Definitions
For purposes of this DPA, the following terms apply:
- Personal Data
- Any information relating to an identified or identifiable natural person.
- Processing
- Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Controller
- The entity determining the purposes and means of processing Personal Data (the Customer).
- Processor
- The entity processing Personal Data on behalf of the Controller (ArbiBase).
- Sub-processor
- Any third party engaged by ArbiBase to process Personal Data.
Roles of the parties
The Customer is the Controller of Personal Data uploaded or submitted to the Services. ArbiBase acts as a Processor solely for the purpose of providing the Services. ArbiBase does not determine independent purposes for processing Customer data beyond service operation.
Subject matter & duration
Subject matter
Processing necessary to: provide subscription-based platform access; store user-submitted data; facilitate verification workflows; provide customer support; and maintain system security.
Duration
Processing continues for the duration of the Customer's subscription and any lawful retention period thereafter, as described in our Privacy Policy.
Nature & purpose of processing
Processing activities
- Storage of account information
- Processing of contact data
- Display of property verification records
- Communication with platform users
- Security logging, backup, and recovery
- Technical support
Personal data categories
- Names, email addresses, phone numbers
- Business details and property-related data
- Communications and operator-submitted comps
Data subjects
- Operators, property owners, managers
- Employees and contractors of the Customer
Processor obligations
ArbiBase shall:
- Process Personal Data only on documented instructions from Customer
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist Customer in responding to data subject requests
- Assist Customer with applicable GDPR compliance obligations
- Notify Customer of Personal Data breaches without undue delay
- Delete or return Personal Data upon termination, subject to lawful retention requirements
Security measures
ArbiBase implements the following security measures:
- Encryption at rest
- AES-256 for all stored Personal Data.
- Encryption in transit
- TLS 1.2+ (HTTPS enforced across all endpoints).
- Access controls
- Role-based access controls; least-privilege principle enforced.
- Authentication
- Multi-factor authentication available for all accounts.
- Monitoring
- Automated alerting for anomalous activity; security logging.
- Patch management
- Regular security updates and infrastructure patches.
ArbiBase evaluates security practices periodically. No system is 100% secure, but commercially reasonable safeguards are maintained and continuously improved.
Sub-processors
ArbiBase engages the following Sub-processors to support service delivery. All Sub-processors are bound by contractual data protection obligations consistent with this DPA:
- Stripe
- Payment processing and fraud prevention
- Supabase
- Database and backend infrastructure
- HubSpot
- CRM and outreach
- AWS
- Hosting and storage infrastructure
- Cloudflare
- CDN, DDoS protection, and security
A complete list of Sub-processors may be provided upon written request to privacy@arbibase.com. ArbiBase will provide reasonable advance notice of material Sub-processor changes.
International data transfers
ArbiBase is based in the United States. If Personal Data subject to GDPR is transferred outside the European Economic Area or United Kingdom, ArbiBase will implement appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required by applicable law.
Data subject rights assistance
ArbiBase shall assist Customer, where technically feasible, in responding to data subject requests for:
- Access and portability
- Rectification of inaccurate data
- Erasure (right to be forgotten)
- Restriction of processing
- Objection to processing
Customer remains responsible for communicating with and responding to data subjects. ArbiBase provides the technical means to facilitate compliance.
Personal data breach
In the event of a confirmed Personal Data breach affecting Customer data, ArbiBase shall notify Customer without undue delay (and in any case within 72 hours of becoming aware, where GDPR applies), provide information reasonably necessary for Customer's own regulatory compliance, and take appropriate mitigation steps. Notification does not constitute an admission of fault or liability.
Deletion or return of data
Upon termination of Services, Customer may request deletion or return of Personal Data. ArbiBase will fulfill such requests within 30 days, subject to a 90-day export window. ArbiBase may retain data as required for legal compliance, accounting, fraud prevention, and dispute resolution as outlined in our Privacy Policy.
Audit rights
Where required by applicable law, Customer may request reasonable documentation demonstrating ArbiBase's compliance with this DPA. Audits must: be requested with reasonable advance notice; not disrupt operations; protect the confidentiality of ArbiBase's systems and other customers; and be limited to the relevant processing scope.
Limitation of liability
Liability under this DPA is subject to the limitation of liability provisions contained in the Terms of Service (§ 13). Neither party's aggregate liability under this DPA will exceed the amount paid by Customer in the three (3) months preceding the event giving rise to the claim, or US$500, whichever is greater.
Governing law
This DPA is governed by the law specified in the Terms of Service (State of Florida). Where GDPR applies, disputes may also be subject to mandatory EU legal requirements and applicable supervisory authority jurisdiction.
Updates
ArbiBase may update this DPA as required by changes in applicable law or operational practice. Material changes will be communicated via platform notice or email with at least 14 days' advance notice to active subscribers.
Contact
For data protection inquiries or to exercise rights under this DPA:
ArbiBase, LLC
1111b South Governors Ave STE 48151
Dover, DE 19904 US
privacy@arbibase.com
support@arbibase.com