DRAFT — NOT YET LEGALLY REVIEWED

This document is a working draft. Do not rely on it as binding legal advice. A licensed attorney will review and finalize prior to any production use.

Data Processing Agreement

Effective: April 18, 2026

1. Parties and scope

This Data Processing Agreement (“DPA”) forms part of the master Terms of Service between Apex, Inc. (“Apex,” “Processor”) and the customer (“Customer,” “Controller”) identified in the Order Form or account registration.

It applies to the processing of personal data by Apex on behalf of Customer in connection with the Apex platform (the “Services”), including the mobile measurement, affiliate-tracking, email-sending, and analytics features.

2. Definitions

  • “Data Protection Laws” means all applicable laws governing the processing of personal data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other similar laws.
  • “Personal Data” has the meaning given in the applicable Data Protection Laws.
  • “Sub-processor” means any third party engaged by Apex to process Personal Data on behalf of Customer, including Stripe, AWS, and Anthropic.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA.

3. Roles of the parties

Customer is the Controller of Personal Data it submits to the Services. Apex is the Processor, processing Personal Data solely on Customer's documented instructions, including as expressed through Customer's use of the Services.

For Apex's own business operations (billing, platform security, fraud detection across Apex's customer base), Apex acts as an independent Controller. The scope of that independent-controller processing is limited to operational data — not the Personal Data Customer uploads or collects through the Services.

4. Categories of data processed

Apex processes the following categories of Personal Data on Customer's behalf:

  • Contact data: name, email, phone, address
  • Online identifiers: visitor ID, session ID, IP address, user-agent
  • Device identifiers: IDFA, GAID, IDFV, Android ID (where ATT/consent permits)
  • Usage data: pageviews, events, conversions, engagement metrics
  • Attribution data: click IDs, UTM parameters, install referrer
  • Affiliate payout data: Stripe Connect account reference, payout history
  • Communication preferences and delivery receipts

Sensitive categories (health, political opinion, etc.) are NOT processed under the Services. Customer agrees not to upload sensitive Personal Data.

5. Sub-processors

Apex engages the following sub-processors to provide the Services. An up-to-date list is maintained at apex.inc/legal/subprocessors.

  • Amazon Web Services, Inc. (US) — cloud infrastructure hosting.
  • Stripe, Inc. (US) — payment processing and affiliate payouts via Stripe Connect. Stripe's own DPA: stripe.com/legal/dpa.
  • Amazon Web Services, Inc. (Bedrock) — AI inference for attribution explanations, creative analysis, and growth-advisor features. Prompts and responses are not used to train foundation models per AWS Bedrock terms.
  • Amazon SES (US) — transactional and marketing email delivery.
  • Cognito + AWS IAM (US) — authentication and access control.
  • Meta Platforms, Inc. (US) — when Customer connects a Meta Ads account, Apex reads campaign metadata, per-ad performance metrics, and the merchant-defined conversion-action catalog from the Meta Marketing API to populate the Performance dashboard. Apex does NOT push audiences or events to Meta from this integration. Meta's own DPA covers Meta-side processing.
  • Google LLC (US) — when Customer connects a Google Ads account, Apex reads campaign metadata, per-ad performance metrics, and the merchant-defined ConversionAction catalog via the Google Ads API. Apex does NOT push audiences or events into Google Ads.
  • LinkedIn Corporation (US) — when Customer connects a LinkedIn Ads account, Apex reads campaign metadata, per-creative performance metrics, and the merchant's Conversion catalog via the LinkedIn Marketing API. Apex does NOT push audiences or events into LinkedIn.

Apex gives Customer 30 days' notice before adding a new sub-processor, by email and by updating the published list. Customer may object in writing during that period; if the objection is not resolved, Customer may terminate the affected Services.

6. International transfers

Personal Data is processed primarily in the United States. For EEA/UK Data Subjects, Apex relies on the EU Standard Contractual Clauses (Module 2: Controller to Processor, 2021/914) and, where applicable, the UK International Data Transfer Addendum, to lawfully transfer data to US sub-processors.

Customer can request the SCC package signed by Apex at privacy@apex.inc.

7. Security

Apex maintains commercially reasonable technical and organizational security measures, including:

  • Encryption in transit (TLS 1.2+) for all API traffic.
  • Encryption at rest for DynamoDB tables and S3 buckets.
  • Access control via AWS IAM with least-privilege policies.
  • Role-based access control within the Apex dashboard.
  • Multi-factor authentication on admin accounts.
  • Security logging and anomaly detection via CloudWatch.
  • Regular security reviews and dependency scanning.

A formal SOC 2 Type II audit is on the roadmap for 2026; current controls are designed to map to the audit's Trust Services Criteria.

8. Data subject rights

Apex will assist Customer in responding to data-subject requests (access, rectification, erasure, portability, restriction) submitted to Customer directly. Apex provides self-service tools in the dashboard for:

  • Exporting a Data Subject's records in structured format (JSON or CSV).
  • Deleting a Data Subject's records from the Apex platform.
  • Suppressing future communications to a Data Subject.

If Apex receives a Data Subject request directly, Apex will refer the Data Subject to Customer (as the Controller) unless required by law to respond directly.

9. Breach notification

Apex will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer data. Notice will be by email to the primary account contact and include: the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences, and the measures taken or proposed.

10. Return and deletion

Upon termination of the Services, Apex will delete Customer's Personal Data within 90 days, except for data Apex is legally required to retain (e.g., tax records associated with affiliate payouts for the minimum retention period required by applicable law — typically 7 years in the US).

Customer may request earlier deletion at privacy@apex.inc. Backups containing Personal Data age out on a 35-day rolling schedule.

11. Audits

Apex will make available to Customer, on request and no more than once per year, the most recent third-party audit reports covering the Services (e.g., the SOC 2 Type II report once available). On-site audits require reasonable advance notice, are subject to Apex's security protocols, and are at Customer's expense.

12. Signing this DPA

This DPA takes effect automatically when you accept the Terms of Service and begin using the Services. No signature is required. For a countersigned PDF version for your records, contact legal@apex.inc.