GDPR processor terms for customer-controlled appeal data.

This page is the public baseline for AppealLayer data processing terms. For production customers, it should be attached to or incorporated into a signed customer agreement or order form.

For customer appeal case data, the customer normally acts as controller and Enstellis SRL acts as processor. Enstellis SRL processes personal data only to provide AppealLayer, follow customer instructions, maintain security, comply with law, and support the customer.

Subject matter

Verified-human appeal workflow infrastructure for automated decisions.

Duration

The contract term plus deletion, return, backup, legal, and security wind-down periods.

Nature and purpose

Hosting, verification workflow support, appeal intake, review workflow, webhooks, audit logs, receipts, and security operations.

Data subjects

Appellants, tenant admins, reviewers, developer contacts, and support contacts.

• decision metadata, appeal token hashes, appeal deadlines, external user references, and customer-provided metadata
• appellant statements, public responses, optional evidence metadata, and case status
• reviewer notes, reviewer identifiers, internal workflow actions, and audit events
• World ID proof status, action, signal hash, and HMAC-derived nullifier digest
• webhook payloads, delivery records, API key prefixes, and tenant configuration

• process customer personal data only under documented instructions unless EU or member-state law requires otherwise
• ensure personnel with access to customer personal data are bound by confidentiality obligations
• apply technical and organizational measures appropriate to the risk
• assist the customer with data subject requests, DPIAs, security, breach response, deletion, and audits where required by GDPR
• notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data
• delete or return customer personal data after service termination unless law requires retention

• tenant-scoped authorization and service-layer isolation
• high-entropy API keys and appeal tokens with hash-only storage
• HMAC-derived nullifier digests instead of raw nullifier storage
• private evidence storage and signed download URLs once evidence upload is enabled
• append-only audit logging for material workflow actions
• webhook HMAC signatures with timestamp replay protection
• environment-secret separation and no raw secrets in source code
• least-privilege platform admin access with sensitive access logging as the product matures

The current subprocessor list is published at /subprocessors. Enstellis SRL should provide prior notice of new production subprocessors and allow reasonable objection rights in signed customer agreements.

If Enstellis SRL transfers customer personal data outside the EEA, it will rely on an EU adequacy decision, Standard Contractual Clauses, or another valid transfer mechanism, plus supplementary measures where required.

Data processing questions: privacy@appeallayer.com.