Data Processing Agreement
Last updated: April 2026 — Version 1.0
What this is: This agreement sets out the responsibilities of Aptly (as data processor) and you, the Aptly user (as data controller), when personal data belonging to candidates is processed through the Aptly platform. By creating an Aptly account, you agree to these terms.
Data Processor
Black Wolf Analytics (Pty) Ltd
Operating as Aptly
hello@aptly.pro
South Africa
Tax ref: 9776594179
Data Controller
You — the registered Aptly user
The individual or organisation that has created an Aptly account and uses the platform to process candidate personal data on their own behalf or on behalf of their clients.
1. Definitions
"Personal data" means any information relating to an identified or identifiable natural person — in the context of this Agreement, primarily candidate names, email addresses, and CV content.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"Data controller" means the party that determines the purposes and means of processing personal data. In this Agreement, that is you.
"Data processor" means the party that processes personal data on behalf of the data controller. In this Agreement, that is Aptly.
"Data subject" means the individual whose personal data is being processed — in this context, a job candidate whose CV has been uploaded to Aptly.
"Sub-processor" means any third party engaged by Aptly to assist in processing personal data.
"Applicable law" means the Protection of Personal Information Act 4 of 2013 (POPIA) and, where applicable, the General Data Protection Regulation (GDPR) or UK GDPR.
2. Nature and purpose of processing
Aptly processes candidate personal data for the following purpose: to provide AI-powered CV screening, candidate ranking, candidate database management, and recruitment communication tools on behalf of the Controller.
Processing activities include:
- Extracting text from candidate CV files (PDF and Word documents)
- Transmitting extracted CV text to the Anthropic Claude API for AI analysis and scoring
- Storing candidate names, email addresses, and extracted CV text in a candidate database within the Controller's account
- Generating and storing AI-produced screening results — scores, verdicts, match reasoning, and gap analysis
- Facilitating the sending of emails to candidates via the Resend API on the Controller's instruction
- Presenting candidate data to the Controller and, where the Controller enables the share link feature, to designated third parties (e.g. hiring managers)
3. Categories of personal data and data subjects
| Category | Data subjects | Data processed |
| --- | --- | --- |
| Candidates | Job applicants whose CVs are uploaded by the Controller | Name, email address, CV text, AI-generated scoring and reasoning |
| Account users | Recruiters and hiring professionals registered on Aptly | Name, email address, company name, account activity |
| Hiring managers | Third parties granted access to a shared shortlist link | Name (if provided when leaving a comment), comment text |
4. Aptly's obligations as data processor
Aptly agrees to:
- Process personal data only on the documented instructions of the Controller and only for the purposes described in this Agreement
- Ensure that authorised personnel are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, or destruction
- Not engage sub-processors without the Controller's general authorisation (see Section 6) and without imposing equivalent data protection obligations on those sub-processors
- Assist the Controller in fulfilling data subject rights requests in relation to personal data held on Aptly's platform, to the extent technically possible
- Assist the Controller in meeting its obligations relating to security, breach notification, and data protection impact assessments
- Delete or return all personal data to the Controller upon termination of the service, at the Controller's choice, subject to any legal retention obligations
- Make available all information necessary to demonstrate compliance with this Agreement and permit audits by the Controller on reasonable notice
- Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data
5. Your obligations as data controller
By using Aptly to process candidate personal data, you confirm that:
- You have an appropriate legal basis under applicable law to process each candidate's personal data — for example, legitimate interests in evaluating candidates for a role, or the candidate's consent
- Where required by applicable law, you have informed candidates that their data may be processed by an AI-powered screening platform and may be stored in a talent database
- You will respond to any data subject access, correction, or deletion requests made by candidates directly to you, and will use the tools provided by Aptly to fulfil deletion requests where required
- You will not upload special categories of personal data (such as health, biometric, or criminal conviction data) to the platform unless you have explicit consent and a clear legal basis for doing so
- You will comply with all applicable data protection laws in your jurisdiction when using the Aptly platform
- You are responsible for the accuracy and lawfulness of any emails sent to candidates via the Aptly platform
6. Sub-processors
By accepting this Agreement, you authorise Aptly to use the following sub-processors. Aptly will ensure each sub-processor is bound by data protection obligations no less stringent than those in this Agreement.
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Anthropic (api.anthropic.com) | AI processing of CV text and job specifications to generate candidate screening results | United States |
| Render.com | Cloud hosting, application infrastructure, and PostgreSQL database storage | United States |
| Resend (resend.com) | Transactional email delivery to candidates and account users | United States |
Aptly will notify you of any intended changes to sub-processors by updating this Agreement and giving at least 30 days' notice where operationally possible. Continued use of the Aptly platform after notification constitutes acceptance.
7. Data subject rights
If a candidate contacts Aptly directly requesting access to, correction of, or deletion of their personal data, Aptly will:
- Forward the request to the relevant Controller (registered user) within 5 business days
- Assist the Controller in fulfilling the request using the deletion and management tools within the platform
- Where the Controller cannot be reached or the data relates to an inactive account, action the deletion directly within 30 days of receiving the request
Candidates wishing to exercise their rights may contact Aptly at hello@aptly.pro.
8. Security measures
Aptly implements the following security measures to protect personal data:
- All data in transit is encrypted using TLS 1.2 or higher
- Database access is restricted to authenticated application processes only
- User passwords are hashed using bcrypt — plain-text passwords are never stored
- Authentication uses JSON Web Tokens (JWT) with expiry
- The platform is hosted on Render.com, which maintains SOC 2 Type II certification
- Raw CV files are processed in memory and are not written to persistent storage
- Access to production systems is restricted to authorised personnel only
9. Data retention and deletion
Candidate personal data stored on Aptly is retained until the Controller deletes it. There is no automatic deletion schedule. The Controller may delete individual candidate records, screenings, or their entire account at any time.
Upon account deletion:
- All account data, candidate records, screenings, applications, and associated data are permanently and irreversibly deleted
- Deletion is immediate within the Aptly application database
- Anthropic, Render, and Resend may retain logs for their own standard retention periods as set out in their respective privacy policies
Upon termination of the service by either party, Aptly will provide the Controller with a reasonable opportunity to export their data before deletion, unless the account has been suspended for breach of terms.
10. Data breaches
In the event of a personal data breach affecting the Controller's data, Aptly will:
- Notify the Controller at the registered account email address without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Provide sufficient information for the Controller to meet any notification obligations to regulators or data subjects under applicable law
- Take reasonable steps to contain and remediate the breach and keep the Controller informed of progress
11. Liability
Aptly's liability under this Agreement is limited to direct damages caused by a material breach of this Agreement by Aptly, and shall not exceed the total fees paid by the Controller to Aptly in the three months preceding the event giving rise to the claim.
Aptly is not liable for any processing carried out by the Controller in breach of this Agreement or applicable law, or for any use of the Aptly platform that exceeds the purposes described in this Agreement.
12. Governing law
This Agreement is governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act 4 of 2013 (POPIA). Where the Controller is located in the European Economic Area or United Kingdom, GDPR or UK GDPR obligations are also recognised and Aptly commits to meeting equivalent standards.
Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of South Africa.
13. Contact and acceptance
This Agreement takes effect when you create an Aptly account or continue to use the Aptly platform after the date this Agreement was published.
For any questions about this Agreement, contact us at:
hello@aptly.pro
Black Wolf Analytics (Pty) Ltd
South Africa