmission, rendering, export generation, and support operations to provide the Service; security and abuse prevention related to Customer Personal Data.
3.4. Categories of data subjects: Customer’s end users; employees/contractors; customers/prospects; trainees; website/app users; and any individuals whose data is included in Customer Content.
3.5. Categories of personal data: May include identifiers (name, email), usage data, technical identifiers, recordings (audio/video/screen capture), text shown/typed during capture, and metadata (timestamps, events, click paths). Customer controls what is captured/uploaded.
3.6. Special categories: Customer must avoid special categories and Restricted Data as defined in the Terms; see Section 6.
3.7. Annexes: The details above are expanded in Annex 1 (Description of Processing) and Annex 2 (Technical and Organizational Measures).
4. Processor Obligations
4.1 Instructions. PokeDemo will process Customer Personal Data only on documented instructions from Customer, including as necessary to provide the Service under the Agreement, unless required to do otherwise by applicable law. If PokeDemo believes an instruction infringes Applicable Data Protection Law, it will inform Customer (unless prohibited by law).
4.2 Confidentiality. PokeDemo will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations.
4.3 Security. PokeDemo will implement appropriate technical and organizational measures to protect Customer Personal Data, taking into account the nature of the processing and risks to individuals.
4.4 Subprocessors. Customer authorizes PokeDemo to use subprocessors to process Customer Personal Data for the Service. PokeDemo will impose data protection obligations on subprocessors that are substantially similar to those in this DPA and remains responsible for their performance as required by law. PokeDemo will make available the Subprocessor List upon request and will address objections as described in Section 10.5.
4.5 Data subject requests. Taking into account the nature of processing, PokeDemo will provide reasonable assistance to Customer to respond to data subject requests relating to Customer Personal Data. If PokeDemo receives a request directly, it will notify Customer unless legally prohibited.
4.6 Assistance and compliance. Taking into account the nature of the processing, PokeDemo will provide reasonable assistance to Customer with Customer’s obligations under Applicable Data Protection Law relating to security of processing, Personal Data Breaches (including notification as set out in Section 7), DPIAs, and prior consultation/regulatory consultations, to the extent applicable to the Service and within PokeDemo’s control.
4.7 Deletion/return. Upon termination or at Customer’s request, PokeDemo will delete Customer Personal Data or make it available for export/return as set out in Section 9, in accordance with the Agreement, except to the extent retention is required or permitted by applicable law (including backups and legal compliance).
4.8 Audits. PokeDemo will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by Customer (or an independent auditor) under reasonable notice, scope, and confidentiality conditions.
5. Customer Obligations
5.1. Lawful basis and transparency. Customer is responsible for having a lawful basis for processing, providing required notices, and obtaining any consents needed for recordings/capture, including workplace/communications rules and applicable secrecy laws.
5.2. Instructions and configuration. Customer is responsible for configuring the Service appropriately, limiting capture, and ensuring that Customer Content does not include Restricted Data (as defined in the Terms, Section 11) unless separately agreed in writing and lawfully handled.
5.3. Data accuracy and minimization. Customer is responsible for data minimization and for reviewing/redacting before sharing exports or deploying self-hosted bundles.
6. Restricted Data and Prohibited Content
6.1. Customer will not instruct PokeDemo to process Restricted Data (as defined in the Terms, Section 11) unless the parties separately agree in writing and implement any additional safeguards required by applicable law.
6.2. If Customer becomes aware that Restricted Data was captured, Customer will promptly delete, redact, or regenerate the relevant Customer Content and/or exports to remove it. PokeDemo will provide reasonable support upon request.
7. Personal Data Breach
7.1. Notification. PokeDemo will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2. Information provided. PokeDemo will provide information reasonably required for Customer to meet its breach reporting obligations, such as nature of the breach, likely consequences, and measures taken or proposed, to the extent available.
7.3. Customer responsibility. Customer is responsible for notifying Supervisory Authorities and data subjects where required.
8. Data Subject Requests and Cooperation
8.1 Routing requests. If PokeDemo receives a request from a Data Subject or Supervisory Authority relating to Customer Personal Data, PokeDemo will, where legally permitted, promptly notify Customer and direct the requester to Customer so Customer can respond, unless PokeDemo is legally required to respond directly.
8.2 Assistance. Taking into account the nature of the processing, PokeDemo will provide reasonable assistance to Customer, as required by Applicable Data Protection Law, for responding to Data Subject requests and for Customer’s obligations relating to DPIAs and prior consultation/regulatory consultations, to the extent relevant to the Service and within PokeDemo’s control.
8.3 Costs. Routine assistance is included. PokeDemo may charge reasonable fees (and will provide notice where practicable) for assistance that is excessive, repetitive, or requires substantial additional effort beyond the standard features and support included in the Service.
9. Deletion and Return
9.1 Product-level deletion. Customer may be able to delete certain projects or recordings through Service controls where available. When Customer deletes content through the Service, PokeDemo will remove it from Customer’s active workspace view and schedule deletion of the associated Customer Personal Data from active systems, subject to Section 9.4 and Section 9.5.
9.2 Export / return upon request. If Customer requests a copy of Customer Personal Data before deletion, PokeDemo will make it available through the Service’s standard export/download features and in the formats supported by the Service, subject to applicable fees/credits, security controls, and technical feasibility.
9.3 Account closure / termination. Upon termination of the Service or verified account deletion request (as applicable), PokeDemo will delete Customer Personal Data from active systems within a reasonable time, unless retention is required or permitted under applicable law or this DPA (including Section 9.4 and Section 9.5).
9.4 Backups. Customer Personal Data and related account data may persist in encrypted backups for a limited period until backups are rotated or overwritten. PokeDemo restricts access to backups and uses them only for disaster recovery, unless legally required.
9.5 Retention exceptions. PokeDemo may retain limited data where required or permitted for:
(a) compliance with legal obligations (including accounting/tax and statutory recordkeeping),
(b) security, fraud prevention, and abuse prevention,
(c) payment dispute handling, chargeback defense, and enforcement of the Agreement,
and (d) legitimate legal defense.
Any retained data will be protected in accordance with this DPA.
10. Subprocessors
10.1 General authorization. Customer provides general authorization for PokeDemo to appoint Subprocessors to process Customer Personal Data for the purpose of delivering the Service.
10.2 Subprocessor list on request. A list of PokeDemo’s current Subprocessors (“Subprocessor List”) will be made available to Customer upon request.
10.3 Flow-down terms. PokeDemo will enter into a written agreement with each Subprocessor that imposes data protection obligations that are no less protective than those in this DPA, including appropriate confidentiality and security obligations.
10.4 Responsibility. PokeDemo remains responsible for its Subprocessors as required by Applicable Data Protection Law, subject to the liability limits and mandatory law provisions in the Agreement.
10.5 Changes and objections (Business Users). PokeDemo may add or replace Subprocessors from time to time. Upon request, PokeDemo will provide Customer with an updated Subprocessor List. If Customer objects to a new Subprocessor on reasonable data protection grounds and PokeDemo cannot provide a commercially reasonable alternative, Customer may stop using the affected part of the Service (as reflected in the Terms, Section 9.7). Except where required by mandatory law, this does not entitle Customer to a refund for already purchased fees/credits.
11. International Transfers
11.1 EEA-first processing. PokeDemo will use EU/EEA-based regions for hosting and storage for the Service where available and as configured by PokeDemo.
11.2 Transfers may occur. Customer acknowledges that PokeDemo and its Subprocessors may process or allow access to Customer Personal Data from locations outside the EEA/UK (for example, due to Subprocessor operations, global network routing, or remote access for reliability and security).
11.3 Safeguards. To the extent Customer Personal Data is transferred from the EEA (or the UK) to a country not recognized as providing an adequate level of protection, PokeDemo will ensure that the transfer is subject to appropriate safeguards under Applicable Data Protection Law, such as the Standard Contractual Clauses and (for UK transfers) the UK International Data Transfer Addendum or another approved transfer mechanism, and will implement such safeguards with relevant Subprocessors where required.
11.4 SCCs incorporation. If SCCs are required for a transfer, the parties agree that the SCCs will apply. Annex 1 and Annex 2 of this DPA will serve as the relevant annexes to the SCCs, and Subprocessor information will be provided on request.
11.5 Information. Upon request, PokeDemo will provide information about the applicable transfer mechanism(s) used for relevant Subprocessors.
12. Audits and Compliance
12.1. Information. Upon written request, PokeDemo will provide reasonable information necessary to demonstrate compliance with this DPA.
12.2. Audit. Customer may audit PokeDemo’s compliance with this DPA no more than once per year, or more frequently if required due to a verified security incident affecting Customer Personal Data, subject to:
- reasonable advance notice;
- confidentiality obligations; and
- audit scope limited to Customer Personal Data processing systems relevant to the Service.
12.3. Third-party reports. Where available, PokeDemo may satisfy audit requests by providing relevant third-party audit reports, certifications, or summaries instead of permitting on-site audits.
12.4. Audit costs. Customer is responsible for its own costs of any audit. Customer will also reimburse PokeDemo for reasonable time and expenses incurred in supporting an audit (including responding to questionnaires and providing evidence), unless the audit identifies a material breach of this DPA by PokeDemo.
13. Liability
Liability under this DPA is subject to the liability limitations and exclusions in the Terms of Service, except to the extent prohibited by applicable law (including mandatory consumer rights where applicable).
14. Contact
Data protection inquiries: [email protected]
Support: [email protected]
Annex 1 — Description of Processing
A. Processing activities
Ingestion of Customer Content captured via extension/web app
Storage of recordings/assets/metadata
Rendering and preview (within dashboard, if enabled)
Export generation (HTML bundle) and delivery for download
Workspace collaboration and access control features
Troubleshooting/support (upon request)
Security monitoring and abuse prevention related to the Service
B. Data categories
Account/workspace identifiers (workspace ID, user ID)
Content-based data: screen capture/video/audio (if enabled), on-screen text, UI interactions, annotations, and metadata
Technical data: IP address, device/browser details, event logs, timestamps
C. Special categories
Not intended. Customer must not use the Service to process special categories of personal data (GDPR Article 9) or Restricted Data, as defined in the Terms Section 11 (Restricted Data and Prohibited Capture), unless the parties separately agree in writing and Customer implements any additional safeguards required by applicable law.
D. Recipients
Customer and its authorized users
PokeDemo personnel with role-based access
Approved Subprocessors (see Section 10)
E. Retention
As described in Section 9 and the Terms (including backups and retention exceptions).
Annex 2 — Technical and Organizational Measures (TOMs)
PokeDemo implements technical and organizational measures appropriate to the risks, which may include:
1) Access controls
- Role-based access control (RBAC) and least-privilege access for internal personnel.
- Strong authentication and secure credential handling (including multi-factor authentication for administrative access where applicable).
- Logical separation of customer workspaces/tenants.
2) Encryption and transmission security
- Encryption in transit (TLS).
- Encryption at rest where supported by the underlying infrastructure and configuration.
3) Operational security and monitoring
- Logging and monitoring for service reliability and security events.
- Alerting for abnormal access patterns where applicable.
- Audit logs for key operations where available.
4) Secure development and vulnerability management
- Change management practices for production deployments.
- Vulnerability management and timely patching of systems and dependencies.
5) Incident response
- Documented incident response and breach triage procedures.
- Personal Data Breach notification workflow consistent with Section 7 of this DPA.
6) Data lifecycle and retention
- Product-level deletion controls where available.
- Controlled retention practices and backup rotation/overwrite processes.
- Access controls for backups; backups used for disaster recovery.
7) Subprocessor governance
- Use of reasonable diligence when selecting Subprocessors and ensuring appropriate data protection terms are in place with them (including, where applicable, their standard DPAs).
- Subprocessor information is made available to Customer upon request as described in this DPA.
Annex 3 — Subprocessors (Available on Request)
PokeDemo maintains an up-to-date list of authorized Subprocessors used to deliver the Service and will provide this list to Customer upon request in accordance with Section 10.2 of this DPA.
PokeDemo may add or replace Subprocessors from time to time. Updated Subprocessor information will be made available to Customer upon request. Where Customer objects to a new Subprocessor on reasonable data protection grounds, the process in Section 10.5 applies.