GDPR Statement

Data Processing Agreement (DPA) pursuant to Art. 28 GDPR // Privacy Policy pursuant to Art. 13 GDPR

Table of contents

Data Processing Agreement (DPA) pursuant to Art. 28 GDPR

Preamble

1. Definitions

2. Roles and responsibilities

3. Subject matter, duration, and description of processing

4. Authority to give instructions and instruction process

5. Obligations of the controller

6. Obligations of the processor

7. Technical and organizational measures (TOM)

8. Subcontracting relationships (subprocessors/subcontractors)

9. Support with the rights of data subjects

10. Reporting of data breaches

11. Transfers to third countries and processing locations

12. Return and deletion after processing has ended

13. Rights of inspection and evidence

14. Liability, indemnification, limitations of liability

15. Applicable law and place of jurisdiction

16. Final provisions

Appendix 1 – Description of processing

Appendix 2 – TOM (reference to TOM chapter and TOM matrix)

Appendix 3 – List of Subprocessors

Privacy policy pursuant to Art. 13 GDPR for Apilex customers and end users

Controller and contact

What data do we process and for what purposes?

Recipients and categories of recipients

Transfers to third countries

Storage period

Rights of data subjects

Obligation to provide data

Automated decision-making

Data Processing Agreement (DPA) pursuant to Art. 28 GDPR

between

The controller within the meaning of this DPA is the respective natural or legal person, public authority, agency, or other body that uses Apilex services as a customer and is a contractual partner of Apilex ("Customer").

Company/organization: respective Customer (contractual partner)

Address: Address of the Customer as specified in the contract/order or stored in the respective Customer account

Represented by: legal representative of the Customer

Contact person for data protection/GTC: contact person designated by the Customer (e.g., data protection officer) or the contact email address stored in the Customer account

– hereinafter referred to as "controller" –

&

Processor (Apilex)

Official name: FITTY TEKNOLOJİ ANONİM ŞİRKETİ (operator of "Apilex")

Address (according to publicly available information, to be verified): Çifte Havuzlar Mah. Eski Londra Asfaltı Cad. Kuluçka Mrk. A1 Blok No:151/1C İç Kapı No:B34, Esenler/İstanbul, Turkey

Contact: info@apilex.ai, public telephone: 0 (850) 259 22 42

– hereinafter referred to as "Processor" –

jointly referred to as "Parties".

Preamble

(1) The Processor provides services to the Controller in connection with the Apilex platform (AI-assisted legal research, document analysis and document creation/editing, as well as document and case management).

(2) In doing so, the Processor processes personal data on behalf of the Controller. The Parties enter into this DPA to comply with the requirements of Art. 28 GDPR.

1. Definitions

The terms used in this DPA have the meanings assigned to them in the GDPR, in particular in Art. 4 GDPR (e.g., "personal data," "processing," "personal data breach").

2. Roles and responsibilities

(1) The controller is the controller within the meaning of Art. 4 No. 7 GDPR; the processor is the processor within the meaning of Art. 4 No. 8 GDPR.

(2) The controller determines the purposes and means of processing; the processor processes personal data only on documented instructions from the controller, unless required to do so by law.

(3) If the processor determines the purposes/means itself contrary to the instructions, it shall be considered the controller in this respect (Article 28(10) GDPR).

3. Subject matter, duration, and description of the processing

(1) The subject matter of this DPA is the processing of personal data in connection with the use of the Apilex platform and the associated support/operational services. The scope of the services and processing is set out in Annex 1.

(2) Duration: from the signing of the contract until the end of the main contract for the use of Apilex services; deletion/return in accordance with Section 12.

4. Authority to issue instructions and instruction process

(1) The controller is entitled to issue instructions at any time. Instructions must be issued at least in text form (email/ticket-based), documented, and implemented by the processor.

(2) The primary channel for issuing instructions is the support portal designated by the processor or the data protection contact email: privacy@apilex.ai.

Secondary communication channels may be agreed between the parties if necessary.

(3) If the processor considers that an instruction infringes data protection law, it must inform the controller immediately (Art. 28(3) GDPR, final subparagraph).

(4) The processor may not process data for its own purposes (in particular for its own model training purposes) unless this has been expressly agreed in writing and is permitted under data protection law.

5. Responsibilities of the controller

The controller is responsible in particular for:

(1) the lawfulness of the processing (including the legal basis, information obligations and, where required, a data protection impact assessment (DPIA, Art. 35 GDPR)), as well as accuracy, data minimization, and storage limitation within its sphere of influence;

(2) verifying that the processor provides sufficient guarantees of appropriate TOMs (Art. 28(1) GDPR; guidance of the German Data Protection Conference (DSK));

(3) issuing appropriate instructions and providing only the data necessary for the purpose ("need-to-know"), in particular in the case of sensitive client/case files.

6. Obligations of the processor

(1) Confidentiality: The processor shall ensure that the persons authorized to process the data have committed themselves to confidentiality or are subject to a legal obligation of secrecy.

(2) Records of processing: The processor shall maintain a record of all categories of processing activities carried out on behalf of the controller in accordance with Art. 30(2) GDPR.

(3) Cooperation: The processor shall assist the controller in responding to requests from, and contacts with, supervisory authorities in connection with the commissioned processing.

7. Technical and organizational measures (TOM)

(1) The processor shall implement and maintain TOMs in accordance with Art. 32 GDPR, taking into account the risk (confidentiality, integrity, availability and resilience of systems and services; the ability to restore availability and access after an incident; regular testing, assessing and evaluating the effectiveness of the measures).

(2) The TOM categories agreed upon at the conclusion of the contract are described in Appendix 2; specific technical parameters shall be documented by the processor.

(3) The processor declares that it has certified an information security management system in accordance with ISO 27001:2022 (publicly documented certificate).

8. Subcontracting relationships (subprocessors/subcontractors)

(1) The use of additional processors (sub-processors) is only permitted with the general written consent of the controller. In the event of general consent, the processor must inform the controller of any intended changes so that the controller can object.

(2) The processor shall impose on sub-processors, by contract, the same data protection obligations as set out in this DPA (Art. 28(4) GDPR).

(3) A current list of approved sub-processors (including country/region, purpose, and transfer mechanism) is maintained in Appendix 3; the processor may additionally publish it on a publicly accessible website.

The controller is responsible for reviewing this list regularly. Continued use of the services after an update shall be deemed consent to the updated list of subcontractors, subject to the right to object mentioned below.

(4) The controller may object, on legitimate grounds relating to data protection, to a new or replacement sub-processor within thirty (30) days of notification of the update to the list of sub-processors.

Any objection must be made in writing and must explain why the proposed subprocessor is unable to comply with applicable data protection laws.

In the event of a justified objection, the parties shall cooperate in good faith to find an economically viable alternative solution.

If no such solution can be found within a reasonable period of time, the controller may terminate the affected services after written notification.

9. Support with the rights of data subjects

(1) The processor shall assist the controller "as far as possible" in fulfilling requests from data subjects (Chapter III GDPR), e.g., through technical functions for information, correction, deletion, and export.

(2) If the processor receives a request directly, it shall forward it to the controller, to the extent permitted by law.

10. Reporting of data breaches

(1) The processor shall notify the controller of any personal data breach without undue delay, and in any case within 48 hours of becoming aware of it. The notification shall contain at least the following information: the nature of the breach, the categories of data concerned, the estimated number of persons affected, the likely consequences, and the remedial measures taken or recommended (based on the content requirements of Articles 33/34 GDPR).

(2) The processor shall assist the controller in reporting in accordance with Articles 33/34 GDPR.

11. Transfers to third countries and processing locations

(1) Personal data processed under this DPA shall primarily be hosted within the European Economic Area (EEA), including the data center infrastructure in Ireland.

Authorized employees of the processor based in Turkey may access personal data for the purposes of technical support, maintenance, troubleshooting, and security monitoring.

There is no systematic replication of production data outside the EEA.

Subprocessors (if any) and their respective processing locations are listed in Appendix 3.

(2) If personal data is transferred from the EEA to the processor or a sub-processor in a third country without an adequacy decision, the parties shall agree on appropriate safeguards in accordance with Art. 46 GDPR, in particular the standard contractual clauses (SCC) pursuant to Implementing Decision (EU) 2021/914 (Module 2, controller to processor, or the module matching the roles of the parties involved).

(3) In addition, supplementary measures (e.g., end-to-end encryption, key sovereignty, minimization, transparency reports) may be implemented based on the EDPB recommendations on supplementary measures for transfers to third countries (Recommendations 01/2020).

(4) The processor shall inform the controller if it is required by the law applicable to it to disclose/further process data, to the extent permitted by law.

12. Return and deletion after termination of processing

(1) Upon termination of the provision of services, the processor shall, at the controller's choice, delete or return the personal data and delete existing copies, unless there is a legal obligation to retain them.

(2) Personal data stored in backup or archive systems shall be deleted in accordance with the processor's standard backup retention cycle. Backup data shall be stored securely, logically separated, and protected by appropriate technical and organizational measures.

Deletion from active production systems shall take place promptly, and no later than one (1) day after termination of the services, unless otherwise agreed in writing.

Backup data will be automatically overwritten or deleted within a maximum period of ninety (90) days, unless a longer retention period is required by law.

(3) Proof: The processor shall provide the controller with confirmation of deletion upon request.

13. Rights of inspection and evidence

(1) The processor shall provide all information necessary to demonstrate compliance with this DPA and shall allow audits/inspections by the controller or designated auditors.

(2) Audits shall be conducted under the following conditions:

(a) Audits shall primarily be conducted remotely through the review of documentation and questionnaires and the provision of relevant certifications or audit reports ("remote-first approach").

(b) On-site inspections may only be carried out if absolutely necessary and if remote verification is insufficient.

(c) The controller must give at least thirty (30) days' written notice.

(d) Audits shall be conducted during normal business hours and in a manner that does not unreasonably disrupt the operations of the processor.

(e) The controller and its auditors shall be subject to strict confidentiality obligations.

(f) Audits may not take place more than once per calendar year, unless required by a competent supervisory authority or necessary due to a justified security incident.

(3) Certifications and audit reports (e.g., ISO 27001) may be recognized as evidence of compliance where appropriate.

14. Liability, indemnification, limitations of liability

(1) Liability to data subjects is governed by Art. 82 GDPR; contractual provisions may not restrict the rights of data subjects.

(2) Internally, the parties agree that each party shall be liable for damages caused by processing that violates applicable data protection law if it has failed to fulfill its obligations under the GDPR or this DPA.

If both parties are responsible for the same damage, each party shall be liable in proportion to its responsibility for the damage.

The parties shall cooperate in good faith in defending claims by data subjects or supervisory authorities.

(3) Limitation of liability (internal relationship): The total liability of the processor under this DPA shall not exceed the amount of fees paid by the controller in the six (6) months prior to the event giving rise to liability.

This limitation shall not apply in cases of intent or gross negligence.

15. Applicable law and jurisdiction

(1) This DPA shall be governed by the law applicable to the main service agreement, excluding conflict of law rules to the extent permitted.

(2) Any disputes arising out of or in connection with this DPA shall be subject to the jurisdiction of the courts that have jurisdiction over the main service agreement.

16. Final provisions

(1) Order of precedence: In the event of any conflict between this DPA and the main contract, this DPA shall take precedence with regard to data protection obligations.

(2) Amendments/additions must be made in writing.

Appendix 1 – Description of Processing

Parameter: Apilex SaaS

Subject: Provision of the Apilex platform: AI support for legal research/analysis, document upload/analysis, drafting of pleadings/contracts, semantic search, document/folder management, collaboration/sharing.

Duration: Term of the main contract + 90 days (backups)

Type of processing: Collection (via upload/input), storage, structuring/indexing, retrieval, evaluation/analysis, creation of text outputs/drafts, transmission (e.g., sharing/download), deletion.

Purpose of processing: Operation and provision of Apilex functions (analysis/generation/research), user/account management, support, and security.

Categories of data subjects: (i) Employees/agents of the controller as users, (ii) clients/parties/counterparties/witnesses/experts, etc. whose data is contained in uploaded cases/documents, (iii) other third parties mentioned in documents/chats.

Categories of personal data: Master data, contact details, communication/usage data, document content (including pleadings, contracts, evidence), metadata, log data.

Special categories (Art. 9 GDPR) / Art. 10 GDPR data: Possible depending on the mandate/case (health data, trade union membership, religion, criminal record data, etc.). Processing only in accordance with instructions and with increased TOMs.

Processing operations with AI: AI-supported analysis/generation; transparency/quality assurance/monitoring in accordance with the TOM appendix (Appendix 2). Apilex describes the results as drafts that do not constitute legal advice; review by users is required.

Processing locations: Amazon Web Services (AWS), Ireland (EEA); see Appendix 3.

Subcontractors: List in Appendix 3

Appendix 2 – TOM (reference to TOM chapter and TOM matrix)

A. Governance, organization, compliance

  • ISMS/policy system (e.g., ISO 27001-based), roles & responsibilities, regular effectiveness reviews (PDCA)

    • Implementation status: In progress

  • Training, confidentiality obligations, authorization processes

  • Management of suppliers/subcontractors (Art. 28), documentation, objection procedure

B. Access, identity, authorization

  • Session security, brute force protection, logging of administrator actions

C. Encryption

  • Transport encryption (state-of-the-art TLS), HSTS

    • Implementation status: Planned

  • Encryption of data at rest (DB/object storage/backups)

    • Implementation status: Implemented

D. Multi-tenancy and separation

  • Client isolation, separate indexes/vector spaces, separate keys/namespaces

E. Logging, monitoring, incident response

  • Security logging, SIEM/alerts, escalation processes, incident playbooks (support in accordance with Art. 33/34)

F. Backup, business continuity, availability

  • Backup strategy, recovery testing, RTO/RPO, DDoS protection

G. Secure development lifecycle

  • Code reviews, SAST/DAST, secret management, dependency scans, patch management

H. Data protection through technology design / data protection through default settings

  • Data minimization, purpose limitation, deletion concepts, test data policy

I. AI-specific TOMs

  • Reproducible/deterministic decision-relevant output components

  • Audit-proof documentation of model parameters/processing steps

    • Implementation status: Planned (documentation of parameters/workflows, tests during updates)

  • Regular risk assessments (e.g., red teaming)

  • Input filters against out-of-scope and circumvention attacks

  • Implementation details/evidence/verification data for each measure are maintained as maintenance fields by Engineering/Operations

Appendix 3 – List of subcontractors

No. 1
Subprocessor: Amazon Web Services EMEA SARL (AWS Ireland)
Address/Country: 38 Avenue John F. Kennedy, L-1855 Luxembourg (infrastructure located in Ireland)
Description of processing: Cloud infrastructure hosting, encrypted storage, backup (90-day rolling cycle), disaster recovery, system availability, infrastructure-level cybersecurity monitoring
Data categories: Customer-uploaded content, account data, metadata, system logs
Location of processing: Ireland
Security measures implemented: Encryption during storage and transmission (TLS 1.2+), logical separation by customer environments, role-based access control, MFA, continuous security monitoring, ISO 27001-certified infrastructure
Transfer mechanism: Processing within the EEA (no transfer to third countries)

No. 2
Subprocessor: Google Ireland Limited (Gemini)
Address/Country: Gordon House, Barrow Street, Dublin 4, Ireland
Description of processing: AI-powered text analysis and generation services exclusively for processing requested by the customer within the Apilex platform
Data categories: Content uploaded by the customer that is transmitted for AI processing
Location of processing: EEA
Security measures implemented: Processing in accordance with a DPA, no independent model training with customer data, encryption during transmission, access controls, contractual confidentiality obligations
Transfer mechanism: Processing within the EEA in accordance with the EU GDPR framework

No. 3
Subprocessor: OpenAI Ireland Ltd.
Address/Country: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, Ireland
Description of processing: AI-powered text analysis and generation services exclusively for processing requested by the customer within the Apilex platform
Data categories: Content uploaded by the customer that has been submitted for AI processing
Location of processing: EEA
Security measures implemented: Processing in accordance with a DPA, no independent use of customer data for training purposes, encryption during transmission, strict access controls, confidentiality protection measures
Transfer mechanism: Processing within the EEA in accordance with the EU GDPR framework

Privacy policy in accordance with Art. 13 GDPR for Apilex customers and end users

Controller and contact

The controller for the processing described in this privacy policy (website, account management, marketing, support, security logging) is: FITTY TEKNOLOJİ ANONİM ŞİRKETİ (Apilex)

Contact: privacy@apilex.ai; Istanbul/Turkey (including Esenler and Şişli/Bomonti).

Data Protection Officer: privacy@apilex.ai

EU representative pursuant to Art. 27 GDPR: Mr. Erden Yücel, privacy@apilex.ai

What data do we process and for what purposes?

The following information relates to processing operations in which Apilex generally acts as the controller (website, account, support, etc.). For "customer content" processed on behalf of the customer, the provisions of the DPA above also apply.

Account/usage data (platform operation)

Data types: Identity (name), contact information (email, phone number, address), account information (login details/password hashes, roles/rights, job-related information).

Purposes: User management, provision of platform functions (e.g., document management, analysis/drafting, research), billing, support, abuse prevention. Apilex defines the uploading/analyzing and creating of documents, among other things, as core functions.

Legal basis: Art. 6(1)(b) GDPR (contract/contract preparation) for basic operation; Art. 6(1)(f) GDPR (legitimate interest) for security/error analysis; Art. 6(1)(c) GDPR for legal obligations (e.g., commercial/tax law retention obligations), if applicable.

Content uploaded/entered by you (customer content)

Types of data: All types of personal data relating to document content (e.g., contracts, pleadings, files), text entries/prompts, generated outputs/drafts, metadata. Uploads and analysis functions are explicitly described as part of the product.

Role: As a rule, Apilex acts as processor for corporate customers; the legal bases and information obligations primarily lie with the corporate customer as the controller.

Note on sensitivity: Legal documents may contain special categories of personal data or data relating to criminal convictions and offences; therefore, increased security measures and restrictive access rules are required.

Support and communication data

Data types: Email communication, ticket content, telephone metadata if applicable. Apilex offers contact via email and provides a telephone number.

Purposes: Responding to inquiries, troubleshooting, customer support.

Legal basis: Art. 6(1)(b) GDPR (contractual support) or Art. 6(1)(f) GDPR (legitimate interests, e.g., efficient processing of support).

Website usage data and cookies

Types of data: Online identifiers (cookie IDs), usage/performance data, marketing/tracking data (depending on cookie settings). Apilex describes the use of cookies, including third-party cookies, for "advertising and analysis" and cites "Google" as an example.

Purposes: Website operation/security (strictly necessary cookies), performance measurement, reach measurement, marketing/retargeting (depending on opt-in).

Legal basis (GDPR): Art. 6(1)(f) GDPR for technically necessary cookies/security purposes; Art. 6(1)(a) GDPR for non-essential analytics/marketing cookies (consent), where required. Transparency requirements: WP29/EDPB guidelines on transparency.

Recipients and categories of recipients

We share personal data with the following categories of recipients as necessary:

  • IT service providers/hosting/cloud infrastructure (platform operation)

    • Amazon Web Services (AWS), Ireland (EEA)

    • Purpose: Hosting, storage, and infrastructure services for the Apilex platform.

    • Transfer mechanism: Not applicable for processing within the EEA.

  • AI model services operated within the European Economic Area.

    • Purpose: AI inference and document analysis services provided as part of the Apilex platform.

    • No personal data is transferred to the United States or other third countries in connection with these services.

Authorized employees of the processor based in Turkey may access personal data for technical support, maintenance, and operational purposes. This access constitutes access from a third country pursuant to Chapter V of the GDPR and is protected by the standard contractual clauses (Module 2) referred to in Section 11 of the DPA above.

Transfer to third countries

Apilex is operated by a company established in Turkey; processing or transfers may therefore take place outside the EEA.

For data transfers to third countries without an adequacy decision, we use appropriate safeguards in accordance with Art. 46 GDPR, in particular the Standard Contractual Clauses (SCC) in accordance with Implementing Decision (EU) 2021/914.

In addition, we review and implement supplementary measures as necessary in accordance with the EDPB's recommendations on supplementary measures for transfers to third countries.

Storage period

Unless there are specific publicly documented deletion periods, the following apply:

  • Account master data: until the end of the contract + 6 months (unless there are legal retention obligations).

  • Customer content: as instructed/contracted; standard retention period: 6 months; backups: 90 days.

  • Log/security data: 180 days.

Principle: Storage only for as long as necessary for the respective purpose (Art. 5 (1) (e) GDPR).

Rights of data subjects

Depending on your role (Apilex as controller or processor), you have the following rights:

  • Right of access (Art. 15), Right to rectification (Art. 16), Right to erasure (Art. 17), Right to restriction of processing (Art. 18), Right to data portability (Art. 20), Right to object (Art. 21), Right to withdraw consent (Art. 7(3)).

  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Important: If you use Apilex through your employer/law firm and your request concerns "customer content," please first contact your employer/law firm as the controller; Apilex will assist them within the scope of the DPA.

Obligation to provide data

Without the provision of certain data (e.g., email/account data), it may not be possible to set up or manage a platform account.

Automated decision-making

Apilex generates AI-supported responses/drafts and points out in its terms of use that the results do not constitute legal advice and must be reviewed by users. As a standard function, there are therefore generally no decisions based solely on automated processing that produce legal effects within the meaning of Art. 22 GDPR; nevertheless, customers should review their specific use case.