This Data Processing Agreement (“DPA”) forms Part II of the Agreement between Accomplice Real Estate, LLC d/b/a AccompliceRE (“Company,” “Processor,” “Service Provider”) and Customer (“Controller,” “Business”). It governs how the Company processes Customer Data containing Personal Data on behalf of Customer in connection with the AccompliceRE platform. Capitalized terms not defined herein have the meanings given in the Terms of Service (Part I).
Section 13. Roles of the Parties and Legal Basis for Processing
13.1 Controller and Processor
With respect to any Personal Data contained within Customer Data processed through the Platform, Customer acts as the data controller (or “Business” under CCPA/CPRA) and the Company acts as the data processor (or “Service Provider” under CCPA/CPRA). The Company processes Personal Data only on behalf of Customer and in accordance with Customer's documented instructions as set forth in this DPA.
13.2 Customer as Controller
Customer represents and warrants that: (a) it has a lawful basis under Applicable Data Protection Laws for processing the Personal Data it submits to the Platform; (b) it has provided all required notices to, and obtained all required consents from, any natural persons whose Personal Data is included in Customer Data; and (c) Customer's instructions to the Company are lawful.
13.3 Purpose Limitation
The Company will process Personal Data within Customer Data solely for the following purposes:
- Providing the Platform services, including AI extraction, financial modeling, and document analysis, as requested by Customer;
- Storing and displaying Customer Data and Extracted Data to authorized Users;
- Providing customer support in response to issues raised by Customer;
- Maintaining, securing, debugging, and improving the Platform infrastructure;
- Complying with applicable legal obligations;
- Enforcing the terms of the Agreement, including investigating suspected violations.
The Company will not process Personal Data for any other purpose, including advertising, marketing, data brokerage, model training, or sharing with third parties except as expressly permitted in this DPA.
Section 14. Data Handling Practices and Operator Access Policy
14.1 Platform Operator Access
Customer acknowledges and understands the following regarding the Company's technical capability to access Customer Data:
- The Company, as the platform operator and administrator of the underlying infrastructure, maintains technical access to the environment in which Customer Data is stored.
- Customer Data stored in the Company's database is encrypted at rest using AES-256-GCM encryption. The encryption keys are stored in the Company's secure application environment (separate from the database) and are not accessible to the Company's database infrastructure provider.
- Decrypting and accessing Customer Data requires a deliberate, affirmative technical act by an authorized Company employee. It is not passively accessible through ordinary platform operation.
- Uploaded source documents (lease proposals, LOIs, and similar documents) are automatically and permanently deleted from the Company's storage systems immediately following completion of AI extraction processing. The Company does not retain copies of source documents beyond this immediate processing window.
Customer further understands that the Company's commitment not to access Customer Data without authorization is a contractual obligation governed by this DPA, not a technical impossibility. The encryption architecture creates meaningful practical barriers to unauthorized access and ensures that any access would be a deliberate, auditable act in violation of this Agreement.
14.2 Authorized Access Circumstances
The Company will access Customer Data (including decrypting Extracted Data) only under the following circumstances:
- Normal Service Delivery: Automated processing necessary to provide the Platform's features to Customer and its authorized Users, including rendering analyses, generating reports, and executing the financial model.
- Customer-Initiated Support: When Customer has submitted a support request and explicitly requested or consented to the Company reviewing specific data to diagnose or resolve an issue.
- Platform Maintenance and Security: When necessary to investigate, address, or remediate a Security Incident, vulnerability, or technical failure that may affect the integrity, availability, or security of Customer Data or the Platform.
- Legal Compliance: When required to comply with a valid and legally binding order, subpoena, judicial process, or other lawful governmental request, subject to Section 14.3.
- Terms of Service Enforcement: When the Company has a reasonable, good-faith basis to believe that specific Customer Data is directly implicated in a material violation of the Agreement or applicable law, and access is necessary to investigate such violation.
14.3 Legal Process and Government Requests
If the Company receives a lawful governmental or regulatory request, subpoena, court order, or other legal process requiring access to or disclosure of Customer Data, the Company will: (a) promptly notify Customer of the request, to the extent permitted by applicable law; (b) cooperate with Customer's reasonable efforts to obtain a protective order or similar protection; and (c) disclose only the minimum amount of Customer Data required to comply with the applicable legal obligation.
14.4 Notification of Unauthorized Access
If any Company employee, contractor, or agent accesses Customer Data outside the authorized circumstances described in Section 14.2, the Company will: (a) immediately investigate and remediate the unauthorized access; (b) notify Customer within 48 hours of confirming the unauthorized access; and (c) provide Customer with a written summary of the nature and scope of the access and the remediation steps taken.
14.5 Internal Access Controls
The Company maintains the following internal controls governing access to Customer Data:
- Access to the production database and encryption keys is limited to named Company personnel with a business need;
- All administrative access to production systems is logged with timestamps, user identity, and nature of the access;
- Access logs are retained for a minimum of 12 months;
- Any access to Customer Data for purposes other than automated service delivery is subject to prior internal authorization;
- Company employees and contractors with access to Customer Data are bound by confidentiality obligations no less restrictive than those in Section 6 of the Terms of Service.
14.6 Data Retention and Deletion
The Company retains Customer Data in accordance with the following schedule:
- Source Documents (uploaded PDFs, DOCXs, etc.): Deleted immediately and permanently upon completion of AI extraction. No backup copies are retained.
- Extracted Data (proposals table): Retained for the duration of the Subscription Term and for 30 days following termination or expiration, during which Customer may export its data. Deleted upon expiration of the export period or receipt of a valid deletion request from Customer, whichever is earlier.
- Account and Billing Records: Retained for 7 years following termination of the Agreement, as required for financial recordkeeping compliance.
- Access and Security Logs: Retained for 12 months.
- Aggregated, De-identified Analytics: May be retained indefinitely, as such data is not Customer Data.
Upon Customer's written request, the Company will certify in writing that Customer Data has been deleted in accordance with this Section, except for data required to be retained by applicable law.
14.7 AI Processing — Anthropic API
The Platform's AI extraction feature transmits document text content directly to Anthropic's Claude API for processing. This architecture operates under the following data handling controls:
- Anthropic processes all API requests under commercial API terms that explicitly prohibit using API content for model training, fine-tuning, or improving Anthropic's AI systems. Under Anthropic's standard commercial API data handling policy, API request and response inputs and outputs are automatically deleted within 30 days of receipt or generation.
- Only the extracted text content of uploaded documents is transmitted to Anthropic. No account information, billing data, or other personal information of Users is included in AI processing requests. Uploaded source documents are permanently deleted from the Company's storage infrastructure immediately following extraction.
- The Company enforces data minimization at the application layer by not storing, logging, or caching any AI request or response data beyond the immediate extraction processing window. Once extracted terms are encrypted and saved to the database, no copy of the raw AI request or response is retained anywhere in the Company's infrastructure.
- The Platform's AI extraction features are designed as professional productivity tools that assist licensed commercial real estate professionals in analyzing lease documents. All AI-generated outputs require human review and validation prior to use. The Company has assessed its AI processing activities and determined they fall within the minimal risk category under applicable AI governance frameworks.
Section 15. Security Measures
15.1 Technical and Organizational Measures
The Company implements and maintains the following security measures, detailed in full in Exhibit B:
- Application-Layer Encryption: Customer Data in the proposals table is encrypted using AES-256-GCM with a per-user encryption key managed through the Company's application layer, stored in Vercel environment variables.
- Supabase Platform-Level Encryption: Independent of and in addition to application-layer encryption, the Supabase PostgreSQL database encrypts all data at rest using AES-256. The Company's application-layer encryption key and Supabase's infrastructure-layer key are held by different parties.
- Encryption in Transit: All data transmitted between Customer's browser and the Platform is encrypted using TLS 1.2 or higher. HSTS is enforced.
15.2 Updates to Security Measures
The Company may update its security measures from time to time. The Company will not reduce the overall level of security protection afforded to Customer Data without prior written notice and Customer's consent.
15.3 Vulnerability Management
The Company will use commercially reasonable efforts to identify and remediate security vulnerabilities in the Platform in a timely manner commensurate with the risk presented.
Section 16. Security Incident Notification
16.1 Notification Obligation
In the event of a confirmed Security Incident affecting Customer Data, the Company will notify Customer without undue delay and in no event later than 72 hours after the Company becomes aware of the Security Incident, to the extent notification within such timeframe is reasonably practicable.
16.2 Notification Content
The Company's Security Incident notification will include, to the extent available at the time of notification:
- A description of the nature of the Security Incident, including the type of data involved;
- The approximate date and time the Security Incident occurred and was discovered;
- The approximate number of Customer records or individuals affected;
- The likely consequences of the Security Incident;
- Measures taken or proposed to address the Security Incident and mitigate its effects;
- Contact information for the Company's designated point of contact for the incident.
16.3 Post-Incident Obligations
Following a Security Incident, the Company will: (a) conduct a prompt investigation and take reasonable steps to identify the root cause; (b) implement remediation measures to prevent recurrence; and (c) provide Customer with reasonable updates as additional information becomes available.
16.4 No Admission
The Company's notification of a Security Incident shall not constitute an admission of liability or fault by the Company.
Section 17. Subprocessors
17.1 Authorized Subprocessors
Customer provides general authorization for the Company to engage the Subprocessors listed in Exhibit A to process Customer Data in connection with providing the Platform. The Company will enter into written agreements with each Subprocessor that impose data protection obligations no less protective than those in this DPA.
17.2 Subprocessor Changes
The Company will provide at least 30 days' advance written notice to Customer of any addition or replacement of a Subprocessor. If Customer objects to a new Subprocessor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the Agreement without penalty with respect to the affected services.
Section 18. Data Subject Rights
18.1 Assistance with Requests
To the extent Customer Data contains Personal Data subject to data subject rights requests under Applicable Data Protection Laws, the Company will provide reasonable technical and organizational assistance to Customer to enable Customer to fulfill such requests. Customer, as the data controller, is responsible for responding to data subject rights requests.
18.2 Direct Requests
If the Company receives a data subject rights request directly from an individual regarding Customer Data, the Company will promptly forward the request to Customer without responding to it directly, unless legally required to do so.
18.3 Deletion Requests
The Company will delete or de-identify specific Customer Data records upon written request from Customer within 30 days, except where retention is required by applicable law.
Section 19. Audits and Compliance Verification
19.1 Audit Rights
No more than once per calendar year, and upon at least 30 days' prior written notice, Customer may request a written compliance assessment or audit of the Company's data processing practices under this DPA. Such audit will be conducted in a manner that does not unreasonably interfere with the Company's business operations.
19.2 Certifications
To the extent the Company obtains third-party security certifications or audit reports related to the Platform, the Company will provide Customer with reasonable access to relevant summary information upon request.
19.3 Cooperation
The Company will cooperate with Customer's reasonable compliance assessments and will provide information reasonably necessary for Customer to demonstrate compliance with Applicable Data Protection Laws.
Section 20. International Data Transfers
20.1 Processing Location
The Company's primary data processing facilities are located in the United States (AWS US East region, N. Virginia). By using the Platform, Customer agrees to the transfer and processing of Customer Data in the United States.
20.2 Cross-Border Transfers
To the extent any Customer Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or other countries not deemed to provide adequate data protection, the Company will ensure such transfers are made pursuant to appropriate safeguards, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other legally recognized transfer mechanisms.
Where Customer Data is transferred to PDFShift SAS, located in France (EU), such transfers are made pursuant to Standard Contractual Clauses in compliance with GDPR Chapter V.
20.3 GDPR Compatibility
This DPA is designed to be compatible with GDPR Article 28 requirements. Customers processing Personal Data of EEA residents should contact legal@accomplicere.com to discuss any additional documentation required for GDPR compliance.
Section 21. California Privacy Rights (CCPA/CPRA)
21.1 Service Provider Status
With respect to any Personal Data of California residents within Customer Data, the Company is acting as a “Service Provider” as that term is defined under the CCPA/CPRA. The Company will not: (a) sell or share Personal Data of California residents; (b) retain, use, or disclose Personal Data for any purpose other than the business purpose of providing the Platform; (c) retain, use, or disclose Personal Data outside the direct business relationship between the Company and Customer; or (d) combine Personal Data of California residents with personal information received from other sources.
21.2 Certification
The Company certifies that it understands the restrictions set forth in this Section 21 and will comply with them.
Section 22. Texas Data Privacy and Security Act (TDPSA)
22.1 Compliance
The Company will process Personal Data of Texas residents in accordance with the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541 et seq., and any amendments thereto. The Company acts as a “processor” as defined under the TDPSA with respect to Personal Data it processes on behalf of Customer.
22.2 No Sale of Personal Data
The Company will not sell Personal Data of Texas residents, as “sale” is defined under the TDPSA.
Exhibit A — Authorized Subprocessors
The following third-party Subprocessors are currently authorized by Customer under this Agreement to process Customer Data in connection with the Platform:
| Subprocessor | Purpose | Processing Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and file storage | AWS US East (N. Virginia) |
| Vercel, Inc. | Application hosting and deployment | US (global CDN edge) |
| Anthropic, PBC | AI document extraction (Claude API) | United States |
| Amazon Web Services, Inc. (KMS) | Per-user encryption key management | AWS US East (N. Virginia) |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Cloudflare, Inc. | Bot protection (Turnstile) | Global |
| Upstash, Inc. | Rate limiting (Redis) | United States |
| PDFShift SAS | PDF rendering and report generation | France (EU) — transfers pursuant to SCCs |
| Google LLC | User authentication (OAuth 2.0) | United States |
| Logo.dev (Synthesia Limited) | Company logo retrieval for PDF reports and analysis display | United States |
Note: PDFShift SAS is located in France (EU). Transfers of Customer Data to PDFShift are made pursuant to Standard Contractual Clauses in compliance with GDPR Chapter V.
The Company maintains an updated subprocessor list at accomplicere.com/legal/dpa. Customers will be notified of changes per Section 17.2.
Exhibit B — Technical and Organizational Security Measures
The following security measures are implemented and maintained by Peddie Holdings LLC d/b/a AccompliceRE to protect Customer Data processed through the Platform.
B.1 Encryption — Two Independent Layers
Extracted Data (the proposals table) benefits from two independent, stacked layers of AES-256 encryption at rest:
- Layer 1 — Application-Layer Encryption (Key in Vercel): Customer Data is encrypted at the application layer using AES-256-GCM with a per-user encryption key managed by AWS Key Management Service (KMS). The application-layer key is stored in Vercel environment variables and is not accessible to the database infrastructure provider.
- Layer 2 — Supabase Platform Encryption (Key held by Supabase): The Supabase PostgreSQL database independently encrypts all data at rest using AES-256. The Supabase infrastructure-layer key is held and managed by Supabase independently of the Company.
- Key Separation: The Company holds the application-layer key (Vercel). Supabase holds the infrastructure-layer key independently. A breach of one key store does not compromise both layers.
- Data in Transit: All data transmitted between Customer's browser and the Platform, and all service-to-service communication, is encrypted using TLS 1.2 or higher. HSTS prevents protocol downgrade attacks.
B.2 Access Control
- Row-Level Security (RLS): Database-level RLS policies are enforced on all Customer Data tables, ensuring that each query is hard-filtered to the requesting user's ID. No user can access another user's data through any application pathway.
- Role-Based Access: The Platform implements a four-tier role hierarchy (super_admin, admin, broker, client) with permissions enforced at the database level via RLS policies.
- Principle of Least Privilege: Company personnel are granted access to production systems only to the extent necessary for their job function.
- Authentication: User authentication is provided via Google OAuth 2.0. Password-based authentication is not supported, eliminating credential database attack vectors.
- Service Keys: The Supabase service role key is stored only in server-side Vercel environment variables and is never exposed to client-side code or included in public repositories.
B.3 Document Handling
- Immediate Deletion of Source Documents: Uploaded documents are permanently deleted from Supabase Storage immediately upon completion of AI extraction. No copy is retained anywhere in the Company's infrastructure after extraction completes.
- Scoped Storage Paths: During the extraction window, uploaded documents are stored at user-scoped paths ({userId}/filename). Storage RLS policies enforce that users can only read and write their own storage folder.
B.4 AI Processing Controls
- AI API Architecture: All AI extraction requests are transmitted directly to Anthropic's Claude API under commercial API terms that prohibit using API content for model training.
- Application-Layer Data Minimization: The Platform does not store, log, or cache any AI request or response data beyond the immediate extraction processing window. Once extracted terms are encrypted and saved to the database, no copy of the raw AI request or response is retained in the Company's infrastructure.
- No Training on Customer Data: Anthropic does not use Customer Data transmitted through the AI processing path for training AI models. Anthropic's commercial API terms explicitly prohibit such use. API inputs and outputs are automatically deleted by Anthropic within 30 days.
- Minimal Data Scope: Only the text content of uploaded documents is transmitted through the AI processing path. No account information, billing data, or personal information of Users is included in AI requests.
B.5 Infrastructure Security
- Vercel Hosting: The Platform is hosted on Vercel (Pro plan), which provides DDoS protection, Web Application Firewall capabilities, and automated deployment security.
- Database Hosting: The PostgreSQL database is hosted on Supabase on AWS US East (N. Virginia). Supabase provides infrastructure-level encryption, automated backups, and point-in-time recovery.
- Environment Variable Security: All credentials, API keys, and encryption keys are stored in Vercel environment variables and are never committed to source code repositories or included in build artifacts.
B.6 Bot and Fraud Prevention
- Cloudflare Turnstile: All signup, login, and authentication entry points are protected by Cloudflare Turnstile (privacy-preserving, no Google dependency).
- Supabase Auth CAPTCHA: Supabase's authentication API is independently configured with CAPTCHA protection at the database infrastructure layer, providing defense in depth independent of the application layer.
- Rate Limiting: All API routes touching the AI extraction pipeline and authentication endpoints are rate limited using Upstash Redis with a sliding-window algorithm. Upload routes are limited to 20 uploads per hour per user.
- Stripe Radar: All payment transactions are processed through Stripe with Radar fraud rules enabled, including CVC verification and postal code matching.
B.7 Incident Response
- Security Incident Procedures: The Company maintains internal procedures for detecting, investigating, and responding to Security Incidents, including escalation paths and notification timelines as described in Section 16.
- Breach Notification: In the event of a confirmed Security Incident affecting Customer Data, Customer will be notified within 72 hours as described in Section 16.1.
B.8 Personnel Security
- Confidentiality Obligations: All Company employees and contractors with access to production systems or Customer Data are bound by written confidentiality obligations covering Customer Data.
- Access Logging: Administrative access to production systems is logged with timestamps and user identity. Logs are retained for 12 months.
Data Protection Contact
For data protection inquiries, to exercise data subject rights, or to report a security concern:
Data Protection & Security Inquiries: legal@accomplicere.com
Accomplice Real Estate, LLC d/b/a AccompliceRE