Effective April 23, 2026 · Version 1.2 · Incorporated into and part of the Terms of Service
This Data Processing Agreement (“DPA”) forms Part II of the Agreement between Accomplice Real Estate, LLC d/b/a AccompliceRE (“Company,” “Processor,” “Service Provider”) and Customer (“Controller,” “Business”). It governs how the Company processes Customer Data containing Personal Data on behalf of Customer in connection with the AccompliceRE platform. Capitalized terms not defined herein have the meanings given in the Terms of Service (Part I).
With respect to any Personal Data contained within Customer Data processed through the Platform, Customer acts as the data controller (or “Business” under CCPA/CPRA) and the Company acts as the data processor (or “Service Provider” under CCPA/CPRA). The Company processes Personal Data only on behalf of Customer and in accordance with Customer's documented instructions as set forth in this DPA.
Customer represents and warrants that: (a) it has a lawful basis under Applicable Data Protection Laws for processing the Personal Data it submits to the Platform; (b) it has provided all required notices to, and obtained all required consents from, any natural persons whose Personal Data is included in Customer Data; and (c) Customer's instructions to the Company are lawful.
With respect to contact information of prospective customers collected and processed by the Company for its own direct business development purposes (“Prospect Data”), the Company acts as an independent data controller. Prospect Data is not Customer Data and is not processed on behalf of any Customer. The Company's processing of Prospect Data is governed by its Privacy Policy. Prospect Data includes names, email addresses, company names, job titles, geographic information, phone numbers, and communication engagement metrics collected in connection with the Company's business outreach activities. Where Prospect Data relates to individuals in the European Economic Area or United Kingdom, the Company relies on legitimate interest under GDPR Article 6(1)(f) as the legal basis for processing. The Company's obligations as controller of Prospect Data are further described in the Privacy Policy.
The Company will process Personal Data within Customer Data solely for the following purposes:
The Company will not process Customer Data containing Personal Data for any purpose not enumerated above, including advertising directed at Customers based on Customer Data, consumer marketing profiling, data brokerage, model training, or sharing Customer Data with third parties except as expressly permitted in this DPA. This restriction applies to Customer Data only. The Company's processing of Prospect Data for its own business development purposes is governed by the Privacy Policy and is separate from this DPA.
Customer acknowledges and understands the following regarding the Company's technical capability to access Customer Data:
Customer further understands that the Company's commitment not to access Customer Data without authorization is a contractual obligation governed by this DPA, not a technical impossibility. The encryption architecture creates meaningful practical barriers to unauthorized access and ensures that any access would be a deliberate, auditable act in violation of this Agreement.
The Company has designed the Platform so that no Company employee views, accesses, or decrypts Customer Data except under the limited circumstances enumerated below. All document processing is fully automated.
If the Company receives a lawful governmental or regulatory request, subpoena, court order, or other legal process requiring access to or disclosure of Customer Data, the Company will: (a) promptly notify Customer of the request, to the extent permitted by applicable law; (b) cooperate with Customer's reasonable efforts to obtain a protective order or similar protection; and (c) disclose only the minimum amount of Customer Data required to comply with the applicable legal obligation.
If any Company employee, contractor, or agent accesses Customer Data outside the authorized circumstances described in Section 14.2, the Company will: (a) immediately investigate and remediate the unauthorized access; (b) notify Customer within 48 hours of confirming the unauthorized access; and (c) provide Customer with a written summary of the nature and scope of the access and the remediation steps taken.
The Company maintains the following internal controls governing access to Customer Data:
The Company retains Customer Data in accordance with the following schedule:
Upon Customer's written request, the Company will certify in writing that Customer Data has been deleted in accordance with this Section, except for data required to be retained by applicable law.
The Platform's AI extraction feature transmits document text content directly to Anthropic's Claude API for processing. This architecture operates under the following data handling controls:
The Company implements and maintains the following security measures, detailed in full in Exhibit B:
The Company may update its security measures from time to time. The Company will not reduce the overall level of security protection afforded to Customer Data without prior written notice and Customer's consent.
The Company will use commercially reasonable efforts to identify and remediate security vulnerabilities in the Platform in a timely manner commensurate with the risk presented.
In the event of a confirmed Security Incident affecting Customer Data, the Company will notify Customer without undue delay and in no event later than 72 hours after the Company becomes aware of the Security Incident, to the extent notification within such timeframe is reasonably practicable.
The Company's Security Incident notification will include, to the extent available at the time of notification:
Following a Security Incident, the Company will: (a) conduct a prompt investigation and take reasonable steps to identify the root cause; (b) implement remediation measures to prevent recurrence; and (c) provide Customer with reasonable updates as additional information becomes available.
The Company's notification of a Security Incident shall not constitute an admission of liability or fault by the Company.
Customer provides general authorization for the Company to engage the Subprocessors listed in Exhibit A to process Customer Data in connection with providing the Platform. The Company will enter into written agreements with each Subprocessor that impose data protection obligations no less protective than those in this DPA.
The Company will provide at least 30 days' advance written notice to Customer of any addition or replacement of a Subprocessor. If Customer objects to a new Subprocessor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the Agreement without penalty with respect to the affected services.
To the extent Customer Data contains Personal Data subject to data subject rights requests under Applicable Data Protection Laws, the Company will provide reasonable technical and organizational assistance to Customer to enable Customer to fulfill such requests. Customer, as the data controller, is responsible for responding to data subject rights requests.
If the Company receives a data subject rights request directly from an individual regarding Customer Data, the Company will promptly forward the request to Customer without responding to it directly, unless legally required to do so.
The Company will delete or de-identify specific Customer Data records upon written request from Customer within 30 days, except where retention is required by applicable law.
No more than once per calendar year, and upon at least 30 days' prior written notice, Customer may request a written compliance assessment or audit of the Company's data processing practices under this DPA. Such audit will be conducted in a manner that does not unreasonably interfere with the Company's business operations.
To the extent the Company obtains third-party security certifications or audit reports related to the Platform, the Company will provide Customer with reasonable access to relevant summary information upon request.
The Company will cooperate with Customer's reasonable compliance assessments and will provide information reasonably necessary for Customer to demonstrate compliance with Applicable Data Protection Laws.
To the extent required by Applicable Data Protection Laws, the Company will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments under GDPR Article 35 and prior consultations with supervisory authorities under GDPR Article 36, where such assessments or consultations relate to the processing of Customer Data through the Platform.
The Company's primary data processing facilities are located in the United States (AWS US East region, N. Virginia). By using the Platform, Customer agrees to the transfer and processing of Customer Data in the United States.
To the extent any Customer Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or other countries not deemed to provide adequate data protection, the Company will ensure such transfers are made pursuant to appropriate safeguards, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other legally recognized transfer mechanisms.
Where Customer Data is transferred to PDFShift SAS, located in France (EU), such transfers are made pursuant to Standard Contractual Clauses in compliance with GDPR Chapter V.
This DPA is designed to be compatible with GDPR Article 28 requirements. Customers processing Personal Data of EEA residents should contact legal@accomplicere.com to discuss any additional documentation required for GDPR compliance.
Where a Subprocessor is self-certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”), transfers of Personal Data to such Subprocessor in the United States are made in reliance on the DPF, as supplemented by Standard Contractual Clauses as a defense-in-depth safeguard. The Company monitors the continuing validity of the DPF, including any invalidation or modification by the Court of Justice of the European Union, the European Commission, the United Kingdom Information Commissioner, or the Swiss Federal Data Protection and Information Commissioner. In the event the DPF ceases to provide an adequate transfer mechanism, the Company will rely exclusively on Standard Contractual Clauses supplemented by appropriate technical and organizational measures.
With respect to any Personal Data of California residents within Customer Data, the Company is acting as a “Service Provider” as that term is defined under the CCPA/CPRA. The Company will not: (a) sell or share Personal Data of California residents; (b) retain, use, or disclose Personal Data for any purpose other than the business purpose of providing the Platform; (c) retain, use, or disclose Personal Data outside the direct business relationship between the Company and Customer; or (d) combine Personal Data of California residents with personal information received from other sources.
The Company certifies that it understands the restrictions set forth in this Section 21 and will comply with them.
If the Company determines that it can no longer meet its obligations under the CCPA/CPRA with respect to Personal Data of California residents, the Company will promptly notify Customer. Upon such notification, Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.
The Company will process Personal Data of Texas residents in accordance with the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541 et seq., and any amendments thereto. The Company acts as a “processor” as defined under the TDPSA with respect to Personal Data it processes on behalf of Customer.
The Company will not sell Personal Data of Texas residents, as “sale” is defined under the TDPSA.
The following third-party Subprocessors are currently authorized by Customer under this Agreement to process Customer Data in connection with the Platform:
| Subprocessor | Purpose | Processing Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and file storage | AWS US East (N. Virginia) |
| Vercel, Inc. | Application hosting and deployment | US (global CDN edge) |
| Anthropic, PBC | AI document extraction (Claude API) | United States |
| Amazon Web Services, Inc. (KMS) | Per-user encryption key management | AWS US East (N. Virginia) |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Cloudflare, Inc. | Bot protection (Turnstile) | Global |
| Upstash, Inc. | Rate limiting (Redis) | United States |
| PDFShift SAS | PDF rendering and report generation | France (EU) — transfers pursuant to SCCs |
| Google LLC | User authentication (OAuth 2.0); email reply detection for business outreach (Gmail API via domain-wide delegation, gmail.readonly scope); analytics and performance measurement on the public marketing website (Google Analytics 4), consent-gated | United States — EU-U.S. DPF self-certified |
| Google Ireland Limited | EEA / UK / Swiss data controller of record for Google Analytics 4 on the public marketing website; onward transfer to Google LLC | Ireland (EU) — onward transfers under EU-U.S. DPF + SCCs |
| Logo.dev (Synthesia Limited) | Company logo retrieval for PDF reports and analysis display | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and application performance tracking | United States |
| Resend, Inc. | Transactional email delivery; business outreach email delivery and engagement tracking (opens, clicks, bounces, complaints) | United States |
Notes: (1) PDFShift SAS is located in France (EU). Transfers of Customer Data to PDFShift are made pursuant to Standard Contractual Clauses in compliance with GDPR Chapter V. (2) Google LLC processes Customer Data (OAuth, Gmail API) and marketing-site analytics data (Google Analytics 4) under the Google Ads Data Processing Terms and the Google Cloud Data Processing Addendum. Google LLC is self-certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. For EEA, UK, and Swiss marketing-site visitors, Google Ireland Limited acts as the data controller of record and transfers personal data to Google LLC in the United States under the EU-U.S. DPF and, as a supplementary safeguard, Standard Contractual Clauses. Google Analytics 4 is loaded on the public marketing website only after affirmative consent and is configured with IP-anonymization, Google Signals disabled, and a 2-month event-data retention window. The Google Cloud Data Processing Addendum is available at business.safety.google/adsprocessorterms.
The Company maintains an updated subprocessor list at accomplicere.com/legal/dpa. Customers will be notified of changes per Section 17.2.
The following security measures are implemented and maintained by Accomplice Real Estate, LLC d/b/a AccompliceRE to protect Customer Data processed through the Platform.
Extracted Data (the proposals table) benefits from two independent, stacked layers of AES-256 encryption at rest:
For data protection inquiries, to exercise data subject rights, or to report a security concern:
Data Protection & Security Inquiries: legal@accomplicere.com
Accomplice Real Estate, LLC d/b/a AccompliceRE
Attn: Legal
720 Brazos Street, Floor 12, Austin, TX 78701