apsera.ai
Draft. This data processing agreement reflects how apsera.ai actually runs today and is the starting point for our forthcoming reviewed version. It has not been reviewed by a lawyer yet and is not the final, signed agreement. Enterprise customers signing today: ask for the latest reviewed copy at [email protected].

Data Processing Agreement

Effective date: 2026-05-05 (draft) · Operator: APBLD APP BUILD LLP (apsera.ai)

1. Parties + scope

This DPA forms part of the Terms of Service between you (the Customer, acting as Controller) and APBLD APP BUILD LLP, a Limited Liability Partnership registered in India operating the apsera.ai service (the Provider, acting as Processor). It applies whenever apsera.ai processes personal data on the Customer’s behalf in connection with the service.

2. Defined terms

  • Personal Data — any information relating to an identified or identifiable person, as defined under applicable data-protection law (GDPR Art. 4, CCPA, UK GDPR, etc.).
  • Processing — anything we do with Personal Data on your behalf: storing it, retrieving it, transmitting it, deleting it.
  • Subprocessor — a third party we use to provide part of the service, processing Personal Data on our behalf.
  • Data Subject Request — a request from an individual to access, correct, delete, or restrict processing of their Personal Data.

3. Roles + instructions

You are the Controller. We are the Processor and act only on your documented instructions, which are: (a) provide the service to you; (b) honour the choices you make in product (which integrations to connect, what tasks to assign, etc.); (c) comply with applicable law.

We’ll tell you immediately if we believe an instruction violates applicable data-protection law.

4. Categories of data + data subjects

  • Account data — names, emails, workspace info of your team members who use apsera.ai.
  • Connected-system data — whatever flows through the integrations you connect (Salesforce records, GitHub commits, Confluence pages, Slack messages, etc.). The category depends on what your team asks the workers to do.
  • Conversation + activity data — task descriptions, worker messages, tool inputs and results, audit log.

Data subjects are typically your employees, your customers, and your prospects.

5. Confidentiality

We require everyone with access to Personal Data (employees, contractors, subprocessors) to be bound by confidentiality obligations at least as strict as those in this DPA.

6. Security

We implement and maintain the technical and organisational measures described at /trust: encryption in transit (TLS 1.2+), encryption at rest (Supabase + Cloudflare R2), row-level security per org, audit logging of every action, single-tenant separation via org_id, restricted production access, immutable audit trail.

7. Subprocessors

You authorise us to engage the subprocessors listed at /trust → Subprocessors. We’ll provide at least 30 days’ notice via email before adding a new subprocessor that processes Personal Data; you may object on reasonable grounds relating to data protection. If we can’t resolve your objection, you can terminate the affected portion of the service for cause.

We remain liable for our subprocessors’ acts and omissions to the same extent as if they were our own.

8. International transfers

Personal Data may be transferred to the United States and other countries where our subprocessors operate. For transfers from the EEA / UK / Switzerland, the parties agree to the EU Standard Contractual Clauses (Module 2: Controller to Processor), UK Addendum, and Swiss FADP supplements as applicable, incorporated by reference. We’ll execute supplementary measures where Schrems II analysis requires them.

9. Data Subject Requests

Where possible, the in-product tools (data export, account closure, integration disconnect) let you fulfil Data Subject Requests directly. When you need our help (e.g. extracting data not visible in product), email [email protected] and we’ll respond within 5 business days. We won’t respond directly to data subjects (we redirect them to you, the Controller) unless legally required.

10. Personal Data Breach

We’ll notify you without undue delay (and in any case within 72 hours of becoming aware) if we identify a Personal Data Breach affecting your data. Notice will include the nature of the breach, categories and approximate volume of records and data subjects affected, likely consequences, and the measures we’re taking. We’ll work cooperatively on any required regulatory notifications.

11. Audits

On reasonable written notice (and no more than once per year, except after a Personal Data Breach), you may audit our compliance with this DPA via written questionnaire. Where you require an on-site audit, we’ll work in good faith on scope, cost, and confidentiality. We’ll share independent reports we hold (e.g. a future SOC 2 once issued) under NDA in lieu where they cover the area you’d audit.

12. Return + deletion

On termination, you may export your data via the methods at /trust. We’ll delete or anonymise all Personal Data within 30 days of termination unless retention is required by law; backups age out within 14 additional days. We’ll confirm deletion in writing on request.

13. Liability

Each party’s liability under this DPA is subject to the limitations in the Terms of Service. Liability under data-protection law (e.g. GDPR Art. 82) is split per the parties’ respective responsibilities; nothing here purports to limit liability that cannot be limited under applicable law.

14. Term + precedence

This DPA runs for the term of the underlying agreement. If anything in the Terms of Service conflicts with this DPA, the DPA controls — and where applicable data-protection law (GDPR, UK GDPR, CCPA, FADP, etc.) requires something stricter, that law controls.

15. Signatures

For enterprise customers requiring a signed copy with their entity name, email [email protected] and we’ll execute via DocuSign.

Last revised: 2026-05-05 · Pending lawyer review.