DATA PROCESSING AGREEMENT
Effective Date: April 1, 2026 Last Updated: April 1, 2026
This Data Processing Agreement ("DPA") forms part of the Master Intelligence Agreement and applies when Arccore LLC ("Processor") processes Personal Information on behalf of the Client ("Controller") in connection with the Intelligence Platform.
Arccore LLC is located at 8 The Green, Suite G, Dover, DE 19901, United States.
1. DEFINITIONS
- "Personal Information" has the meaning given in the CCPA/CPRA and other applicable U.S. state privacy laws. "Process" or "Processing" means any operation performed on Personal Information.
- "Services" means the Intelligence Platform as defined in the Master Intelligence Agreement between the parties, and any related services described therein.
- "Controller" means the Client (as defined in the MIA), being the party that determines the purposes and means of Processing Personal Information.
- "Processor" means Arccore LLC, being the party that Processes Personal Information on behalf of the Controller.
- "Sub-processor" means any third-party processor engaged by Processor to Process Personal Information on behalf of Controller in connection with the Services.
2. PROCESSING INSTRUCTIONS
Processor will Process Personal Information only on documented instructions from Controller and in accordance with the MIA, this DPA, and applicable law. Processor will not sell Personal Information or use it for any commercial purpose other than providing the Services. For purposes of this DPA, Controller's documented instructions consist of: (a) the terms of the MIA and this DPA as in effect from time to time; (b) Controller's account configuration and delivery settings within the Intelligence Platform; and (c) written instructions provided by Controller to legal@platformpolicy.com, which Processor will acknowledge in writing within five (5) Business Days. Processor will promptly notify Controller if, in Processor's reasonable opinion, an instruction infringes applicable privacy law.
3. SECURITY
Processor implements and maintains appropriate technical and organizational measures, including those described in the Privacy Policy and Data Handling Policy.
3.1. Personnel Confidentiality. Processor ensures that all persons authorized to Process Personal Information on behalf of Processor: (a) are subject to appropriate confidentiality obligations no less protective than those in this DPA and the MIA; (b) Process Personal Information only on Processor's documented instructions or as required by applicable law; and (c) have received appropriate training on data protection obligations relevant to their role.
4. SUB-PROCESSORS
Controller authorizes the use of Sub-processors listed in Attachment 1. Processor will enter into written agreements with Sub-processors that impose equivalent obligations. Controller will be notified at least 30 days before any new Sub-processor is added; Controller may object within 14 days of such notice. If Controller objects to a new Sub-processor within 14 days, the parties will negotiate in good faith. If no resolution is reached within 30 days of the objection, Controller may terminate this DPA and the applicable Services upon 30 days' written notice and receive a pro-rata refund of prepaid fees.
5. DATA SUBJECT RIGHTS
Processor will assist Controller in responding to verifiable consumer requests under CCPA/CPRA and other state laws. Processor will provide such assistance within ten (10) Business Days of receiving a written request from Controller, or such shorter period as required by applicable law.
6. BREACH NOTIFICATION
Processor will notify Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Information breach.
7. RETURN OR DELETION
Upon termination of the Services, Processor will, within thirty (30) days of the termination date, delete or return (at Controller's election) all Personal Information and provide written certification of deletion to Controller. Processor may retain Personal Information beyond this period only to the extent required by applicable law, and shall notify Controller of any such retention in writing. Notwithstanding the foregoing, Processor's deletion obligations under this Section 7 do not apply to Risk Profile Information (as defined in MIA §5.3), which remains subject to the permanent confidentiality obligations in MIA §5.3 regardless of termination. Processor will continue to protect such information in accordance with MIA §5.3 after termination, and will not use it for any purpose other than fulfilling those confidentiality obligations.
8. AUDIT RIGHTS
Controller may audit Processor's compliance as set forth in MIA §11.4.
9. CCPA SERVICE PROVIDER
Processor acts solely as a "service provider" under CCPA/CPRA and will not retain, use, or disclose Personal Information except as permitted.
10. GOVERNING LAW
This DPA is governed by the laws of the State of Delaware, without regard to its conflict-of-laws rules.
ATTACHMENT 1 — AUTHORIZED SUB-PROCESSORS
As of the Effective Date, Arccore LLC uses the following categories of Sub-processors:
| Category | Purpose |
|---|---|
| Cloud hosting | Application hosting and database services |
| Email delivery | Transactional and notification email delivery |
| Payment processing | Subscription billing and payment handling |
| Analytics | Aggregated usage monitoring |
| Security | DDoS protection, WAF, threat monitoring |
A current list of specific Sub-processor names is available upon written request to legal@platformpolicy.com.
Contact: Legal: legal@platformpolicy.com | Arccore LLC, 8 The Green, Suite G, Dover, DE 19901, United States