Data Processing Agreement

‍

This Data Processing Agreement (“DPA”) is incorporated by reference into the Aptly Terms of Service or other master agreement governing the use of the Aptly platform (the “Agreement”). This DPA applies where Aptly, Inc. (“Provider”) Processes Customer Personal Data on behalf of the Customer.

This is Provider's standard Data Processing Agreement. It applies automatically if Customers use the Provider platform and have not signed a separate DPA with Aptly.

1. Structure of this DPA

This DPA consists of:

1. The Key Terms set forth below, and
2. The Common Paper Data Processing Agreement Standard Terms (Version 1.0), incorporated by reference.

If there is any conflict between the Key Terms and the Standard Terms, the Key Terms will control.

2. Key Terms

Approved Subprocessors
List maintained at: https://trust.aptlydone.com/subprocessors

Provider Security Contact
security@aptlydone.com

Security Policy
Aptly Security Policy

DPA Covered Claim
The Agreement includes an additional Provider Covered Claim for any action, proceeding, or claim arising out of or relating to (a) Provider’s breach of this DPA, or (b) Provider’s gross negligence or willful misconduct that results in a Security Incident.

Service Provider Relationship
Where the California Consumer Privacy Act (CCPA) applies, Provider acts as a “service provider.” Provider will not sell or share Customer Personal Data, and will not retain, use, or disclose such data except as necessary to provide the Service, as permitted by law, or as otherwise instructed by Customer.

Restricted Transfers

• EEA Transfers: Governing law – Ireland
• UK Transfers: Governing law – England

3. Annex I(A): Parties

Data Exporter (Customer)

• Role: Controller (or Processor, if acting on behalf of another Controller)

Data Importer (Aptly, Inc.)

• Role: Processor
• Contact: Robin Roberson, Partner
• Address: 600 N Robinson Ave, Oklahoma City, OK 73102, USA

4. Annex I(B): Description of Processing

Service
Aptly provides a multi-tenant SaaS platform that enables organizations to manage delegation of authority, signatory rights, approval limits, and related governance workflows.

Categories of Data Subjects

• Customer employees
• Customer’s end users or clients

Categories of Personal Data

• Name
• Contact details (email, phone number, address)
• Employment identifiers (e.g., employee ID)
• User activity and technical data (e.g., device information, IP address)

Special Category Data
Not intentionally processed.

Processing Activities

• Collecting, accessing, recording, and entering Customer data into the platform
• Storing, organizing, and structuring data for platform functionality
• Providing data access to Customer via reports, exports, APIs, or integrations
• Deleting or returning data upon Customer request or contract termination

Frequency & Duration
Processing is continuous and for the duration of the Agreement, unless otherwise required by law.

5. Annex II: Technical and Organizational Security Measures

See Aptly Security Policy. Key measures include:

• Encryption: TLS 1.2+ in transit, AES-256 at rest (Azure native services).
• Access Controls: Role-based access, SSO + MFA for Aptly personnel and supported for customers.
• Resilience: Redundant hosting, managed backups, disaster recovery on Azure.
• Monitoring: Continuous monitoring (Datadog, Azure) and vulnerability management.
• Governance: Internal security policies, employee training, restricted production access.
• Audit & Certification: Aptly adheres to SOC 2 security protocols and will maintain SOC 2 Type II certification, independently audited on an annual cycle.
• Data Retention: Configurable retention and deletion settings, with secure destruction at end of service.

6. Subprocessors

Provider will only engage Approved Subprocessors as listed at https://trust.aptlydone.com/subprocessors. Provider will give at least 10 business days’ notice of new subprocessors and allow Customer 30 days to object.

7. International Transfers

This DPA incorporates:

• EEA SCCs (Controller–Processor or Processor–Subprocessor, as applicable) under Commission Implementing Decision 2021/914.
• UK Addendum for transfers from the UK.
• Swiss Addendum where Swiss law applies.

8. Security Incident Response

Provider will notify Customer without undue delay, and no later than 72 hours, after becoming aware of a Security Incident. Provider will provide updates and cooperate in investigation and remediation.

9. Audit & Reports

• Audit Rights: Customer may exercise audit rights by requesting current compliance information.
• Reports: On request, Provider will share summary audit reports (e.g., SOC 2).
• Due Diligence: Aptly will complete reasonable security questionnaires annually.

10. Deletion of Data

Upon termination or expiration of the Agreement, Customer Personal Data will be securely deleted or returned upon request, unless retention is required by law.

11. Liability

Liability under this DPA is subject to the limitations of liability set forth in the Agreement.

12. Conflicts

In case of conflict:

1. EEA SCCs / UK Addendum
2. This DPA
3. The Agreement

13. Term

This DPA applies for as long as Provider Processes Customer Personal Data under the Agreement.

14. Definitions

Terms such as “Controller,” “Processor,” “Customer Personal Data,” “Processing,” “Applicable Data Protection Laws,” “Security Incident,” “Subprocessor,” “EEA SCCs,” “UK GDPR,” and “UK Addendum” have the meanings given in Applicable Data Protection Laws or the incorporated Standard Terms.