Legal

Data Processing Agreement

Effective March 28, 2026 · Version 1.1 · Incorporated into and part of the Terms of Service

This Data Processing Agreement (“DPA”) forms Part II of the Agreement between Accomplice Real Estate, LLC d/b/a AccompliceRE (“Company,” “Processor,” “Service Provider”) and Customer (“Controller,” “Business”). It governs how the Company processes Customer Data containing Personal Data on behalf of Customer in connection with the AccompliceRE platform. Capitalized terms not defined herein have the meanings given in the Terms of Service (Part I).

Section 13. Roles of the Parties and Legal Basis for Processing

13.1 Controller and Processor

With respect to any Personal Data contained within Customer Data processed through the Platform, Customer acts as the data controller (or “Business” under CCPA/CPRA) and the Company acts as the data processor (or “Service Provider” under CCPA/CPRA). The Company processes Personal Data only on behalf of Customer and in accordance with Customer's documented instructions as set forth in this DPA.

13.2 Customer as Controller

Customer represents and warrants that: (a) it has a lawful basis under Applicable Data Protection Laws for processing the Personal Data it submits to the Platform; (b) it has provided all required notices to, and obtained all required consents from, any natural persons whose Personal Data is included in Customer Data; and (c) Customer's instructions to the Company are lawful.

13.3 Company as Controller for Business Development Data

With respect to contact information of prospective customers collected and processed by the Company for its own direct business development purposes (“Prospect Data”), the Company acts as an independent data controller. Prospect Data is not Customer Data and is not processed on behalf of any Customer. The Company's processing of Prospect Data is governed by its Privacy Policy. Prospect Data includes names, email addresses, company names, job titles, geographic information, phone numbers, and communication engagement metrics collected in connection with the Company's business outreach activities. Where Prospect Data relates to individuals in the European Economic Area or United Kingdom, the Company relies on legitimate interest under GDPR Article 6(1)(f) as the legal basis for processing. The Company's obligations as controller of Prospect Data are further described in the Privacy Policy.

13.4 Purpose Limitation

The Company will process Personal Data within Customer Data solely for the following purposes:

  • Providing the Platform services, including AI extraction, financial modeling, and document analysis, as requested by Customer;
  • Storing and displaying Customer Data and Extracted Data to authorized Users;
  • Providing customer support in response to issues raised by Customer;
  • Maintaining, securing, debugging, and improving the Platform infrastructure;
  • Complying with applicable legal obligations;
  • Enforcing the terms of the Agreement, including investigating suspected violations.

The Company will not process Customer Data containing Personal Data for any purpose not enumerated above, including advertising directed at Customers based on Customer Data, consumer marketing profiling, data brokerage, model training, or sharing Customer Data with third parties except as expressly permitted in this DPA. This restriction applies to Customer Data only. The Company's processing of Prospect Data for its own business development purposes is governed by the Privacy Policy and is separate from this DPA.

Section 14. Data Handling Practices and Operator Access Policy

14.1 Platform Operator Access

Customer acknowledges and understands the following regarding the Company's technical capability to access Customer Data:

  • The Company, as the platform operator and administrator of the underlying infrastructure, maintains technical access to the environment in which Customer Data is stored.
  • Customer Data stored in the Company's database is encrypted at rest using AES-256-GCM encryption. Encryption key material is managed exclusively by AWS Key Management Service (KMS) on FIPS 140-2 validated hardware security modules. AWS access credentials are stored in the Company's server-side environment variables, separate from the database infrastructure.
  • Decrypting and accessing Customer Data requires a deliberate, affirmative technical act by an authorized Company employee. It is not passively accessible through ordinary platform operation.
  • Uploaded source documents (lease proposals, LOIs, and similar documents) are automatically and permanently deleted from the Company's storage systems immediately following completion of AI extraction processing. The Company does not retain copies of source documents beyond this immediate processing window.

Customer further understands that the Company's commitment not to access Customer Data without authorization is a contractual obligation governed by this DPA, not a technical impossibility. The encryption architecture creates meaningful practical barriers to unauthorized access and ensures that any access would be a deliberate, auditable act in violation of this Agreement.

14.2 Authorized Access Circumstances

The Company has designed the Platform so that no Company employee views, accesses, or decrypts Customer Data except under the limited circumstances enumerated below. All document processing is fully automated.

  • (a) Automated Service Delivery. Automated processing necessary to provide the Platform's features, including rendering analyses, generating reports, and executing the financial model. No human is involved in this processing.
  • (b) Customer-Directed Support. When Customer has submitted a support request, the Company will provide guidance through screen-sharing sessions or walkthroughs where Customer controls what data is visible. The Company will not independently access, view, or decrypt Customer Data to diagnose or resolve issues.
  • (c) Legally Compelled Disclosure. When required to comply with a valid and legally binding court order, subpoena, judicial process, or other lawful governmental request, subject to Section 14.3. The Company will notify Customer before complying to the extent permitted by law and will disclose only the minimum data required.
  • (d) Critical Security Incidents. When necessary to investigate or remediate a confirmed Security Incident that threatens the integrity or availability of Customer Data or the Platform. In such circumstances, the Company will access only system logs, error reports, and infrastructure-level metadata. If decryption of Customer Data becomes technically unavoidable to remediate the incident, Customer will be notified within 48 hours of such access.

14.3 Legal Process and Government Requests

If the Company receives a lawful governmental or regulatory request, subpoena, court order, or other legal process requiring access to or disclosure of Customer Data, the Company will: (a) promptly notify Customer of the request, to the extent permitted by applicable law; (b) cooperate with Customer's reasonable efforts to obtain a protective order or similar protection; and (c) disclose only the minimum amount of Customer Data required to comply with the applicable legal obligation.

14.4 Notification of Unauthorized Access

If any Company employee, contractor, or agent accesses Customer Data outside the authorized circumstances described in Section 14.2, the Company will: (a) immediately investigate and remediate the unauthorized access; (b) notify Customer within 48 hours of confirming the unauthorized access; and (c) provide Customer with a written summary of the nature and scope of the access and the remediation steps taken.

14.5 Internal Access Controls

The Company maintains the following internal controls governing access to Customer Data:

  • Access to the production database and encryption keys is limited to named Company personnel with a business need;
  • All administrative access to production systems is logged with timestamps, user identity, and nature of the access;
  • Access logs are retained for a minimum of 12 months;
  • Any access to Customer Data for purposes other than automated service delivery is subject to prior internal authorization;
  • Company employees and contractors with access to Customer Data are bound by confidentiality obligations no less restrictive than those in Section 6 of the Terms of Service.

14.6 Data Retention and Deletion

The Company retains Customer Data in accordance with the following schedule:

  • Source Documents (uploaded PDFs, DOCXs, etc.): Deleted immediately and permanently upon completion of AI extraction. No backup copies are retained.
  • Extracted Data (proposals table): Retained for the duration of the Subscription Term and for 30 days following termination or expiration, during which Customer may export its data. Deleted upon expiration of the export period or receipt of a valid deletion request from Customer, whichever is earlier.
  • Account and Billing Records: Retained for 7 years following termination of the Agreement, as required for financial recordkeeping compliance.
  • Access and Security Logs: Retained for 12 months.
  • Aggregated, De-identified Analytics: May be retained indefinitely, as such data is not Customer Data.

Upon Customer's written request, the Company will certify in writing that Customer Data has been deleted in accordance with this Section, except for data required to be retained by applicable law.

14.7 AI Processing — Anthropic API

The Platform's AI extraction feature transmits document text content directly to Anthropic's Claude API for processing. This architecture operates under the following data handling controls:

  • Anthropic processes all API requests under commercial API terms that explicitly prohibit using API content for model training, fine-tuning, or improving Anthropic's AI systems. Under Anthropic's standard commercial API data handling policy, API request and response inputs and outputs are automatically deleted within 30 days of receipt or generation.
  • Only the extracted text content of uploaded documents is transmitted to Anthropic. No account information, billing data, or other personal information of Users is included in AI processing requests. Uploaded source documents are permanently deleted from the Company's storage infrastructure immediately following extraction.
  • The Company enforces data minimization at the application layer by not storing, logging, or caching any AI request or response data beyond the immediate extraction processing window. Once extracted terms are encrypted and saved to the database, no copy of the raw AI request or response is retained anywhere in the Company's infrastructure.
  • The Platform's AI extraction features are designed as professional productivity tools that assist licensed commercial real estate professionals in analyzing lease documents. All AI-generated outputs require human review and validation prior to use. The Company has assessed its AI processing activities and determined they fall within the minimal risk category under applicable AI governance frameworks.

Section 15. Security Measures

15.1 Technical and Organizational Measures

The Company implements and maintains the following security measures, detailed in full in Exhibit B:

  • Application-Layer Encryption: Customer Data in the proposals table is encrypted using AES-256-GCM with a per-user encryption key managed by AWS Key Management Service (KMS). AWS credentials for KMS access are stored in server-side environment variables.
  • Supabase Platform-Level Encryption: Independent of and in addition to application-layer encryption, the Supabase PostgreSQL database independently encrypts all data at rest using AES-256. The Company's application-layer encryption key and Supabase's infrastructure-layer key are held by different parties.
  • Encryption in Transit: All data transmitted between Customer's browser and the Platform is encrypted using TLS 1.2 or higher. HSTS is enforced.

15.2 Updates to Security Measures

The Company may update its security measures from time to time. The Company will not reduce the overall level of security protection afforded to Customer Data without prior written notice and Customer's consent.

15.3 Vulnerability Management

The Company will use commercially reasonable efforts to identify and remediate security vulnerabilities in the Platform in a timely manner commensurate with the risk presented.

Section 16. Security Incident Notification

16.1 Notification Obligation

In the event of a confirmed Security Incident affecting Customer Data, the Company will notify Customer without undue delay and in no event later than 72 hours after the Company becomes aware of the Security Incident, to the extent notification within such timeframe is reasonably practicable.

16.2 Notification Content

The Company's Security Incident notification will include, to the extent available at the time of notification:

  • A description of the nature of the Security Incident, including the type of data involved;
  • The approximate date and time the Security Incident occurred and was discovered;
  • The approximate number of Customer records or individuals affected;
  • The likely consequences of the Security Incident;
  • Measures taken or proposed to address the Security Incident and mitigate its effects;
  • Contact information for the Company's designated point of contact for the incident.

16.3 Post-Incident Obligations

Following a Security Incident, the Company will: (a) conduct a prompt investigation and take reasonable steps to identify the root cause; (b) implement remediation measures to prevent recurrence; and (c) provide Customer with reasonable updates as additional information becomes available.

16.4 No Admission

The Company's notification of a Security Incident shall not constitute an admission of liability or fault by the Company.

Section 17. Subprocessors

17.1 Authorized Subprocessors

Customer provides general authorization for the Company to engage the Subprocessors listed in Exhibit A to process Customer Data in connection with providing the Platform. The Company will enter into written agreements with each Subprocessor that impose data protection obligations no less protective than those in this DPA.

17.2 Subprocessor Changes

The Company will provide at least 30 days' advance written notice to Customer of any addition or replacement of a Subprocessor. If Customer objects to a new Subprocessor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the Agreement without penalty with respect to the affected services.

Section 18. Data Subject Rights

18.1 Assistance with Requests

To the extent Customer Data contains Personal Data subject to data subject rights requests under Applicable Data Protection Laws, the Company will provide reasonable technical and organizational assistance to Customer to enable Customer to fulfill such requests. Customer, as the data controller, is responsible for responding to data subject rights requests.

18.2 Direct Requests

If the Company receives a data subject rights request directly from an individual regarding Customer Data, the Company will promptly forward the request to Customer without responding to it directly, unless legally required to do so.

18.3 Deletion Requests

The Company will delete or de-identify specific Customer Data records upon written request from Customer within 30 days, except where retention is required by applicable law.

Section 19. Audits and Compliance Verification

19.1 Audit Rights

No more than once per calendar year, and upon at least 30 days' prior written notice, Customer may request a written compliance assessment or audit of the Company's data processing practices under this DPA. Such audit will be conducted in a manner that does not unreasonably interfere with the Company's business operations.

19.2 Certifications

To the extent the Company obtains third-party security certifications or audit reports related to the Platform, the Company will provide Customer with reasonable access to relevant summary information upon request.

19.3 Cooperation

The Company will cooperate with Customer's reasonable compliance assessments and will provide information reasonably necessary for Customer to demonstrate compliance with Applicable Data Protection Laws.

19.4 Data Protection Impact Assessments

To the extent required by Applicable Data Protection Laws, the Company will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments under GDPR Article 35 and prior consultations with supervisory authorities under GDPR Article 36, where such assessments or consultations relate to the processing of Customer Data through the Platform.

Section 20. International Data Transfers

20.1 Processing Location

The Company's primary data processing facilities are located in the United States (AWS US East region, N. Virginia). By using the Platform, Customer agrees to the transfer and processing of Customer Data in the United States.

20.2 Cross-Border Transfers

To the extent any Customer Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or other countries not deemed to provide adequate data protection, the Company will ensure such transfers are made pursuant to appropriate safeguards, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other legally recognized transfer mechanisms.

Where Customer Data is transferred to PDFShift SAS, located in France (EU), such transfers are made pursuant to Standard Contractual Clauses in compliance with GDPR Chapter V.

20.3 GDPR Compatibility

This DPA is designed to be compatible with GDPR Article 28 requirements. Customers processing Personal Data of EEA residents should contact legal@accomplicere.com to discuss any additional documentation required for GDPR compliance.

Section 21. California Privacy Rights (CCPA/CPRA)

21.1 Service Provider Status

With respect to any Personal Data of California residents within Customer Data, the Company is acting as a “Service Provider” as that term is defined under the CCPA/CPRA. The Company will not: (a) sell or share Personal Data of California residents; (b) retain, use, or disclose Personal Data for any purpose other than the business purpose of providing the Platform; (c) retain, use, or disclose Personal Data outside the direct business relationship between the Company and Customer; or (d) combine Personal Data of California residents with personal information received from other sources.

21.2 Certification

The Company certifies that it understands the restrictions set forth in this Section 21 and will comply with them.

21.3 Notification of Inability to Comply

If the Company determines that it can no longer meet its obligations under the CCPA/CPRA with respect to Personal Data of California residents, the Company will promptly notify Customer. Upon such notification, Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.

Section 22. Texas Data Privacy and Security Act (TDPSA)

22.1 Compliance

The Company will process Personal Data of Texas residents in accordance with the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541 et seq., and any amendments thereto. The Company acts as a “processor” as defined under the TDPSA with respect to Personal Data it processes on behalf of Customer.

22.2 No Sale of Personal Data

The Company will not sell Personal Data of Texas residents, as “sale” is defined under the TDPSA.

Exhibit A — Authorized Subprocessors

The following third-party Subprocessors are currently authorized by Customer under this Agreement to process Customer Data in connection with the Platform:

| Subprocessor | Purpose | Processing Location |
| --- | --- | --- |
| Supabase, Inc. | Database hosting, authentication, and file storage | AWS US East (N. Virginia) |
| Vercel, Inc. | Application hosting and deployment | US (global CDN edge) |
| Anthropic, PBC | AI document extraction (Claude API) | United States |
| Amazon Web Services, Inc. (KMS) | Per-user encryption key management | AWS US East (N. Virginia) |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Cloudflare, Inc. | Bot protection (Turnstile) | Global |
| Upstash, Inc. | Rate limiting (Redis) | United States |
| PDFShift SAS | PDF rendering and report generation | France (EU) — transfers pursuant to SCCs |
| Google LLC | User authentication (OAuth 2.0); email reply detection for business outreach (Gmail API via domain-wide delegation, gmail.readonly scope) | United States |
| Logo.dev (Synthesia Limited) | Company logo retrieval for PDF reports and analysis display | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and application performance tracking | United States |
| Resend, Inc. | Transactional email delivery; business outreach email delivery and engagement tracking (opens, clicks, bounces, complaints) | United States |

Note: PDFShift SAS is located in France (EU). Transfers of Customer Data to PDFShift are made pursuant to Standard Contractual Clauses in compliance with GDPR Chapter V.

The Company maintains an updated subprocessor list at accomplicere.com/legal/dpa. Customers will be notified of changes per Section 17.2.

Exhibit B — Technical and Organizational Security Measures

The following security measures are implemented and maintained by Accomplice Real Estate, LLC d/b/a AccompliceRE to protect Customer Data processed through the Platform.

B.1 Encryption — Two Independent Layers

Extracted Data (the proposals table) benefits from two independent, stacked layers of AES-256 encryption at rest:

  • Layer 1 — Application-Layer Encryption (Key in AWS KMS): Customer Data is encrypted at the application layer using AES-256-GCM with a per-user encryption key managed by AWS Key Management Service (KMS) on FIPS 140-2 validated hardware security modules. AWS access credentials are stored in server-side environment variables and are not accessible to the database infrastructure provider.
  • Layer 2 — Supabase Platform Encryption (Key held by Supabase): The Supabase PostgreSQL database independently encrypts all data at rest using AES-256. The Supabase infrastructure-layer key is held and managed by Supabase independently of the Company.
  • Key Separation: The Company holds the application-layer key (Vercel). Supabase holds the infrastructure-layer key independently. A breach of one key store does not compromise both layers.
  • Data in Transit: All data transmitted between Customer's browser and the Platform, and all service-to-service communication, is encrypted using TLS 1.2 or higher. HSTS prevents protocol downgrade attacks.

B.2 Access Control

  • Row-Level Security (RLS): Database-level RLS policies are enforced on all Customer Data tables, ensuring that each query is hard-filtered to the requesting user's ID. No user can access another user's data through any application pathway.
  • Role-Based Access: The Platform implements a four-tier role hierarchy (super_admin, admin, broker, client) with permissions enforced at the database level via RLS policies.
  • Principle of Least Privilege: Company personnel are granted access to production systems only to the extent necessary for their job function.
  • Authentication: User authentication is provided via Google OAuth 2.0, Microsoft OAuth 2.0, and email/password. OAuth-based authentication methods eliminate credential database attack vectors for users who choose those options. Password-based authentication is protected by Supabase Auth's built-in security controls, including bcrypt hashing and brute-force protection.
  • Service Keys: The Supabase service role key is stored only in server-side Vercel environment variables and is never exposed to client-side code or included in public repositories.

B.3 Document Handling

  • Immediate Deletion of Source Documents: Uploaded documents are permanently deleted from Supabase Storage immediately upon completion of AI extraction. No copy is retained anywhere in the Company's infrastructure after extraction completes.
  • Scoped Storage Paths: During the extraction window, uploaded documents are stored at user-scoped paths ({userId}/filename). Storage RLS policies enforce that users can only read and write their own storage folder.

B.4 AI Processing Controls

  • AI API Architecture: All AI extraction requests are transmitted directly to Anthropic's Claude API under commercial API terms that prohibit using API content for model training.
  • Application-Layer Data Minimization: The Platform does not store, log, or cache any AI request or response data beyond the immediate extraction processing window. Once extracted terms are encrypted and saved to the database, no copy of the raw AI request or response is retained in the Company's infrastructure.
  • No Training on Customer Data: Anthropic does not use Customer Data transmitted through the AI processing path for training AI models. Anthropic's commercial API terms explicitly prohibit such use. API inputs and outputs are automatically deleted by Anthropic within 30 days.
  • Minimal Data Scope: Only the text content of uploaded documents is transmitted through the AI processing path. No account information, billing data, or personal information of Users is included in AI requests.

B.5 Infrastructure Security

  • Vercel Hosting: The Platform is hosted on Vercel (Pro plan), which provides DDoS protection, Web Application Firewall capabilities, and automated deployment security.
  • Database Hosting: The PostgreSQL database is hosted on Supabase on AWS US East (N. Virginia). Supabase provides infrastructure-level encryption, automated backups, and point-in-time recovery.
  • Environment Variable Security: All credentials, API keys, and encryption keys are stored in Vercel environment variables and are never committed to source code repositories or included in build artifacts.

B.6 Bot and Fraud Prevention

  • Cloudflare Turnstile: All signup, login, and authentication entry points are protected by Cloudflare Turnstile (privacy-preserving, no Google dependency).
  • Supabase Auth CAPTCHA: Supabase's authentication API is independently configured with CAPTCHA protection at the database infrastructure layer, providing defense in depth independent of the application layer.
  • Rate Limiting: All API routes touching the AI extraction pipeline and authentication endpoints are rate limited using Upstash Redis with a sliding-window algorithm. Upload routes are limited to 20 uploads per hour per user.
  • Stripe Radar: All payment transactions are processed through Stripe with Radar fraud rules enabled, including CVC verification and postal code matching.

B.7 Incident Response

  • Security Incident Procedures: The Company maintains internal procedures for detecting, investigating, and responding to Security Incidents, including escalation paths and notification timelines as described in Section 16.
  • Breach Notification: In the event of a confirmed Security Incident affecting Customer Data, Customer will be notified within 72 hours as described in Section 16.1.

B.8 Personnel Security

  • Confidentiality Obligations: All Company employees and contractors with access to production systems or Customer Data are bound by written confidentiality obligations covering Customer Data.
  • Access Logging: Administrative access to production systems is logged with timestamps and user identity. Logs are retained for 12 months.

Data Protection Contact

For data protection inquiries, to exercise data subject rights, or to report a security concern:

Data Protection & Security Inquiries: legal@accomplicere.com

Accomplice Real Estate, LLC d/b/a AccompliceRE
Attn: Legal
720 Brazos Street, Floor 12, Austin, TX 78701