Issue 08/Legal/Data Processing Addendum

How we process your data.

This DPA governs how ArbiBase handles personal data on behalf of customers subject to GDPR, UK GDPR, or similar laws. It forms part of our Terms of Service and controls on data protection matters where conflicts arise.

Plain-English Summary
  1. 01
    You control. We process.

    You are the Controller. ArbiBase is the Processor. We only act on your documented instructions.

  2. 02
    Security is built in.

    AES-256 at rest, TLS 1.2+ in transit, role-based access, and monitoring. No system is 100% secure, but we're close.

  3. 03
    Sub-processors are contractually bound.

    Stripe, Supabase, HubSpot, AWS, Cloudflare. All under written DPA-equivalent agreements.

  4. 04
    Breaches are reported fast.

    We notify you without undue delay. We include scope, categories, and mitigation steps.

  5. 05
    Data subject requests: we assist.

    Access, rectification, erasure, portability, restriction. You respond; we provide the technical legwork.

  6. 06
    Cross-border: SCCs in place.

    EEA/UK data transferred to the US under Standard Contractual Clauses or equivalent mechanisms.

§ 01

Definitions

For purposes of this DPA, the following terms apply:

Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
Controller
The entity determining the purposes and means of processing Personal Data (the Customer).
Processor
The entity processing Personal Data on behalf of the Controller (ArbiBase).
Sub-processor
Any third party engaged by ArbiBase to process Personal Data.
§ 02

Roles of the parties

The Customer is the Controller of Personal Data uploaded or submitted to the Services. ArbiBase acts as a Processor solely for the purpose of providing the Services. ArbiBase does not determine independent purposes for processing Customer data beyond service operation.

§ 03

Subject matter & duration

Subject matter

Processing necessary to: provide subscription-based platform access; store user-submitted data; facilitate verification workflows; provide customer support; and maintain system security.

Duration

Processing continues for the duration of the Customer's subscription and any lawful retention period thereafter, as described in our Privacy Policy.

§ 04

Nature & purpose of processing

Processing activities

  • Storage of account information
  • Processing of contact data
  • Display of property verification records
  • Communication with platform users
  • Security logging, backup, and recovery
  • Technical support

Personal data categories

  • Names, email addresses, phone numbers
  • Business details and property-related data
  • Communications and operator-submitted comps

Data subjects

  • Operators, property owners, managers
  • Employees and contractors of the Customer
§ 05

Processor obligations

ArbiBase shall:

  • Process Personal Data only on documented instructions from Customer
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Customer in responding to data subject requests
  • Assist Customer with applicable GDPR compliance obligations
  • Notify Customer of Personal Data breaches without undue delay
  • Delete or return Personal Data upon termination, subject to lawful retention requirements
§ 06

Security measures

ArbiBase implements the following security measures:

Encryption at rest
AES-256 for all stored Personal Data.
Encryption in transit
TLS 1.2+ (HTTPS enforced across all endpoints).
Access controls
Role-based access controls; least-privilege principle enforced.
Authentication
Multi-factor authentication available for all accounts.
Monitoring
Automated alerting for anomalous activity; security logging.
Patch management
Regular security updates and infrastructure patches.

ArbiBase evaluates security practices periodically. No system is 100% secure, but commercially reasonable safeguards are maintained and continuously improved.

§ 07

Sub-processors

ArbiBase engages the following Sub-processors to support service delivery. All Sub-processors are bound by contractual data protection obligations consistent with this DPA:

Stripe
Payment processing and fraud prevention
Supabase
Database and backend infrastructure
HubSpot
CRM and outreach
AWS
Hosting and storage infrastructure
Cloudflare
CDN, DDoS protection, and security

A complete list of Sub-processors may be provided upon written request to privacy@arbibase.com. ArbiBase will provide reasonable advance notice of material Sub-processor changes.

§ 08

International data transfers

ArbiBase is based in the United States. If Personal Data subject to GDPR is transferred outside the European Economic Area or United Kingdom, ArbiBase will implement appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required by applicable law.

§ 09

Data subject rights assistance

ArbiBase shall assist Customer, where technically feasible, in responding to data subject requests for:

  • Access and portability
  • Rectification of inaccurate data
  • Erasure (right to be forgotten)
  • Restriction of processing
  • Objection to processing

Customer remains responsible for communicating with and responding to data subjects. ArbiBase provides the technical means to facilitate compliance.

§ 10

Personal data breach

In the event of a confirmed Personal Data breach affecting Customer data, ArbiBase shall notify Customer without undue delay (and in any case within 72 hours of becoming aware, where GDPR applies), provide information reasonably necessary for Customer's own regulatory compliance, and take appropriate mitigation steps. Notification does not constitute an admission of fault or liability.

§ 11

Deletion or return of data

Upon termination of Services, Customer may request deletion or return of Personal Data. ArbiBase will fulfill such requests within 30 days, subject to a 90-day export window. ArbiBase may retain data as required for legal compliance, accounting, fraud prevention, and dispute resolution as outlined in our Privacy Policy.

§ 12

Audit rights

Where required by applicable law, Customer may request reasonable documentation demonstrating ArbiBase's compliance with this DPA. Audits must: be requested with reasonable advance notice; not disrupt operations; protect the confidentiality of ArbiBase's systems and other customers; and be limited to the relevant processing scope.

§ 13

Limitation of liability

Liability under this DPA is subject to the limitation of liability provisions contained in the Terms of Service (§ 13). Neither party's aggregate liability under this DPA will exceed the amount paid by Customer in the three (3) months preceding the event giving rise to the claim, or US$500, whichever is greater.

§ 14

Governing law

This DPA is governed by the law specified in the Terms of Service (State of Florida). Where GDPR applies, disputes may also be subject to mandatory EU legal requirements and applicable supervisory authority jurisdiction.

§ 15

Updates

ArbiBase may update this DPA as required by changes in applicable law or operational practice. Material changes will be communicated via platform notice or email with at least 14 days' advance notice to active subscribers.

§ 16

Contact

For data protection inquiries or to exercise rights under this DPA:

ArbiBase, LLC
1111b South Governors Ave STE 48151
Dover, DE 19904 US
privacy@arbibase.com
support@arbibase.com

Data processing

We process. You control.

Questions about how ArbiBase handles your data as a processor, or need a signed DPA for enterprise purposes? Contact our privacy team.

Revision history

  • 2026-05-01v2.0 · Full editorial redesign. Added named sub-processor list, 72-hour breach notification, and AES-256 security detail.
  • 2025-10-14v1.1 · Added Supabase as named sub-processor. Updated SCC transfer language.
  • 2025-06-01v1.0 · Initial release.