Legal Notice & Data Processing Addendum
Last updated: 2026-02-16
Legal notice
| Trading name | EXERION |
|---|---|
| Operator | EXERION |
| Country of operation | Lithuania (European Union) |
| Website | https://exerion.io |
| Contact | Via the contact form at exerion.io |
EXERION is a capability architecture firm operating under Lithuanian law. All inquiries, including legal notices and data protection requests, should be directed via the contact form on this website.
Disclaimer
The content published on exerion.io is provided for informational purposes only. Nothing on this website constitutes legal, financial, tax, or investment advice, nor does it create any advisory or fiduciary relationship between EXERION and the reader.
EXERION makes reasonable efforts to ensure the accuracy and currency of information on this site but makes no warranties, express or implied, as to its completeness or fitness for any particular purpose. We accept no liability for decisions made in reliance on content published here.
Links to third-party websites are provided for convenience only. EXERION does not endorse, control, or accept responsibility for the content of linked sites.
Intellectual property
All content on this website — including text, graphics, logos, layout, and code — is the intellectual property of EXERION unless otherwise stated.
© EXERION. All rights reserved.
You may not reproduce, distribute, adapt, or republish any content from this site without prior written permission from EXERION. Brief quotation with attribution for journalistic or editorial purposes is permitted provided a link back to the original page is included.
Data Processing Addendum
This Data Processing Addendum ("DPA") applies where EXERION processes personal data on behalf of an enterprise client ("Controller") in the course of delivering its services. It supplements any master services agreement or statement of work in place between the parties.
Scope and role
Where EXERION acts as a data processor under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), it will process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law; in such a case, EXERION shall inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure on important grounds of public interest.
Confidentiality
EXERION ensures that persons authorised to process the Controller's personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Technical and organisational measures
EXERION implements and maintains appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
Sub-processors
EXERION engages sub-processors only where necessary for the performance of services and will not engage a new sub-processor without giving the Controller reasonable prior notice and the opportunity to object. Current approved sub-processors whose infrastructure may be used in the delivery of client services include:
- HubSpot, Inc. — CRM and communications, operating from EU region infrastructure.
- Google Cloud (EU regions) — Infrastructure and productivity tooling, operated from European Union data centres.
EXERION will impose data protection obligations on each sub-processor by way of a contract that provides equivalent data protection guarantees to those set out in this DPA.
Data subject rights
EXERION will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.
Breach notification
EXERION will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, providing sufficient information to allow the Controller to meet any obligations to notify supervisory authorities or affected data subjects.
Deletion on termination
Upon termination or expiry of the relevant services agreement, EXERION will, at the Controller's choice, delete or return all personal data processed on the Controller's behalf, and delete existing copies unless Union or Member State law requires storage of the personal data.
DPA inquiries
Enterprise clients seeking to execute a signed DPA, or with questions about our data processing practices in the context of a specific engagement, should contact us via the form on this site. We will respond within 5 business days.