Data Processing Agreement
Last updated: April 13, 2026
This Data Processing Agreement ("DPA") applies to all customers ("Customer") of AgileVision Sp. z o.o. ("Provider") and governs Provider's processing of personal data on Customer's behalf in connection with the NoGaps knowledge base platform (the "Service"). By using the Service, Customer agrees to the terms of this DPA.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any other applicable data protection legislation ("Data Protection Legislation"). In the event of any conflict between this DPA and Customer's service agreement with Provider, this DPA shall prevail with respect to the processing of personal data.
1. Definitions
"Customer Data" means all data, files, and information submitted to or processed by the Service on Customer's behalf, including spaces, pages, comments, attachments, team membership, and any personal data therein.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
"Sub-processor" means any third party engaged by Provider to process Personal Data on Customer's behalf.
Other capitalised terms used in this DPA have the meanings given in the GDPR or, where applicable, in Customer's service agreement with Provider.
2. Scope and roles
2.1 Roles — For the purposes of Data Protection Legislation: Customer is the Controller (or, where Customer processes personal data on behalf of its own end customers, a Processor); Provider is the Processor (or Sub-processor, as applicable) acting on Customer's documented instructions.
2.2 Subject matter and purpose — Provider processes Personal Data solely to provide the Service — that is, to host, organise, and serve the knowledge base content created by Customer's team members within Customer's workspaces, as configured by Customer through the platform.
2.3 Nature of processing — The processing activities consist of: collection (via the NoGaps web application), structuring, storage, retrieval for display and export, version control, and logging for security and error resolution.
2.4 Categories of data subjects — Data subjects may include: Customer's employees and contractors who use the platform, Customer's administrators, and any other individuals whose personal data Customer chooses to record in the platform.
2.5 Types of personal data — Personal data processed may include: names, email addresses, Google account profile information, workspace and space membership, role assignments, page content (including any personal data authored by users), comments, and any other personal data Customer chooses to enter into the platform.
2.6 Duration — Processing shall continue for as long as Customer uses the Service. Upon cessation, Section 8 of this DPA applies.
3. Customer obligations and instructions
3.1 Lawful basis — Customer is responsible for ensuring that it has a lawful basis for the processing of Personal Data through the Service, including any necessary consents, privacy notices, or legitimate interest assessments toward its own team members and any other data subjects.
3.2 Instructions — Customer's instructions to Provider regarding the processing of Personal Data are documented in: (i) Customer's service agreement with Provider and this DPA; (ii) the workspace configuration created by Customer within the platform; and (iii) any written instructions provided by Customer to Provider from time to time. Provider shall process Personal Data only in accordance with Customer's documented instructions, unless required to do otherwise by applicable law, in which case Provider shall inform Customer (where permitted by law) before carrying out such processing.
3.3 Customer responsibility for data entered — Customer determines which team members are invited, which spaces and pages are created, and which content is recorded. Provider does not independently decide what Personal Data is processed or for what purpose.
4. Provider obligations
4.1 Confidentiality — Provider shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Processing limitations — Provider shall not: process Personal Data for any purpose other than providing the Service; sell, rent, or otherwise make Personal Data available to third parties for their own purposes; or combine Customer's Personal Data with data from other customers or sources, except in aggregated, anonymised form that does not identify Customer or any data subject.
4.3 Assistance — Provider shall, taking into account the nature of processing, assist Customer by appropriate technical and organisational measures in fulfilling Customer's obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection). Provider shall promptly notify Customer if it receives a request from a data subject directly, and shall not respond to such request without Customer's instructions unless required by law.
4.4 Data protection impact assessments — Provider shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Legislation and to the extent such assessment relates to the Service.
5. Sub-processors
5.1 Authorised sub-processors — Customer provides general authorisation for Provider to engage sub-processors, subject to the requirements of this Section. The current list of sub-processors is set out in Annex 1 to this DPA.
5.2 Obligations on sub-processors — Provider shall: enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those in this DPA; and remain fully liable to Customer for the performance of each sub-processor's obligations.
5.3 Changes to sub-processors — Provider shall notify Customer at least 30 days in advance of any intended addition or replacement of a sub-processor, including the sub-processor's name, location, and the nature of processing. Customer may object in writing within 15 days of receiving such notice if Customer has reasonable grounds relating to data protection. If Customer objects, Customer and Provider shall discuss the concern in good faith. If no resolution is reached within 15 days of the objection, Customer may terminate the Service, and Provider shall refund any prepaid fees for the unused portion of the subscription term.
6. Technical and organisational measures
6.1 Security measures — Provider shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Encryption
- Data in transit: TLS 1.2 or higher for all web requests and application access
- Data at rest: AES-256 encryption for stored data on Provider's infrastructure
- Session tokens are encrypted using iron-session and never logged in plaintext
Access control
- Role-based access control (Owner, Admin, Member, Guest) for all platform users
- Authentication via Google Sign-in (OAuth 2.0)
- Provider staff access to production systems requires individual named accounts with audit logging
- Principle of least privilege applied to all internal access
Infrastructure security
- Production infrastructure hosted in EU data centres
- Tenant data isolated at the database level
- Regular security patching and updates
Monitoring and logging
- Continuous monitoring of service availability and performance
- Application logs retained for security and error resolution
- Logs do not contain full Customer Data payloads; sensitive fields are masked or truncated
Operational practices
- Regular encrypted backups
- Incident response procedures documented and maintained
- Periodic review and update of security measures to reflect evolving threats and industry practices
6.2 No guarantee — While Provider implements the measures described above, no security measures are impenetrable. Provider does not guarantee that unauthorised access, disclosure, or loss will never occur, but commits to responding promptly and appropriately in accordance with Section 7.
7. Personal data breach
7.1 Notification — Provider shall notify Customer of any Personal Data breach without undue delay and in any event within 72 hours of becoming aware of the breach. Notification shall include, to the extent available: (i) the nature of the breach, including the categories and approximate number of data subjects and records concerned; (ii) the likely consequences of the breach; (iii) the measures taken or proposed to address the breach; and (iv) the contact point at Provider for further information.
7.2 Cooperation — Provider shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach, and in complying with Customer's notification obligations to supervisory authorities and data subjects under Data Protection Legislation.
7.3 Record-keeping — Provider shall maintain a record of all Personal Data breaches, including the facts, effects, and remedial actions taken.
8. Data return and deletion
8.1 Return — Upon termination of Customer's use of the Service, and upon Customer's written request made within 30 days, Provider shall make available to Customer a copy of any Personal Data processed under this DPA. All content is stored as Markdown in a Git repository and can be cloned directly. Additional exports are available in Provider's standard export format.
8.2 Deletion — Following the period described in Section 8.1, or upon Customer's earlier written instruction, Provider shall delete all Personal Data from its systems within 60 days, including from backups within the normal backup rotation cycle. Provider may retain Personal Data only to the extent required by applicable law, and shall inform Customer of any such requirement.
8.3 Certification — Upon Customer's written request, Provider shall provide written confirmation that deletion has been completed.
9. International transfers
9.1 Processing location — All Customer Data is processed within the European Economic Area. Provider's infrastructure and each sub-processor that processes Customer Data are configured to use EU regions (see Annex 1). The sub-processors listed in Annex 1 for Provider's public website (CDN, DDoS protection, and website analytics) do not process Customer Data.
9.2 US-incorporated sub-processors — Certain sub-processors are incorporated in the United States but process Customer Data exclusively in EU-hosted regions. Where the corporate jurisdiction of a sub-processor may give rise to obligations under foreign law (e.g. the US CLOUD Act), Provider shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical measures where necessary.
9.3 Future transfers — Provider shall not transfer Personal Data outside the EEA without first: (i) notifying Customer in accordance with Section 5.3; and (ii) ensuring that an appropriate transfer mechanism under Chapter V of the GDPR is in place.
10. Audits and compliance
10.1 Information — Provider shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Legislation.
10.2 Audits — Customer (or a qualified third-party auditor appointed by Customer and bound by confidentiality obligations) may conduct an audit of Provider's compliance with this DPA, subject to: (i) at least 30 days' prior written notice; (ii) a scope reasonably related to the processing activities; (iii) being conducted during normal business hours; and (iv) not unreasonably disrupting Provider's operations. Provider shall cooperate with and provide reasonable assistance for such audits.
10.3 Frequency — Customer may exercise its audit right no more than once per calendar year, unless required by a supervisory authority or in response to a Personal Data breach.
10.4 Costs — Customer and Provider shall each bear their own costs in connection with audits. If an audit reveals material non-compliance, Provider shall bear the reasonable costs of any follow-up audit.
11. Changes to this DPA
11.1 Updates — Provider may update this DPA from time to time to reflect changes in processing activities, sub-processors, security measures, or applicable law. Provider shall notify Customer of material changes at least 30 days before they take effect.
11.2 Continued use — Customer's continued use of the Service after the effective date of an updated DPA constitutes acceptance of the updated terms. If Customer does not agree with a material change, Customer may terminate the Service in accordance with its service agreement with Provider.
12. Governing law
This DPA shall be governed by and construed in accordance with the laws of the Republic of Poland. Any disputes shall be submitted to the competent courts of Krakow, Poland.
13. Contact
For questions or requests regarding this DPA, contact Provider at:
AgileVision Sp. z o.o.
Email: hello@agilevision.io
Annex 1 — Sub-processors
The following sub-processors are authorised as of the date shown above:
| Sub-processor | Purpose | Data processing location | Entity jurisdiction |
|---|---|---|---|
| Amazon Web Services, Inc. | Application hosting | EU region (eu-north-1, Stockholm) | United States |
| Google LLC | Authentication (Google Sign-in / OAuth 2.0) | EU region | United States |
| Turso (ChiselStrike, Inc.) | Database hosting (libSQL) | EU region | United States |
| Stripe, Inc. | Payment processing | EU region | United States |
| Cloudflare, Inc. | CDN and DDoS protection for website | Global edge network | United States |
| HubSpot, Inc. | CRM and marketing communications | EU region | United States |
| Plausible Insights OÜ | Website analytics (no personal data) | Estonia (EU) | Estonia (EU) |
© 2026 AgileVision Sp. z o.o. All rights reserved. NoGaps is a product of AgileVision.