Data Processing Agreement

Last updated: 8 May 2026

What this is: This agreement sets out the responsibilities of Aptly (as data processor) and you, the Aptly user (as data controller), when personal data belonging to candidates is processed through the Aptly platform. By creating an Aptly account, you agree to these terms.

Data Processor

Black Wolf Analytics (Pty) Ltd

Operating as Aptly
hello@aptly.pro
39 Kingsway Crescent, Hermanus, Western Cape, South Africa, 7201
Billing entity: Black Wolf Analytics LLC, Wyoming, USA

Data Controller

You — the registered Aptly user

The individual or organisation that has created an Aptly account and uses the platform to process candidate personal data on their own behalf or on behalf of their clients.

1. Definitions

"Personal data" means any information relating to an identified or identifiable natural person. In the context of this Agreement, this is primarily candidate names, email addresses, and CV content.

"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

"Data controller" means the party that determines the purposes and means of processing personal data. In this Agreement, that is you.

"Data processor" means the party that processes personal data on behalf of the data controller. In this Agreement, that is Aptly.

"Data subject" means the individual whose personal data is being processed. In this context, that is a job candidate whose CV has been uploaded to Aptly.

"Sub-processor" means any third party engaged by Aptly to assist in processing personal data.

"Applicable law" means the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR) or UK GDPR.

"EEA" means the European Economic Area, which comprises the member states of the European Union together with Iceland, Liechtenstein, and Norway.

"Restricted Transfer" means a transfer of personal data from within the EEA or the United Kingdom to a country that has not been granted an adequacy decision by the European Commission or the UK government.

"Standard Contractual Clauses" (SCCs) means the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries, as approved under Commission Implementing Decision (EU) 2021/914, together with the UK Addendum where the UK GDPR applies.

2. Nature and purpose of processing

Aptly processes candidate personal data for the following purpose: to provide AI-powered CV screening, candidate ranking, candidate database management, and recruitment communication tools on behalf of the Controller.

Processing activities include:

Extracting text from candidate CV files (PDF and Word documents)
Transmitting extracted CV text to the Anthropic Claude API for AI analysis and scoring
Storing candidate names, email addresses, and extracted CV text in a candidate database within the Controller's account
Generating and storing AI-produced screening results — scores, verdicts, match reasoning, and gap analysis
Facilitating the sending of emails to candidates via the Resend API on the Controller's instruction
Presenting candidate data to the Controller and, where the Controller enables the share link feature, to designated third parties (e.g. hiring managers)

3. Categories of personal data and data subjects

Category	Data subjects	Data processed
Candidates	Job applicants whose CVs are uploaded by the Controller	Name, email address, CV text, AI-generated scoring and reasoning
Account users	Recruiters and hiring professionals registered on Aptly	Name, email address, company name, account activity
Hiring managers	Third parties granted access to a shared shortlist link	Name (if provided when leaving a comment), comment text

4. Aptly's obligations as data processor

Aptly agrees to:

Process personal data only on the documented instructions of the Controller and only for the purposes described in this Agreement
Ensure that authorised personnel are bound by appropriate confidentiality obligations
Implement and maintain appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, or destruction
Not engage sub-processors without the Controller's general authorisation (see Section 6) and without imposing equivalent data protection obligations on those sub-processors
Assist the Controller in fulfilling data subject rights requests in relation to personal data held on Aptly's platform, to the extent technically possible
Assist the Controller in meeting its obligations relating to security, breach notification, and data protection impact assessments
Delete or return all personal data to the Controller upon termination of the service, at the Controller's choice, subject to any legal retention obligations
Make available reasonable documentation of compliance with this Agreement on the Controller's request, including any available SOC 2 reports or equivalent self-attestations. On-site or third-party audits are available only to enterprise customers under a separate written agreement, at the Controller's expense and on reasonable notice.
Where any sub-processor is located outside the EEA or the United Kingdom, ensure that appropriate safeguards under GDPR Article 46 (or equivalent UK GDPR provisions) are in place for any Restricted Transfer, including Standard Contractual Clauses where required
Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data

5. Your obligations as data controller

By using Aptly to process candidate personal data, you confirm that:

You have an appropriate legal basis under applicable law to process each candidate's personal data — for example, legitimate interests in evaluating candidates for a role, or the candidate's consent
Where required by applicable law, you have informed candidates that their data may be processed by an AI-powered screening platform and may be stored in a talent database
You will respond to any data subject access, correction, or deletion requests made by candidates directly to you, and will use the tools provided by Aptly to fulfil deletion requests where required
You will not upload special categories of personal data (such as health, biometric, or criminal conviction data) to the platform unless you have explicit consent and a clear legal basis for doing so
You will comply with all applicable data protection laws in your jurisdiction when using the Aptly platform
You are responsible for the accuracy and lawfulness of any emails sent to candidates via the Aptly platform

6. Sub-processors

By accepting this Agreement, you authorise Aptly to use the following sub-processors. Aptly will ensure each sub-processor is bound by data protection obligations no less stringent than those in this Agreement.

Aptly's data hosting is located within the EEA (Frankfurt, Germany). Where a sub-processor is located outside the EEA or the United Kingdom, the relevant transfer is a Restricted Transfer and is covered by Standard Contractual Clauses (SCCs) signed between Aptly and that sub-processor, as set out in the Transfer mechanism column of the table below. Aptly has reviewed the SCC modules published by each non-EEA sub-processor and accepted them as a condition of using their services.

Sub-processor	Purpose	Location	Transfer mechanism
Anthropic api.anthropic.com	AI processing of CV text and job specifications to generate candidate screening results	United States	Standard Contractual Clauses (SCCs)
OpenAI api.openai.com	Vector embedding generation for candidate database semantic search (text-embedding-3-small model). Data not used for model training per OpenAI API terms.	United States	Standard Contractual Clauses (SCCs)
Render.com render.com	Cloud hosting, application infrastructure, and PostgreSQL database storage	Germany (Frankfurt)	EU/EEA, no transfer mechanism required
Resend resend.com	Transactional email delivery to candidates and account users	United States	Standard Contractual Clauses (SCCs)
PostHog posthog.com	Product analytics, only loaded if the user consents via the cookie banner	European Union	EU/EEA, no transfer mechanism required
Stripe stripe.com	Payment processing for Aptly subscriptions and top-up purchases. Stripe is contracted via Aptly's affiliate Black Wolf Analytics LLC (Wyoming, USA).	United States	Standard Contractual Clauses (SCCs)

Aptly will notify the Controller of any intended addition or replacement of a sub-processor by updating this Agreement and giving at least 30 days' notice where operationally possible.

The Controller may object to a proposed sub-processor change on reasonable data-protection grounds within 30 days of notification. Where Aptly is unable to accommodate the objection, the Controller may terminate this Agreement and the related Aptly subscription on written notice, and Aptly will refund any pre-paid subscription fees covering the period after the termination date. Continued use of the Aptly platform after the 30-day notice period without objection constitutes acceptance.

7. Data subject rights

If a candidate contacts Aptly directly requesting access to, correction of, or deletion of their personal data, Aptly will:

Forward the request to the relevant Controller (registered user) within 5 business days
Assist the Controller in fulfilling the request using the deletion and management tools within the platform
Where the Controller cannot be reached or the data relates to an inactive account, action the deletion directly within 30 days of receiving the request

Candidates wishing to exercise their rights may contact Aptly at hello@aptly.pro.

8. Security measures

Aptly implements the following security measures to protect personal data:

All data in transit is encrypted using TLS 1.2 or higher
Database access is restricted to authenticated application processes only
User passwords are hashed using bcrypt. Plain-text passwords are never stored.
Authentication uses JSON Web Tokens (JWT) with expiry
The platform and its PostgreSQL database are hosted on Render.com in the Frankfurt (EU Central) region. Render is SOC 2 Type II certified and ISO 27001 certified; see Render's security and compliance page for their current attestations.
Raw CV files are processed in memory and are not written to persistent storage
Access to production systems is restricted to authorised personnel only
Customer data is stored within the EEA. Any processing performed by sub-processors located outside the EEA or the United Kingdom is covered by Standard Contractual Clauses, as set out in section 6.

For a fuller technical summary of Aptly's security posture, including data flow on the API path, sub-processor chain, and incident response, see our Security overview.

9. Data retention and deletion

Candidate personal data stored on Aptly is retained until the Controller deletes it. There is no automatic deletion schedule for Controller-managed records. The Controller may delete individual candidate records, screenings, or their entire account at any time.

On termination of this DPA, or on receipt of a verified deletion request from the Controller, Aptly will deactivate the account immediately. All account data, candidate records, screenings, applications, and associated personal data will be hard-deleted from the production database within 30 days of the deactivation request. Hard deletion is currently performed by Aptly's operations team on a regular schedule. Backups containing the data are retained for up to 7 days under Render's standard policy and are deleted as they roll out of that window.

Aptly may retain a minimal record of the account's existence (organisation name, deletion timestamp, billing references) where required to comply with legal or financial obligations, including records required by Stripe for payment dispute handling and records required by South African tax law.

Anthropic, OpenAI, Render, and Resend may retain logs for their own standard retention periods as set out in their respective privacy policies. Aptly does not control these retention windows.

On termination of the service by either party, Aptly will provide the Controller with a reasonable opportunity to export their data before deletion, unless the account has been suspended for breach of terms.

10. Data breaches

In the event of a personal data breach affecting the Controller's data, Aptly will:

Notify the Controller at the registered account email address without undue delay and, where feasible, within 72 hours of becoming aware of the breach
Provide sufficient information for the Controller to meet any notification obligations to regulators or data subjects under applicable law
Take reasonable steps to contain and remediate the breach and keep the Controller informed of progress

11. Liability

Aptly's liability under this Agreement is limited to direct damages caused by a material breach of this Agreement by Aptly, and shall not exceed the total fees paid by the Controller to Aptly in the 12 months preceding the event giving rise to the claim.

Aptly is not liable for any processing carried out by the Controller in breach of this Agreement or applicable law, or for any use of the Aptly platform that exceeds the purposes described in this Agreement.

12. Governing law

This Agreement is governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act 4 of 2013 (POPIA). Where the Controller is located in the European Economic Area or United Kingdom, GDPR or UK GDPR obligations are also recognised and Aptly commits to meeting equivalent standards.

Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of South Africa.

13. Contact and acceptance

This Agreement takes effect when you create an Aptly account or continue to use the Aptly platform after the date this Agreement was published.

For any questions about this Agreement, contact us at:

hello@aptly.pro
Black Wolf Analytics (Pty) Ltd
South Africa