Data Processing Agreement
Last updated: May 26, 2026
How to use this document
This is Aptoria's standard Data Processing Agreement. Corporate customers commonly counter-sign their own template; we'll review and respond within 5 business days. To request a counter-signed copy, email legal@aptoria.ai with your company name and the email of the signatory.
1. Definitions
"Aptoria" means Aptoria LLC, a limited-liability company that operates the Aptoria platform and acts as the data processor under this Agreement. "Customer" means the entity that has signed up for an Aptoria account. "Personal Data" has the meaning given in applicable data-protection law (GDPR, CCPA/CPRA, UK GDPR). "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and erasure. "Subprocessor" means a third party engaged by Aptoria to process Personal Data on Customer's behalf (listed in Schedule A below).
2. Scope and roles
Customer is the Controller of Personal Data submitted to the Service. Aptoria is the Processor. Aptoria will process Personal Data only on documented instructions from Customer (the Service's intended functionality constitutes such instructions).
3. Customer obligations
Customer warrants that it has a lawful basis to provide Personal Data to Aptoria and that it has all necessary notices and consents in place (including, where applicable, notice to tenants whose data is uploaded to the Service).
4. Security measures
Aptoria maintains the following technical and organizational measures: encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+); role-based access controls; row-level security policies on every multi-tenant database table; mandatory MFA for staff accounts with production access; centralized audit logging; least-privilege service-role credentials; quarterly access reviews; and a documented incident response procedure.
5. Subprocessors
Customer authorizes Aptoria to engage the subprocessors listed in Schedule A below. Aptoria will notify Customer at least 30 days before adding or replacing a subprocessor (via email to the account owner and a dated change to this document). Customer may terminate the Service if it reasonably objects to a new subprocessor.
6. International data transfers
Personal Data is stored in the United States. Where Personal Data originates from the EEA, UK, or Switzerland, Aptoria relies on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum as the transfer mechanism. Subprocessors that operate outside the United States execute the equivalent SCCs.
7. Data subject rights
Aptoria provides Customer with the means to respond to data subject access, correction, deletion, and portability requests through the Service's account-export and account-deletion features. Aptoria will assist Customer with requests it cannot fulfill directly, at no additional charge.
8. Personal Data breach notification
Aptoria will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any confirmed Personal Data breach affecting Customer's data. Notification includes: nature of the breach, categories and approximate number of records, likely consequences, and measures taken.
9. Audits
Once per calendar year, on at least 30 days' written notice, Customer may audit Aptoria's compliance with this DPA. Aptoria will respond to questionnaires (e.g. SIG, CAIQ) and may, at its discretion, provide a then-current third-party audit report in lieu of an on-site audit.
10. Return or deletion
On termination of the Service, Aptoria will return Customer's Personal Data via export and delete it from production systems within 30 days. Backups are overwritten on the standard retention cycle (within 90 days).
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the underlying Terms of Service between Customer and Aptoria.
Schedule A — Subprocessors (current)
Supabase, Inc.
Purpose: Application database, authentication, file storage
Data: Account, tenant, lease, payment, message, document
Region: United States (US-East)
Stripe, Inc.
Purpose: Payment processing (rent collection), owner ACH payouts, subscription billing
Data: Payment instrument tokens, transaction metadata
Region: United States
Plaid, Inc.
Purpose: Bank account verification + ACH transactions
Data: Bank account details (tokenized), institution metadata
Region: United States
OpenAI, L.L.C.
Purpose: AI assistant + agent drafting + document classification
Data: Lease text, message content, property metadata (sent to inference API; not used for model training per OpenAI API terms)
Region: United States
Resend (Resend, Inc.)
Purpose: Transactional email delivery
Data: Email addresses, message subject + body, delivery status
Region: United States
Twilio Inc.
Purpose: SMS notifications + 2FA codes
Data: Phone numbers, message content, delivery status
Region: United States
DocuSign, Inc.
Purpose: Optional electronic signature on lease documents (when configured by landlord)
Data: Lease document, signer name + email, signature audit trail
Region: United States
Vercel Inc.
Purpose: Web application hosting + edge function execution
Data: Request logs (IP, user-agent, route, response code), no payload bodies
Region: Global edge network; US primary
This template is provided for procurement review. The legally binding agreement is the one signed by an authorized representative of Aptoria. Changes to subprocessors are notified 30 days in advance via the email on file for the account owner.