Apnotic, LLC Data Processing Agreement
Thank you for using Password Pusher by Apnotic, LLC!
Apnotic, LLC is a US based company. Processing and storing data in a secure, fair, and transparent way is extremely important to us. Apnotic also offers an EU data region for customers requiring European data residency — see eu.pwpush.com.
This Data Processing Agreement ("DPA") is an addendum to the Terms of Service between Apnotic, LLC and the customer.
If you are accepting this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.
These service terms incorporate the Apnotic, LLC Data Processing Agreement ("DPA"), when applicable data protection laws apply to your use of Apnotic, LLC services as defined in the DPA. We protect and secure your data to the high standards set out in the agreement.
Scope and Applicability
This DPA applies exclusively to customers using the hosted Password Pusher service (us.pwpush.com or eu.pwpush.com), where Apnotic, LLC operates as a data processor on behalf of the customer.
This DPA does not apply to self-hosted Password Pusher Pro customers. When you deploy Password Pusher Pro on your own infrastructure, Apnotic acts solely as a software licensor — not a data processor. Your application data (pushes, requests, files, user accounts, audit logs) is processed entirely on your infrastructure and never touches Apnotic systems. The only personal data Apnotic holds for self-hosted customers is basic license purchaser contact information (name, email address, company name) used for account management and license fulfillment. Apnotic does not sign DPAs for self-hosted deployments because no data processing relationship exists. See our Self-Hosted Data Architecture document for a detailed breakdown of data responsibilities.
Definitions
"You" or "customer" refers to the company or organization that signs up to use Password Pusher.
"Apnotic" refers to Apnotic, LLC, a Wyoming limited liability company.
"Password Pusher" or "service" refers to the hosted service created and operated by Apnotic, LLC, available at https://us.pwpush.com, which is being used by the customer.
"Digital Ocean" refers to the cloud infrastructure provider used by Apnotic, LLC to host and manage data storage and databases for the Password Pusher service.
"Push" refers to a unique, self-deleting, one-time URL generated by the Password Pusher service for securely sharing sensitive information, such as passwords or secrets, with designated recipients.
"Request" refers to a one-time, self-deleting secure upload URL provided by the Password Pusher service, allowing a user to submit sensitive information to be stored as a push.
"Account Data" refers to the personal data provided during registration and subscription management, including name, email address, company name, and billing information.
"Application Data" refers to push and request payloads, uploaded files, metadata, and audit logs created by end users of the service.
In the course of providing the Password Pusher service to customer pursuant to the agreement, Apnotic, LLC may process both Account Data and Application Data on behalf of customer.
In this Data Processing Agreement ("DPA"), "Data Protection Legislation" means all applicable federal, state, and international laws relating to the processing of personal data and privacy, including but not limited to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR) where applicable.
"data controller", "data processor", "data subject", "personal data" and "processing" shall be interpreted in accordance with applicable Data Protection Legislation.
The parties agree that customer is the data controller and that Apnotic, LLC is its data processor in relation to data that is processed in the course of providing the service.
Data Scope
Apnotic, LLC processes the following categories of personal data on behalf of hosted service customers:
| Data Category | Examples | Purpose | Retention |
|---|---|---|---|
| Account Data | Name, email, company name, billing details | Account management, subscription fulfillment, support | Duration of the customer relationship, plus any legally required retention period |
| Application Data | Push/request payloads, uploaded files, metadata | Core service delivery | Ephemeral — auto-expires by view count or time limit as configured by the customer; encrypted payload is cryptographically destroyed upon expiry |
| Audit Logs | Push lifecycle events (created, viewed, expired) | Security and compliance | Retained according to account settings |
Privacy and security of your data
We take many measures to protect and secure your data through backups, redundancies, and encryption. When you use our service, Apnotic will collect information provided to Password Pusher through registration, subscriptions, pushes and requests.
You entrust us with your data and we take that trust to heart. You agree that Apnotic may process your data as described in our data policy and for no other purpose. We do our best to deserve that trust by being open about who we are, how we work, and keeping an open door to your feedback.
You own all right, title, and interest to your data. We obtain no rights from you to your data. When using Password Pusher, you 100% own and control all of your data. We don't sell or share your data to any third-parties.
We minimize data collection in general and aim to hold data provided in pushes and requests for as little time as possible; however, the retention period is ultimately determined by the expiration limits set by the customer.
You can find more information about our processing of your data and what types/categories of data we collect on your behalf in our publicly available privacy policy.
Organizational and technical security measures
All of the data that we host is kept fully secured and encrypted on DigitalOcean infrastructure in the United States.
For encryption, we use https in transit and the AES-GCM algorithm with 256-bit keys to store push and request contents in the database. Further, the hosting provider Digital Ocean encrypts data at rest using:
Spaces (file storage): Data at rest is encrypted (AES-256, industry standard).
Managed Databases: Data at rest is encrypted with LUKS (AES-XTS-PLAIN64:SHA256, 512-bit key); backups use AES-256-CTR with HMAC-SHA256 and RSA-encrypted keys.
In addition to this, we use strict firewall rules and private networking.
Password Pusher is largely open source software which means that our source code is available and accessible on GitHub so anyone can check it out and audit it. You can read it, inspect it and review it to understand how it works and to ensure it keeps the data private and secure.
With a long history dating back to its inception in 2011 and more than 2,500 GitHub stars, there are a lot of eyes on our code. This transparency and openness, built over many years, means that open source products like Password Pusher can be more trustworthy than proprietary and closed source products.
Our software is updated several times per week and we also have a way for people to report any security vulnerabilities.
A more detailed overview about our security practices can be found on https://docs.pwpush.com/docs/security/
Processor's obligations with respect to the controller
Apnotic, LLC will process data only in accordance with instructions from customer through the settings of the service, i.e. (a) to operate, maintain and support the infrastructure used to provide the service; (b) to comply with customer's instructions and processing instructions in their use, management and administration of the service; (c) as otherwise instructed through settings of the service. Apnotic, LLC will only process data in accordance with the agreement.
Apnotic, LLC shall notify customer without undue delay if, in Apnotic's opinion, an instruction for the processing of data given by customer infringes applicable Data Protection Legislation.
Apnotic, LLC shall guarantee the confidentiality of data processed hereunder.
We as humans can access your data to help you with support requests you make and to maintain and safeguard Apnotic, LLC to ensure the security of your data and the service as a whole. Apnotic, LLC shall ensure that all Apnotic, LLC personnel required to access the data are informed of the confidential nature of the data and comply with the obligations sets out in this agreement.
Under no circumstances will Apnotic or any of its employees directly access the sensitive payload of a push or request unless compelled to do so by a valid legal order. It is Apnotic's internal policy to never access the sensitive content of pushes and requests under any circumstances, including when requested by the customer.
Apnotic, LLC shall implement and maintain appropriate technical and organizational security measures designed to protect the data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the data and having regard to the nature of the data which is to be protected.
We do work with sub-processors. With each vendor, we assess their commitment to privacy and maintain a data processing agreement with them. Any such subcontractors will be permitted to process data only to deliver the services Apnotic, LLC has retained them to provide, and they shall be prohibited from using data for any other purpose. Apnotic, LLC shall notify the controller when modifying the list of subprocessors using our in-app notifications, email and/or blog. The controller is able to legitimately object and may terminate the agreement.
You can find the list of cloud services and third party services that we use in our privacy policy.
If Apnotic, LLC becomes aware of any accidental, unauthorized or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by Apnotic, LLC in the course of providing the service, it shall without undue delay (not later than 72 hours after having become aware of it), notify customer by email and provide customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. Apnotic, LLC shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
Apnotic, LLC shall not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance to the data retention rules associated to the controller subscription plan.
Apnotic, LLC shall assist the controller in complying with the obligations concerning the security of personal data. Where a data subject asserts their rights as a data subject, this request will be forwarded to the controller without delay.
Audits
Customer may audit Apnotic's compliance with this DPA subject to the following conditions:
Audits are limited to once per calendar year, with at least 30 days' prior written notice.
Audits shall be conducted during normal business hours and shall not unreasonably interfere with Apnotic's operations.
The requesting party bears the costs of any audit, including reasonable costs incurred by Apnotic in facilitating the audit.
Where possible, Apnotic may satisfy audit requests by providing existing documentation, certifications, or third-party audit reports rather than granting on-site access.
How we handle delete instructions
You can choose to delete your account and delete your data at any time. We provide simple no-questions-asked deletion.
All your data will be permanently deleted immediately when you delete your Password Pusher account. We cannot recover this information once it has been permanently deleted.
Customer undertakings and Apnotic, LLC assistance
Customer warrants that it has all necessary rights to provide to Apnotic, LLC the data for processing in connection with the provision of the Apnotic, LLC Services.
Customer shall comply at all times with applicable Data Protection Legislation in respect of all data it provided to Apnotic, LLC pursuant to the Agreement.
Customer understands, as a controller, that it is responsible (as between customer and Apnotic, LLC) for:
determining the lawfulness of any processing, performing any required data protection impact assessments, and accounting to regulators and individuals, as may be needed;
providing relevant privacy notices to data subjects as may be required in your jurisdiction;
implementing your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this DPA;
notifying any relevant regulators or authorities of any incident as may be required by law in your jurisdiction.
Liability and Indemnity
Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.
Each party's total aggregate liability under or in connection with this DPA shall not exceed the total fees paid or payable by the customer to Apnotic in the twelve (12) months immediately preceding the event giving rise to the claim. This limitation applies regardless of the form of action, whether in contract, tort, strict liability, or otherwise.
This limitation does not apply to liability arising from a party's wilful misconduct or gross negligence, or to the extent prohibited by applicable law.
Duration and Termination
The DPA is effective as of May 5, 2026 and replaces and supersedes any previously agreed data processing agreement between you and Apnotic, LLC.
Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.
Self-Hosted Password Pusher Pro — DPA Not Applicable
Apnotic does not sign DPAs for self-hosted Password Pusher Pro deployments.
When you purchase a self-hosted license for Password Pusher Pro, Apnotic's role is that of a software licensor — comparable to purchasing server software from any major vendor for on-premises deployment. No data processing relationship exists between Apnotic and the self-hosted customer's end users.
Specifically:
No Application Data is transmitted to Apnotic. All pushes, requests, files, user accounts, and audit logs remain entirely on the customer's infrastructure.
No access to customer systems. Apnotic has no ability to access, view, or process any data on the customer's deployment.
License validation is cryptographic only. The license check verifies a cryptographic signature — no user data or application content is transmitted.
The only personal data Apnotic holds is the license purchaser's contact information (name, email, company name) for account management and license fulfillment. This is a standard commercial relationship, not a data processing arrangement.
Because Apnotic does not process customer data in any capacity for self-hosted deployments, a DPA is neither applicable nor appropriate. Enterprise customers requiring DPA execution with their software vendors for self-hosted products should review our Self-Hosted Data Architecture document, which provides the technical documentation needed for procurement and legal review.
Are customers required to sign the Apnotic, LLC DPA?
For hosted service customers (us.pwpush.com or eu.pwpush.com): by using our product you are agreeing to our terms of service, and you are automatically accepting our DPA. You do not need to sign a separate document. We provide the same privacy rights and protection to all hosted service customers.
For self-hosted customers: a DPA is not applicable. See the section above.
Custom DPA Execution
Apnotic's standard DPA is publicly available and automatically accepted through our Terms of Service. For hosted service customers whose organization requires a countersigned or individually negotiated DPA, Apnotic offers custom DPA execution as a compliance administration service.
Due to the legal review, scoping, and administrative effort involved, a one-time compliance administration fee applies. The fee depends on complexity and scope — contact support@pwpush.com for details.
Custom DPA execution is available for hosted service customers only. As described in this document, Apnotic does not sign DPAs for self-hosted deployments.
Can a customer share the Apnotic, LLC DPA with its customers?
Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.
Do customers need to notify anyone upon accepting our DPA?
No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.
Contact Us
If you have a question about the Data Processing Agreement (DPA), please contact us.
If you have any questions or concerns regarding your information and personal data, please contact us at privacy@pwpush.com.
Last updated: May 5, 2026