Data Processing Agreement

Last updated: February 20, 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of the agreement between APTCI ("Processor") and the customer ("Controller") using the APTCI platform. It governs the processing of personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applies automatically to all customers subject to GDPR. For a signed copy of this DPA, contact legal@aptci.app.

1. Definitions

  • Controller: The organization or individual using APTCI who determines the purposes and means of processing personal data.
  • Processor: APTCI, which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person contained in the documents, records, or communications uploaded to APTCI.
  • Processing: Any operation performed on Personal Data, including storage, analysis, extraction, and deletion.
  • Sub-processor: Any third-party service provider engaged by APTCI to process Personal Data.

2. Subject Matter and Duration

APTCI processes Personal Data solely to provide the contracted services: document analysis, event extraction, risk identification, claim generation, AI chat, and related features. Processing continues for the duration of the subscription and for a maximum of 30 days after account termination, after which all data is permanently deleted.

3. Nature and Purpose of Processing

  • Storing uploaded documents (PDF, DOCX, images) in encrypted cloud storage.
  • Extracting text from documents for AI analysis.
  • Sending document text to AI providers (Anthropic, OpenAI) to identify events, risks, obligations, and generate summaries.
  • Storing extracted data (events, risks, obligations, claims) in a database linked to the Controller's account.
  • Sending email notifications to users regarding contract deadlines.
  • Generating PDF exports of claims and reports.

4. Categories of Personal Data

The personal data processed depends entirely on what the Controller uploads. This may include:

  • Names and contact details of parties mentioned in contracts, emails, or correspondence.
  • Financial information contained in invoices or payment schedules.
  • Business information including company names, registration numbers, and addresses.
  • Dates and deadlines specified in contractual documents.
  • Account information: name, email, company of APTCI users.

APTCI does not process special categories of data (Article 9 GDPR) such as health, biometric, or criminal data. Controllers should not upload documents containing such data.

5. Processor Obligations

  • Process Personal Data only on documented instructions from the Controller (i.e., to provide the contracted service).
  • Ensure that persons authorized to process data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures (see Security page).
  • Not engage new sub-processors without informing the Controller and providing an opportunity to object.
  • Assist the Controller in responding to requests from data subjects exercising their GDPR rights.
  • Assist the Controller in fulfilling obligations under Articles 32–36 GDPR (security, breach notification, DPIAs).
  • Upon termination, delete or return all Personal Data to the Controller, and delete existing copies.
  • Make available all information necessary to demonstrate compliance and allow for audits.

6. Sub-processors

APTCI uses the following sub-processors, each with appropriate data processing agreements in place:

  Sub-processor   Purpose                                       Location
  Supabase (AWS)  Database, file storage, authentication        EU (Frankfurt)
  Vercel Inc.     Application hosting and delivery              Global (no data stored)
  Anthropic PBC   AI analysis, OCR, chat (text only)            USA (inference only)
  OpenAI LLC      AI fallback, vector embeddings (text only)    USA (inference only)
  Resend Inc.     Transactional email (deadline notifications)  EU
  Stripe Inc.     Payment processing (billing data only)        USA / EU

APTCI will provide 14 days' notice before adding new sub-processors via email or platform notice. If a Controller objects, they may terminate the service without penalty.

7. International Data Transfers

Document text is sent to Anthropic and OpenAI APIs located in the United States for AI processing. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR. No Personal Data is permanently stored outside the EU by these providers — data is transmitted for inference only and not retained.

8. Security Measures

APTCI implements appropriate technical and organizational measures including AES-256 encryption at rest, TLS 1.2+ in transit, Row-Level Security at the database level, private access-controlled file storage, and regular security updates. Full details are available on our Security page.

9. Data Subject Rights

APTCI will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection). Requests from data subjects should be directed to the Controller. If APTCI receives a direct request from a data subject, it will forward the request to the Controller within 5 business days without responding directly, unless required by law.

10. Data Breach Notification

In the event of a Personal Data breach affecting the Controller's data, APTCI will notify the Controller without undue delay and within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and volume of data affected, likely consequences, and measures taken or proposed.

11. Audits

The Controller may request, with 30 days' written notice, an audit of APTCI's data processing activities relevant to this DPA. APTCI may satisfy audit requirements by providing up-to-date third-party certifications (SOC 2, ISO 27001) obtained by its infrastructure providers. On-site audits may be conducted once per year at the Controller's expense.

12. Signed DPA

This page represents APTCI's standard DPA terms and is incorporated by reference into the Terms of Service. For Enterprise customers requiring a countersigned DPA document, please contact legal@aptci.app. We process DPA signature requests within 5 business days.