Data Processing Addendum

Last updated: Dec 4, 2025

This Data Processing Addendum (“Addendum”) forms part of, and is incorporated into, the Terms of Service available at https://approveit.today/terms-of-service (“Terms”), and governs Approveit Inc.’s Processing of Personal Data on behalf of the Customer as part of the Services.

This Addendum is intended to meet the requirements of global data protection and privacy laws applicable to Approveit Inc. in its role as a processor or service provider, including but not limited to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and other Applicable Privacy Regulations.

By accessing or using the Services, the Customer enters into this Addendum with Approveit Inc., a corporation organized under the laws of the State of Delaware.

Where the Customer requires specific regional transfer mechanisms (such as the EU Standard Contractual Clauses, or the UK Addendum), the Customer shall notify Approveit at support@approveit.today, and Approveit will make the appropriate terms available.

In case of conflict between the Terms and this Addendum, this Addendum prevails with respect to the Processing of Personal Data. In case of conflict between this Addendum and any applicable Standard Contractual Clauses, the latter shall prevail.

Capitalized terms not defined in this Addendum have the meanings assigned to them in the Terms or, if not defined there, the meanings provided under applicable data protection laws and in Section 8 (Definitions) below.

1. Scope and Roles of the Parties

1.1 Scope.
This Addendum governs Approveit Inc.’s Processing of Personal Data on behalf of the Customer as necessary to provide the Services in accordance with the Terms. It applies to all Processing activities that Approveit performs as part of the Services, regardless of the Customer’s location or the jurisdiction in which the Personal Data originates.


1.2 Roles of the Parties.
For the purposes of this Addendum and applicable data protection and privacy regulations:

  • the Customer may act as a data controller or a data processor, as applicable; and

  • Approveit Inc. shall act as a data processor, or where the Customer acts as a processor, as a sub-processor, Processing Personal Data on behalf of the Customer and in accordance with this Addendum.

1.3 Customer Warranties (when acting as Processor).
Where the Customer acts as a Data Processor, the Customer represents and warrants that:

  1. it is authorized by the relevant data controller to appoint Approveit as a sub-processor;

  2. the Customer’s instructions to Approveit accurately reflect the instructions of the relevant data controller; and

  3. the Customer has established and documented all legal bases or other requirements necessary to permit Approveit’s Processing of Personal Data on behalf of the Customer.

1.4 Customer Instructions.
Approveit shall Process Personal Data only on the Customer’s documented instructions, including instructions relating to international transfers, as set out in this Addendum, the Terms, or Exhibit 1. Approveit shall not Process Personal Data for any other purpose. Any instruction that falls outside the scope of the Services or the Processing activities described in Exhibit 1 may constitute a request for additional services and may require prior written agreement.


1.5 Nature and Purpose of Processing.
Approveit shall Process Personal Data solely as necessary to provide, maintain, support, secure, and improve the Services, or as otherwise permitted under the Terms or this Addendum.


1.6 Customer Responsibility.
The Customer is responsible for ensuring that its use of the Services and its instructions to Approveit comply with applicable data protection and privacy regulations, including where the Customer acts as a processor on behalf of a third-party data controller.

2. Processor’s Duties

Processing of Personal Data

2.1 Compliance with Applicable Privacy Regulations.
Approveit shall comply with the data protection and privacy regulations applicable to its role as a processor or sub-processor in connection with the Services. Upon request, Approveit shall provide the Customer with information reasonably necessary to demonstrate its compliance with this Addendum.


2.2 Assistance with Data Subject Requests.
Taking into account the nature of the Processing, Approveit shall assist the Customer, to the extent reasonably required, in responding to requests from individuals exercising their rights under Applicable Privacy Regulations.


2.3 Assistance with Assessments and Regulatory Inquiries.
To the extent required under Applicable Privacy Regulations and taking into account the nature of the Processing and the information available to Approveit, Approveit shall assist the Customer with:

  1. conducting data protection impact assessments or similar assessments required by law; and

  2. responding to inquiries, investigations, or consultations initiated by regulatory authorities relating to the Processing of Personal Data under this Addendum.

2.4 Assistance with Security Obligations.
Approveit shall assist the Customer in ensuring compliance with its security-related obligations under Applicable Privacy Regulations, taking into account the nature of the Processing and the information available to Approveit.

2.5 Breach Notification.
Approveit shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Customer. Such notification shall include information reasonably required for the Customer to meet its obligations under Applicable Privacy Regulations.

2.6 Audits and Information Rights.
Approveit shall make available to the Customer the information reasonably necessary to demonstrate its compliance with this Addendum. The Customer agrees that its audit rights may be satisfied through Approveit’s provision of third-party audit reports, certifications, or other documentation made available by Approveit.


2.7 Government and Third-Party Requests.
Approveit shall promptly notify the Customer if it receives any legally binding request from a public authority or third party for access to Personal Data Processed on behalf of the Customer, unless such notification is prohibited by law. If notification is prohibited, Approveit will use reasonable efforts to challenge or limit such disclosure to the extent permitted under applicable law.

3. Confidentiality and Security Measures

3.1 Confidentiality.
Approveit shall ensure that all personnel authorized to Process Personal Data on its behalf are bound by appropriate contractual or statutory obligations of confidentiality and receive training appropriate to their responsibilities regarding the handling of Personal Data.


3.2 Technical and Organizational Measures.
Approveit shall implement and maintain the technical and organizational measures set out in Exhibit 3. These measures are designed to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage, and to support Approveit’s compliance with applicable privacy and data protection regulations, including Article 32 of the GDPR where relevant.


3.3 Updates to Security Measures.
Approveit may update or modify the technical and organizational measures in Exhibit 3 from time to time to reflect developments in industry standards, technology, or Approveit’s security practices, provided that such updates do not materially reduce the overall level of protection for Personal Data.


3.4 Customer Acknowledgment.
The Customer acknowledges that the technical and organizational measures described in Exhibit 3 are designed to provide a level of security appropriate to the nature of the Processing and the risks involved.

4. Subprocessors

4.1 General Authorization.
The Customer provides a general authorization for Approveit to engage Subprocessors to support the provision of the Services. The current list of Subprocessors is set out in Exhibit 2 and may be updated by Approveit from time to time.

4.2 Updates to Subprocessors.
Approveit may add or replace Subprocessors by updating this Addendum or another publicly accessible location referenced in the Terms. Any such update becomes effective upon publication. The Customer is responsible for reviewing updates and may raise reasonable data protection concerns regarding a new Subprocessor.


4.3 Subprocessor Obligations.
Approveit shall require its Subprocessors to comply with data protection obligations that offer a level of protection for Personal Data no less protective than those set out in this Addendum. Approveit remains responsible for the acts and omissions of its Subprocessors in connection with the Processing of Personal Data under this Addendum.

5. Cross-border Transfers of Personal Data

5.1 Transfers.
Approveit Processes Personal Data in the United States. The provision of the Services may involve the Processing of Personal Data outside the Customer’s jurisdiction and in countries that may have different privacy and data protection regulations than those applicable to the Customer.


5.2 GDPR / UK Transfers (If Applicable).
If the Customer is subject to the GDPR or the UK GDPR and requires a lawful transfer mechanism for transfers of Personal Data to Approveit or its Subprocessors located outside the EEA or the UK, the Customer shall notify Approveit at support@approveit.today. Approveit will make the applicable EU Standard Contractual Clauses (“SCCs”) or the UK Addendum available upon request.


5.3 Subprocessor Transfers.
Where required under Applicable Privacy Regulations, Approveit may enter into the SCCs (using Module 2 or Module 3, as appropriate) or other appropriate transfer mechanisms with its Subprocessors upon the Customer’s request.

6. Deletion or Return of Personal Data

Upon termination or expiration of the Services, Approveit shall, at the Customer’s choice and to the extent reasonably practicable, delete or return all Personal Data Processed on behalf of the Customer, unless retention is required by applicable law. Approveit may retain secure archival copies solely to the extent permitted under applicable regulations. Approveit shall ensure that any deletion is carried out in accordance with its data retention and destruction policies.

7. Limitation of Liability

The Parties agree that the limitations and exclusions of liability set out in the Terms apply to this Addendum. Nothing in this Addendum shall limit either Party’s liability where such limitation is not permitted under applicable law.

8. Definitions

For the purposes of this Addendum, and unless stated otherwise, the following capitalized terms have the meanings set out below:

Addendum means this Data Processing Addendum, including all Exhibits incorporated into it.


Agreement means the Terms of Service and any other applicable agreements governing the Customer’s use of the Services.


Applicable Privacy Regulations means all data protection and privacy laws applicable to Approveit in its role as a processor or service provider, including the GDPR, the UK GDPR, and comparable privacy laws applicable to the Customer or the Processing of Personal Data.


Customer means the entity or individual that has entered into the Agreement and uses the Services, and on whose behalf Approveit Processes Personal Data.


Data Controller or Controller means the entity that determines the purposes and means of Processing Personal Data, as defined under Applicable Privacy Regulations.

Data Processor or Processor means the entity that Processes Personal Data on behalf of a Controller, as defined under Applicable Privacy Regulations.


Data Subject means an identified or identifiable individual whose Personal Data is Processed under the Agreement and this Addendum.


Personal Data means any information relating to a Data Subject that is defined as “personal data,” “personal information,” or any equivalent term under Applicable Privacy Regulations and that Approveit Processes on behalf of the Customer.


Personal Data Breach means any confirmed or reasonably suspected unauthorized access, acquisition, disclosure, alteration, or destruction of Personal Data, or any event otherwise constituting a “data breach” under Applicable Privacy Regulations.


Process or Processing means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, storage, transmission, access, retrieval, modification, disclosure, or deletion.


Services means the Approveit platform and related products or services provided under the Agreement.


Standard Contractual Clauses or SCCs means the European Commission’s standard contractual clauses for the transfer of personal data to third countries, in the form made available by Approveit upon Customer request.


Subprocessor means any third party engaged by Approveit to Process Personal Data on its behalf in connection with the Services.

Exhibit 1 — Details of the Data Processing

1. Subject Matter
Processing of Personal Data as necessary to provide, operate, maintain, and support the Approveit Service in accordance with the Agreement and this Addendum.


2. Duration
For the term of the Agreement and until all Personal Data is deleted or returned in accordance with Section 6 of the Addendum.


3. Nature of the Processing
Approveit processes Personal Data as required to provide the Services, including:

  • receiving, storing, and transmitting approval requests;

  • enabling approval workflows inside integrated platforms (such as Slack);

  • displaying workflow-related information to users;

  • maintaining logs, metadata, and audit trails;

  • securing, backing up, and updating the Service;

  • deleting or returning data upon termination.


4. Purpose of the Processing
To enable the Customer to create, manage, and automate approval workflows and related communication within the Approveit Service.


5. Categories of Personal Data
Personal Data processed may include, as applicable:

  • name, display name, username, or nickname;

  • workplace information (e.g., team, department);

  • identifiers provided by integrated platforms (e.g., Slack user ID);

  • content of approval requests and workflow messages;

  • timestamps (e.g., creation time, approval time);

  • usage logs and metadata necessary for service functionality and security.


6. Categories of Data Subjects
Personal Data relates to:

  • Customer’s employees, contractors, and other authorized users of the Approveit Service;

  • individuals whose data is included in approval workflows submitted by the Customer.

Exhibit 2 — Subprocessors

Approveit engages the Subprocessors listed below to support the provision of the Services. Each Subprocessor Processes Personal Data only as necessary to perform the services described.

Amazon Web Services (AWS)
  Purpose of Processing: Core infrastructure, hosting, databases, storage, backups
  Types of Personal Data Processed: Account data; workflow records; attachments; logs
  Region: US (default) / EU (if Customer requests an EU-hosted environment)

Slack Technologies, LLC
  Purpose of Processing: Workflow notifications and approval actions via Slack integration
  Types of Personal Data Processed: User identity; approver metadata; message payloads
  Region: USA

Microsoft Teams / Microsoft Corporation
  Purpose of Processing: Workflow notifications and collaboration via Teams integration
  Types of Personal Data Processed: User identity; workflow metadata
  Region: Global (depends on Customer’s tenant region)

HubSpot, Inc.
  Purpose of Processing: CRM and communication management
  Types of Personal Data Processed: Email addresses; contact details; company information
  Region: US / EU

Intercom R&D Unlimited Company
  Purpose of Processing: Customer support chat, helpdesk, in-app support
  Types of Personal Data Processed: User identity; support chat messages; usage context
  Region: USA

Stripe, Inc.
  Purpose of Processing: Payment processing and billing
  Types of Personal Data Processed: Billing identifiers; tokenized payment metadata
  Region: USA

Fathom.video
  Purpose of Processing: Meeting transcription and conversation summaries
  Types of Personal Data Processed: Voice/video transcripts; participant information
  Region: USA

Hotjar Ltd.
  Purpose of Processing: Behavioral analytics (heatmaps, clicks, session activity)
  Types of Personal Data Processed: Session metadata; device logs
  Region: EU

Amplitude, Inc.
  Purpose of Processing: Product analytics and usage events
  Types of Personal Data Processed: Usage events; metadata; device identifiers
  Region: USA

Zoom Video Communications, Inc.
  Purpose of Processing: Video conferencing, call recording
  Types of Personal Data Processed: Names, email addresses, meeting participation data, audio/video recordings (if enabled), chat messages, device/connection metadata
  Region: USA

Exhibit 3 — Technical and Organizational Measures

Approveit maintains an information security program designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure. The measures described below apply to Approveit and all Subprocessors engaged in the provision of the Services.


1. Organizational Security

  • Approveit maintains a documented information security program aligned with AICPA SOC 2 Type II requirements.

  • Security roles and responsibilities are defined.

  • All personnel receive appropriate security and privacy training and are subject to confidentiality obligations.


2. Access Control

  • Access to systems containing Personal Data is restricted based on role and least-privilege principles.

  • Approveit requires unique user IDs, strong authentication, and password standards.

  • Access rights are reviewed regularly and revoked promptly upon termination or role change.

  • Administrative access is limited to authorized personnel.


3. Data Security and Encryption

  • Personal Data is encrypted in transit using industry-standard transport encryption (e.g., TLS).

  • Encryption keys are securely managed and periodically rotated.

  • Communications with integrations such as Slack and Microsoft Teams occur through secure, authenticated channels.


4. Application and Infrastructure Security

  • Approveit uses Amazon Web Services (AWS) for hosting and follows AWS security best practices.

  • Network security controls include firewalls, filtering, and monitoring.

  • Regular vulnerability scanning is performed, and patches are applied under a documented patch management process.

  • Development, staging, and production environments are logically separated.


5. Logging and Monitoring

  • Approveit logs system activity, access to production systems, and security events.

  • Automated monitoring and alerting mechanisms are in place to detect suspicious activity.

  • Logs are retained for an appropriate period to support security investigations.


6. Data Backup, Availability, and Resilience

  • Regular backups are performed and stored securely.

  • Backup integrity is periodically tested.

  • AWS infrastructure provides redundancy and fault tolerance.

  • Approveit maintains business continuity and disaster recovery measures appropriate for a cloud-based service.


7. Data Minimization and Separation

  • Personal Data is logically segregated by Customer in a multi-tenant environment.

  • Production data is not used for development or testing.

  • Personal Data is retained only as long as necessary to provide the Services or as required by law.


8. Incident Response

  • Approveit maintains a documented incident response plan.

  • Security incidents are promptly investigated and remediated.

  • Customers are notified in accordance with Section 2.5 of the Addendum.


9. Vendor and Subprocessor Management

  • Subprocessors undergo security and privacy due diligence before engagement.

  • Approveit requires Subprocessors to implement security measures no less protective than those described in this Exhibit.

  • Subprocessor compliance is reviewed periodically.


10. Physical Security

  • Physical security of data centers is ensured by AWS and includes industry-standard measures such as access controls, monitoring, and environmental protections.

  • Approveit does not operate its own data centers.

Exhibit 1 — Details of the Data Processing

1. Subject Matter
Processing of Personal Data as necessary to provide, operate, maintain, and support the Approveit Service in accordance with the Agreement and this Addendum.


2. Duration
For the term of the Agreement and until all Personal Data is deleted or returned in accordance with Section 6 of the Addendum.


3. Nature of the Processing
Approveit processes Personal Data as required to provide the Services, including:

  • receiving, storing, and transmitting approval requests;

  • enabling approval workflows inside integrated platforms (such as Slack);

  • displaying workflow-related information to users;

  • maintaining logs, metadata, and audit trails;

  • securing, backing up, and updating the Service;

  • deleting or returning data upon termination.


4. Purpose of the Processing
To enable the Customer to create, manage, and automate approval workflows and related communication within the Approveit Service.


5. Categories of Personal Data
Personal Data processed may include, as applicable:

  • name, display name, username, or nickname;

  • workplace information (e.g., team, department);

  • identifiers provided by integrated platforms (e.g., Slack user ID);

  • content of approval requests and workflow messages;

  • timestamps (e.g., creation time, approval time);

  • usage logs and metadata necessary for service functionality and security.


6. Categories of Data Subjects
Personal Data relates to:

  • Customer’s employees, contractors, and other authorized users of the Approveit Service;

  • individuals whose data is included in approval workflows submitted by the Customer.
