Data Processing Agreement
The data protection obligations that apply when personal data is processed for Apexys services.
Data Processing Agreement (DPA)
Controller to Processor
This Data Processing Agreement ("DPA") forms part of the agreement between Apexys, Inc., a Delaware corporation ("Controller"), and any service provider, vendor, or partner processing Personal Data on behalf of Controller ("Processor").
This DPA governs the Processing of Personal Data in connection with the Apexys platform and applies where Processor processes Personal Data on behalf of Controller.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable individual processed by Processor on behalf of Controller.
"Processing" means any operation performed on Personal Data, including collection, storage, analysis, transmission, or deletion.
"Data Protection Laws" means all applicable privacy and data protection laws and regulations, including U.S. state privacy laws and, where applicable, the GDPR and similar international frameworks.
2. Roles of the Parties
2.1 Controller
Apexys determines the purposes and means of Processing Personal Data.
2.2 Processor
Processor processes Personal Data solely on behalf of Controller and in accordance with Controller's documented instructions and this DPA. Processor shall not process Personal Data for its own purposes.
3. Scope and Purpose of Processing
Processor shall process Personal Data only as necessary to provide services to Apexys, including:
- Infrastructure hosting and maintenance
- Data aggregation and transmission
- Analytics and system monitoring
- Security, logging, and error detection
Processing shall be limited to what is necessary to support the Apexys platform.
4. Categories of Personal Data
Personal Data processed may include:
- Financial account data obtained through authorized third-party integrations
- Investment holdings, balances, and asset allocation data
- Transaction metadata
- Technical and usage data related to platform operation
Processor shall not process user credentials such as banking usernames or passwords.
5. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller
- Ensure authorized personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not sell, rent, or otherwise disclose Personal Data
- Not use Personal Data for marketing, advertising, or profiling
- Not use Personal Data to provide investment advice or recommendations
6. Security Measures
Processor shall implement reasonable and appropriate safeguards, including:
- Encryption of Personal Data in transit
- Least-privilege access controls
- Logical separation of customer data
- Monitoring for unauthorized access or misuse
Processor may update security measures as risks and technology evolve, provided protection is not materially reduced.
7. Subprocessing
7.1 Authorization
Controller authorizes Processor to engage subprocessors for infrastructure, analytics, or data connectivity services.
7.2 Subprocessor Obligations
Processor shall ensure subprocessors are subject to data protection obligations no less protective than those in this DPA. Processor remains responsible for subprocessors' compliance.
8. Data Subject Requests
Processor shall reasonably assist Controller in responding to data subject requests. Processor shall not respond directly unless instructed by Controller.
9. Personal Data Breach
Processor shall notify Controller without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of a confirmed Personal Data Breach.
Notification shall include:
- Description of the incident
- Categories of Personal Data affected
- Mitigation measures taken or planned
10. Data Retention and Deletion
Processor shall retain Personal Data only as long as necessary to provide services. Upon termination or request, Processor shall delete or anonymize Personal Data unless retention is legally required.
11. Audits and Compliance
Processor shall make available information reasonably necessary to demonstrate compliance, subject to confidentiality and security limitations.
12. International Transfers
Where Personal Data is transferred outside the United States, Processor shall implement appropriate safeguards, including standard contractual clauses or equivalent lawful transfer mechanisms.
13. Liability
Nothing in this DPA expands liability beyond what is set forth in the applicable master agreement or Terms of Service.
14. Governing Law
This DPA is governed by the laws of the State of Delaware, without regard to conflict of law principles.
15. Order of Precedence
In the event of conflict, this DPA governs with respect to data protection obligations.