Data Processing Addendum
This Data Processing Addendum (the "DPA") supplements the Terms of Service and the Privacy Policy and applies whenever Apertture processes personal data of users located in the European Economic Area, the United Kingdom, or Switzerland. It sets out the commitments we make to those users under the GDPR, the UK GDPR and the Swiss Federal Act on Data Protection, identifies our sub-processors, and describes the safeguards that apply to international data transfers.
1. Scope and Roles
Apertture is the controller of personal data processed through the Service, as described in the Privacy Policy. The vendors listed in Section 4 act as our processors (or sub-processors) and process personal data on documented instructions from Apertture.
This DPA is incorporated into and forms part of the Terms of Service. If you are acting on behalf of an organisation that uses the Service, references to "you" include that organisation. Capitalised terms not defined here have the meaning given in the Privacy Policy.
2. Subject Matter, Duration, Nature and Purpose
Subject matter: processing of personal data to provide and operate the Service (account, portfolio, brief delivery, billing).
Duration: for the duration of your account, plus the retention periods set out in Section 7 of the Privacy Policy.
Nature: collection, storage, retrieval, analysis, transmission, hosting, and deletion of personal data.
Purpose: to deliver the Service, secure it, comply with law, and improve it on a de-identified basis. We do not use personal data for advertising or sell it.
3. Categories of Personal Data and Data Subjects
Data subjects: individual users who create an Apertture account.
Categories of personal data processed: identifiers (email, optional display name), authentication data, locale and delivery preferences, jurisdiction, optional Telegram chat identifier, portfolio inputs (tickers, quantities, transactions, notes), Service-generated outputs (briefs, engagement, agent logs), security and error logs, and payment metadata (token, last four digits, plan, subscription status).
We do not knowingly process special categories of personal data within the meaning of Article 9 GDPR.
4. Sub-processors
We engage the following sub-processors to operate the Service. Each is bound by a contract that imposes data-protection obligations no less protective than this DPA. The current list:
- Supabase, Inc. — managed Postgres database and authentication — United States — controller-processor terms incorporating EU SCCs.
- Vercel, Inc. — web hosting and edge delivery — United States with global edge — Data Processing Addendum incorporating EU SCCs.
- Railway Corp. — application hosting for the agent engine — United States — Data Processing Addendum incorporating EU SCCs.
- Resend, Inc. — transactional email delivery — United States — Data Processing Addendum incorporating EU SCCs.
- Polygon.io (Polygon LLC) — market data — United States — limited to ticker symbols submitted from server side; no personal identifiers transmitted.
- Anthropic PBC — large language model inference for agent outputs — United States — Commercial Terms incorporating data-protection obligations; inputs are not used to train Anthropic's foundation models.
- Stripe, Inc. — payment processing — United States; Stripe Payments Europe Ltd. (Ireland) handles EU/EEA cardholders — Data Processing Addendum incorporating EU SCCs.
- Hostinger International Ltd. — inbound email hosting for the apertture.com domain — Cyprus / European Union — adequate jurisdiction.
- Cloudflare, Inc. — DNS and edge security where applicable — United States with global edge — Data Processing Addendum incorporating EU SCCs.
5. International Data Transfers
Some sub-processors are located in the United States or other jurisdictions outside the European Economic Area, the United Kingdom, and Switzerland. Where personal data is transferred to such a jurisdiction, we rely on:
- The European Commission's Standard Contractual Clauses (Module 2 — controller to processor; Module 3 — processor to processor as applicable), Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- The United Kingdom's International Data Transfer Addendum to the EU SCCs (the "UK Addendum"), issued by the Information Commissioner under section 119A of the Data Protection Act 2018 and in force since 21 March 2022.
- The EU SCCs as adapted for Switzerland in line with the guidance of the Swiss Federal Data Protection and Information Commissioner (FDPIC), for transfers subject to the Swiss Federal Act on Data Protection.
Where the recipient is certified under the EU-U.S. Data Privacy Framework (including, as applicable, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework), we additionally rely on that adequacy decision.
We have completed transfer impact assessments for our principal sub-processors and apply supplementary measures (encryption in transit and at rest, role-based access controls, audit logging, contractual onward-transfer restrictions) where required.
6. Security Measures
We implement appropriate technical and organisational measures under Article 32 GDPR, including:
- Encryption in transit (TLS 1.2+) and at rest for stored personal data.
- Role-based access control to production data; production access is limited to authorised personnel with multi-factor authentication.
- Network isolation between the public web application, the engine workers, and the database, with secrets stored in a managed secret store.
- Audit logs of administrative actions, retained as set out in the Privacy Policy.
- Vulnerability monitoring on our dependencies, patched on a risk-based cadence.
- Backups of the database, encrypted, with documented recovery procedures.
- Confidentiality obligations for all personnel, together with periodic security awareness training.
We review these measures periodically and update them as the Service evolves.
7. Personal Data Breach Notification
If we become aware of a personal data breach likely to result in a risk to the rights and freedoms of affected users, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in line with Article 33 GDPR.
Where the breach is likely to result in a high risk, we will also notify affected users without undue delay under Article 34 GDPR.
Notifications will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, a contact point for further information, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects, as required by Article 33(3) GDPR.
8. Assistance with Data Subject Rights
We will assist you in responding to requests from data subjects exercising their rights under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). For Service-generated personal data we hold directly, you can exercise these rights by writing to privacy@apertture.com from the email address on your account; we respond within 30 days.
Apertture does not carry out solely automated decision-making producing legal or similarly significant effects on users.
9. Sub-processor Changes
We will give you at least 30 days' prior notice before engaging a new sub-processor that materially changes the processing of your personal data, by updating this page and emailing affected account holders. You may object to a new sub-processor on reasonable data-protection grounds by writing to privacy@apertture.com; if we cannot accommodate your objection, you may terminate your subscription and receive a pro-rata refund of any pre-paid fees covering the period after termination.
10. Return or Deletion at End of Processing
On termination of your account, we delete or return personal data in line with the retention schedule set out in Section 7 of the Privacy Policy, except where retention is required by law (for example, tax and accounting records).
You may request export of your personal data in a structured, commonly used and machine-readable format at any time by writing to privacy@apertture.com.
11. Audits, Confidentiality and Liability
Audits: as a small B2C service we do not currently undergo third-party audits such as SOC 2 or ISO/IEC 27001. We will respond in good faith to reasonable written questionnaires from EU corporate users on our security and privacy practices and, where available, share the corresponding reports of our principal sub-processors (e.g., Supabase, Vercel, Stripe).
Confidentiality: personnel with access to personal data are bound by written confidentiality obligations that survive the termination of their engagement.
Liability: each party's liability under this DPA is subject to the limitations set out in the Terms of Service, except as otherwise required by applicable law.
12. Term, Conflicts and Contact
Term: this DPA applies for as long as we process personal data on your behalf or in connection with your account.
Conflicts: if there is any conflict between this DPA and the Terms of Service or Privacy Policy with respect to the processing of personal data under EU/UK/Swiss law, this DPA prevails.
Contact: questions about this DPA, requests for the sub-processor list, or to exercise GDPR rights — privacy@apertture.com.