Data Processing Agreement
Last Updated: February 1, 2026
Parties
This Data Processing Agreement ("DPA") is between:
- Customer ("Controller"): The entity using the Apture platform
- Apture Ltd. ("Processor"): A company registered in Poland
This DPA is incorporated into the Apture Terms of Service and governs data protection matters.
1. Definitions
- Applicable Data Protection Law: GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy laws
- Candidate Data: Personal data relating to candidates whose CVs are uploaded
- Customer Data: All personal data Apture processes on behalf of Customer
- Sub-processor: Third parties engaged by Apture to process Customer Data
2. Scope and Roles
Customer as Controller: Customer determines the purposes and means of processing and is responsible for compliance with data protection laws.
Apture as Processor: Apture processes Customer Data only on behalf of and under documented instructions from Customer.
3. Scope of Processing
Apture processes Customer Data for:
- Resume/CV parsing and AI-powered analysis
- Candidate matching and scoring
- Assessment and recommendation generation
- Storage, retrieval, and service operations
4. AI and Machine Learning Processing
The Service uses third-party AI services (Google Gemini) for natural language processing and candidate analysis.
5. Sub-processors
Current authorized sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Gemini | AI-powered CV analysis | US |
| Supabase | Database & file storage | US |
| AWS | Cloud infrastructure | US |
| Clerk | User authentication | US |
| Stripe | Payment processing | US |
Apture will notify Customer of sub-processor changes with 30 days' notice.
6. Data Subject Rights
Apture assists Customer in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection.
7. Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control and multi-factor authentication
- Network security, firewalls, and intrusion detection
- Regular security monitoring and personnel training
8. Security Incidents
Apture will notify Customer of any confirmed security incident within 72 hours and provide information necessary for Customer's notification obligations.
9. International Data Transfers
For transfers outside the EEA, Apture relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Module Two: Controller to Processor).
10. Data Retention
Customer Data is retained for the duration of the agreement. Upon termination, data can be exported for 30 days, then deleted within 90 days.
11. US State Privacy Laws
For CCPA/CPRA and other US state laws: Apture processes data only for specified purposes, does not "sell" or "share" Customer Data, and assists with consumer rights requests.
12. Contact
Apture Ltd.
Email: support@useapture.com
For enterprise customers requiring a signed DPA, please contact support@useapture.com.