Advisory API Systems LLC

Data Processing Agreement

Effective Date: Upon First API Use
Version: 1.4
Last Updated: April 2026

1. INTRODUCTION AND SCOPE

1.1 Purpose

This Data Processing Agreement (“DPA”) establishes the terms under which Advisory API Systems LLC (“Processor,” “Company,” “we,” “us,” or “our”) processes personal data on behalf of User (“Controller,” “you,” or “your”) in connection with the Portfolio Optimization API services.

1.2 Incorporation

This DPA is incorporated by reference into the User Agreement (“Agreement”). By using the API, User agrees to the terms of this DPA.

1.3 Applicability

This DPA applies to all processing of Personal Data by Processor on behalf of Controller in connection with the API services.

2. DEFINITIONS

“Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data, including:

EU General Data Protection Regulation (GDPR), applicable to Personal Data processed on EU-based infrastructure
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Other U.S. state privacy laws (Virginia CDPA, Colorado CPA, etc.)
Financial privacy regulations including Gramm-Leach-Bliley Act (GLBA)

“Controller” means User, as the entity that determines the purposes and means of processing Personal Data.

“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.

“Personal Data” means any information relating to an identified or identifiable natural person that is submitted to the API by Controller.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

“Processor” means Advisory API Systems LLC, as the entity that processes Personal Data on behalf of Controller.

“Security Incident” means any confirmed unauthorized access to, or acquisition of, Personal Data that compromises the security, confidentiality, or integrity of such data.

“Sub-processor” means any third party engaged by Processor to process Personal Data on behalf of Controller.

3. DATA PROCESSING TERMS

3.1 Roles and Responsibilities

(a) Controller Status: User is the Controller of all Personal Data submitted to the API. User determines what data is submitted and for what purposes.

(b) Processor Status: Advisory API Systems acts as a Processor, processing Personal Data solely for the purpose of providing the API services, which include generating investment advice for User.

Ensuring lawful basis for processing (consent, legitimate interest, etc.)
Providing required notices to Data Subjects
Responding to Data Subject rights requests
Ensuring accuracy of data submitted to the API

3.2 Processing Instructions

(a) Processor shall process Personal Data only:

To provide the API services as described in the Agreement
In accordance with Controller’s documented instructions
As required by applicable law

(b) If Processor believes an instruction violates Applicable Data Protection Laws, Processor will promptly notify Controller.

3.3 Purpose Limitation

Personal Data will be processed solely for the following purposes:

Executing portfolio optimization calculations requested via API calls
Generating investment allocation recommendations for User
Maintaining usage logs for billing, service improvement, and regulator requirements and audits
Providing technical support
Complying with legal obligations

4. CATEGORIES OF DATA PROCESSED

4.1 Categories of Personal Data

The API may process the following categories of Personal Data as submitted by Controller:

Category	Examples	Purpose
Identification Data	Names, dates of birth, ages	Household composition, life expectancy calculations
Financial Data	Income, assets, account balances, Social Security benefits	Portfolio optimization calculations
Employment Data	Occupation, employment status, salary history	Human capital valuation
Demographic Data	State of residence, marital status	Tax calculations, regulatory compliance
Benefit Data	Pension amounts, insurance coverage, Medicare eligibility	Background asset valuation
Risk Profile Data	Risk tolerance scores, willingness-to-pay responses	CRRA parameter determination

4.2 Special Categories

The API is not designed to process special categories of data (sensitive personal information) such as health data, biometric data, or data revealing racial or ethnic origin, political opinions, or religious beliefs. Controller should not submit such data unless essential to the service and permitted by applicable law.

4.3 Data Subjects

Data Subjects may include:

The User (Individual Client) or the User’s advisory clients (End Users, in the case of RIA Clients)
Spouses or partners of the above (for household optimization)
Beneficiaries referenced in planning scenarios

5. DATA SECURITY

5.1 Security Measures

Processor implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

Technical Measures:

Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest using AES-256
Secure API authentication via bearer Access Tokens (256-bit, cryptographically random), stored on infrastructure only as SHA-256 hashes
Third-party service credentials held in environment variables outside the application source tree, not in version control
Rate limiting and access controls
Regular security assessments and penetration testing
Intrusion detection and monitoring systems
Secure development practices

Organizational Measures:

Access limited to personnel with business need
Confidentiality obligations for all personnel
Security awareness training
Incident response procedures
Vendor security assessments

5.2 Security Updates

Processor will update security measures as necessary to maintain appropriate protection in light of evolving threats and industry standards.

6. SUB-PROCESSORS

6.1 Authorized Sub-processors

Controller authorizes Processor to engage the following categories of Sub-processors:

Category	Purpose
Cloud Infrastructure Providers	Hosting and data storage
Payment Processors	Billing and payment processing
Security and Monitoring Services	Infrastructure protection

6.2 Sub-processor List

A current list of Sub-processors is available upon written request to [email protected].

6.3 Sub-processor Obligations

Processor will:

Enter into written agreements with Sub-processors imposing data protection obligations substantially similar to this DPA
Remain liable for Sub-processor compliance
Conduct appropriate due diligence on Sub-processors

6.4 Changes to Sub-processors

Processor will notify Controller at least thirty (30) days before engaging a new Sub-processor or making material changes to existing Sub-processor arrangements. If Controller has legitimate grounds to object, Controller may terminate the Agreement by providing written notice within the notification period.

7. DATA RETENTION AND DELETION

7.1 Personal Data Processing

The API processes Personal Data to generate responses. Personal Data included in API requests is processed in real-time and is retained by Processor after the response is delivered, in addition to:

(a) API Logs: Request metadata (timestamps, API Key identifiers, HTTP status codes) may be retained for operational purposes.

(b) Billing Records: Usage counts necessary for billing are retained in accordance with accounting requirements (typically seven years).

7.2 Deletion Upon Request or Termination

(a) Controller may request deletion of Personal Data at any time by submitting a written request via email to [email protected]. Processor will delete the specified Personal Data within thirty (30) days, subject to regulatory retention requirements applicable to investment advisers.

(b) Upon termination of the Agreement, Processor will:

Cease all processing of Personal Data
Delete or return Personal Data within thirty (30) days, at Controller’s election
Provide written confirmation of deletion upon request

7.3 Legal Retention

Processor may retain Personal Data as required by applicable law, subject to appropriate confidentiality and security measures.

8. DATA SUBJECT RIGHTS

8.1 Controller Responsibility

Controller is responsible for responding to Data Subject requests to exercise their rights under Applicable Data Protection Laws (access, correction, deletion, portability, etc.).

8.2 Processor Assistance

Processor will:

Promptly notify Controller of any Data Subject request received directly
Provide reasonable assistance to Controller in responding to requests
Implement technical measures to facilitate Controller’s response to requests

8.3 Response Timeline

Processor will respond to Controller’s requests for assistance within ten (10) business days.

9. SECURITY INCIDENTS

9.1 Notification

Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Controller’s Personal Data.

9.2 Notification Contents

Security Incident notifications will include, to the extent known:

Description of the incident
Categories and approximate number of Data Subjects affected
Categories of Personal Data affected
Likely consequences of the incident
Measures taken or proposed to address the incident

9.3 Cooperation

Processor will:

Cooperate with Controller’s investigation
Take reasonable steps to mitigate harm
Preserve evidence for forensic analysis
Assist Controller with regulatory notifications as required

9.4 No Acknowledgment of Fault

Notification of a Security Incident does not constitute acknowledgment of fault or liability.

10. INTERNATIONAL DATA TRANSFERS

10.1 Processing Location

Personal Data is processed on servers located in Germany (European Union), which are subject to the EU General Data Protection Regulation (GDPR) and its strict data protection requirements. Data may also transit through infrastructure located in the United States in the course of providing the services. Processor does not transfer Personal Data to jurisdictions outside the European Union and the United States unless:

Required to provide the services
Controller provides prior written consent
Appropriate safeguards are in place

10.2 Transfer Mechanisms

Because Personal Data is processed within the European Union (Germany), the processing benefits from the protections of the GDPR. For any transfers of Personal Data between the European Union and the United States that occur in the course of providing the services, Processor relies on appropriate transfer mechanisms, which may include:

EU-U.S. Data Privacy Framework certification (if applicable)
Standard Contractual Clauses (SCCs)
Other legally recognized mechanisms

10.3 Supplementary Measures

Where required, Processor will implement supplementary technical and organizational measures to ensure adequate protection of transferred data.

11. CCPA COMPLIANCE

11.1 Service Provider Status

For purposes of the CCPA/CPRA, Processor acts as a “Service Provider” as defined in Cal. Civ. Code § 1798.140(ag).

11.2 CCPA Obligations

Processor certifies that it:

Will not sell or share Personal Data
Will not retain, use, or disclose Personal Data for any purpose other than providing the API services
Will not retain, use, or disclose Personal Data outside the direct business relationship with Controller
Will provide the same level of privacy protection as required by the CCPA

11.3 Notification of Inability to Comply

Processor will notify Controller if it determines it can no longer meet its obligations under this Section 11.

11.4 Privacy Policy

Processor maintains a Privacy Policy describing its collection, use, disclosure, and retention of personal information, including disclosures required by the CCPA/CPRA and the GLBA. The Privacy Policy is incorporated by reference into the User Agreement and is available at https://ria.us/agreement/Privacy_Policy.html.

12. GLBA COMPLIANCE

12.1 Safeguards

To the extent Personal Data includes “nonpublic personal information” as defined under GLBA, Processor maintains an information security program that:

Ensures the security and confidentiality of customer information
Protects against anticipated threats or hazards
Protects against unauthorized access or use

12.2 Financial Industry Requirements

Processor acknowledges that Controller may be subject to regulatory examination and will cooperate with Controller’s compliance requirements.

13. GENERAL PROVISIONS

13.1 Conflicts

In the event of a conflict between this DPA and the Agreement, the terms most protective of Personal Data shall prevail.

13.2 Amendments

This DPA may be amended by Processor to reflect changes in Applicable Data Protection Laws. Material changes will be communicated with at least thirty (30) days’ notice.

13.3 Survival

This DPA shall survive termination of the Agreement with respect to all Personal Data processed during the term.

13.4 Liability

Liability under this DPA is subject to the limitations set forth in the Agreement.

14. CONTACT INFORMATION

Advisory API Systems LLC

Email: [email protected]
Phone: (310) 839-0358

This Data Processing Agreement is incorporated by reference into the User Agreement. By using the API, you acknowledge and agree to the terms of this DPA.