Data Processing Agreement
This DPA is incorporated by reference into the Master Services Agreement and Terms of Service between CT Software, LLC and the Customer.
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service (the "Agreement") between Customer and Arcova for the provision of the Arcova OS platform (the "Service"). In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
1. Definitions
1.1 "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the performance of this DPA, including, where applicable, the California Consumer Privacy Act (CCPA), state-level privacy statutes, and the EU General Data Protection Regulation (GDPR) to the extent it applies to the parties.
1.2 "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. Under this DPA, the Customer is the Controller.
1.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed under this DPA.
1.4 "Personal Data" means any information relating to a Data Subject that is Processed by Arcova on behalf of the Customer in connection with the Service, as further described in Schedule 1.
1.5 "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.6 "Processor" means the entity that Processes Personal Data on behalf of the Controller. Under this DPA, Arcova is the Processor.
1.7 "Subprocessor" means any third party engaged by Arcova to Process Personal Data on behalf of the Customer in connection with the Service.
1.8 "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Arcova or its Subprocessors.
1.9 "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission (or other competent authority) for the transfer of Personal Data to countries not recognized as providing adequate data protection, as may become applicable in the future.
2. Scope and Purpose of Processing
2.1 Arcova Processes Personal Data solely on behalf of the Customer and in accordance with the Customer's documented instructions as set forth in this DPA, the Agreement, and any subsequent written instructions agreed upon by the parties.
2.2 The purpose of Processing is to provide the Service, which includes security workforce management capabilities such as employee management, scheduling and rostering, attendance and time tracking, billing and invoicing, incident reporting, training management, community portal operations, AI-assisted operational tools, and related analytics.
2.3 Arcova shall not Process Personal Data for any purpose other than as specified in this DPA or as required by Applicable Data Protection Law. If Arcova is required by law to Process Personal Data for another purpose, Arcova shall inform the Customer of that legal requirement before Processing, unless prohibited by law from doing so.
3. Types of Personal Data Processed
The following categories of Personal Data may be Processed under this DPA, depending on the Customer's use of the Service:
3.1 Employee and Guard Identity Data
- Full name, date of birth, gender
- Government-issued identification numbers (as provided by Customer)
- Photographs and profile images
3.2 Employee Contact Information
- Residential address, mailing address
- Phone numbers (mobile, home)
- Personal and work email addresses
- Emergency contact names, relationships, and phone numbers
3.3 Employment and Compensation Data
- Job title, role, department, assigned sites
- Hourly rates, salary information, pay structure
- Employment start and end dates
- Employment status (active, inactive, terminated)
3.4 Background and Credential Data
- Background check status and completion dates
- Professional licenses and certifications
- License numbers, issuing authorities, expiration dates
- Training completion records and scores
3.5 GPS and Location Data
- Clock-in and clock-out location coordinates
- Patrol route tracking data
- Geofence entry and exit events
- Location timestamps associated with duty activities
3.6 Attendance and Time Records
- Shift schedules and assignments
- Clock-in/out timestamps
- Overtime records
- Absence and leave records
- Break periods
3.7 Incident and Operational Records
- Incident reports (descriptions, locations, timestamps, involved parties)
- Daily activity reports
- Post orders and instructions
- Patrol completion records
- Uploaded photographs and documents related to incidents
3.8 Billing and Financial Data
- Invoice records, billing rates, payment history
- Client billing configurations
3.9 AI Interaction Data
- Chat messages and queries submitted to the AI assistant (IRIS)
- AI-generated responses
- Contextual data provided to AI models (after PII masking, as described in Section 14)
3.10 System and Authentication Data
- Usernames, hashed passwords
- Multi-factor authentication tokens
- Session data, IP addresses, browser/device information
- Audit log entries (actions performed, timestamps, user attribution)
3.11 Community Portal Data (where applicable)
- Visitor registration information
- Vehicle information (make, model, license plate)
- Access credentials and gate codes
- Resident or unit association data
4. Categories of Data Subjects
Personal Data Processed under this DPA may relate to the following categories of Data Subjects:
- Employees and Security Guards employed or contracted by the Customer
- Administrative Users of the Customer's organization
- Client Contacts of the Customer's end clients
- Students and Trainees enrolled in training programs
- Instructors and Trainers delivering training content
- Community Portal Users including residents and property managers
- Visitors registered through community or site access systems
5. Duration of Processing
5.1 Arcova shall Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
5.2 Upon termination or expiration of the Agreement, Arcova shall handle Personal Data in accordance with Section 13 (Return and Deletion of Data).
6. Obligations of the Processor (Arcova)
Arcova shall:
6.1 Process on Instructions. Process Personal Data only on the documented instructions of the Customer, including with respect to transfers of Personal Data outside the United States, unless required to do so by Applicable Data Protection Law.
6.2 Confidentiality. Ensure that all personnel authorized to Process Personal Data are bound by contractual or statutory obligations of confidentiality.
6.3 Security. Implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, as described in Section 9.
6.4 Subprocessor Management. Engage Subprocessors only in accordance with Section 8 and impose data protection obligations on each Subprocessor that are no less protective than those in this DPA.
6.5 Data Subject Requests. Assist the Customer, taking into account the nature of the Processing, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, as described in Section 11.
6.6 Security Incident Notification. Notify the Customer of any Security Incident in accordance with Section 10.
6.7 Data Protection Impact Assessments. Provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, where required under Applicable Data Protection Law, to the extent that the Customer cannot fulfill such obligations independently using information available through the Service.
6.8 Deletion and Return. Delete or return all Personal Data upon termination of the Agreement in accordance with Section 13.
6.9 Audit. Make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and allow for audits as described in Section 12.
6.10 Inform of Conflicting Instructions. Promptly inform the Customer if, in Arcova's opinion, an instruction from the Customer infringes Applicable Data Protection Law.
7. Obligations of the Controller (Customer)
The Customer shall:
7.1 Lawful Basis. Ensure that there is a lawful basis for the Processing of Personal Data instructed by the Customer, including any required consents, notices, or authorizations.
7.2 Data Accuracy. Be responsible for the accuracy, quality, and legality of Personal Data provided to Arcova.
7.3 Instructions. Provide Processing instructions that comply with Applicable Data Protection Law.
7.4 GPS and Location Data Consent. Where the Customer enables GPS tracking, geofence validation, patrol tracking, or other location-based features of the Service:
- (a) The Customer acknowledges that it is the Controller determining the purposes and means of collecting and Processing employee location data.
- (b) The Customer is solely responsible for providing adequate notice to its employees and, where required by Applicable Data Protection Law, obtaining valid consent for the collection and Processing of GPS and location data.
- (c) The Customer shall maintain records of such notices and consents and make them available to Arcova upon request.
- (d) Arcova Processes GPS and location data solely as instructed by the Customer through the Customer's configuration and use of the Service. Arcova does not independently determine when or how location data is collected from the Customer's employees.
7.5 Employee Notification. Inform its employees and other Data Subjects, as required by Applicable Data Protection Law, about the Processing of their Personal Data through the Service, including the categories of data collected and the purposes of Processing.
7.6 Compliance. Comply with its obligations under Applicable Data Protection Law as they relate to the Customer's use of the Service and the Processing of Personal Data.
8. Subprocessor Management
8.1 Authorized Subprocessors. The Customer provides general authorization for Arcova to engage Subprocessors to Process Personal Data on behalf of the Customer. The current list of Subprocessors is maintained as a separate document referenced in this DPA (the "Subprocessor List") and is available at the Subprocessor List page or upon request to [email protected].
8.2 Obligations on Subprocessors. Arcova shall impose data protection obligations on each Subprocessor by way of a written agreement that provides at least the same level of protection as this DPA.
8.3 Notice of Changes. Arcova shall notify the Customer at least thirty (30) days before engaging a new Subprocessor or replacing an existing Subprocessor. Notification shall be sent to the email address of the Customer's account administrator on file.
8.4 Right to Object. The Customer may object to the engagement of a new or replacement Subprocessor by notifying Arcova in writing within fifteen (15) days of receiving notice. The objection must state reasonable grounds relating to data protection. Upon receipt of an objection, Arcova shall:
- (a) Make commercially reasonable efforts to address the Customer's concerns and provide a reasonable alternative;
- (b) If the parties cannot reach a resolution within thirty (30) days of the objection, either party may terminate the affected portion of the Service (or the Agreement in its entirety if the Subprocessor is integral to the Service) without penalty.
8.5 Liability. Arcova shall remain fully liable to the Customer for the performance of each Subprocessor's obligations under this DPA.
9. Security Measures
9.1 Arcova shall implement and maintain technical and organizational security measures appropriate to the risk, including:
Encryption
- Encryption at rest using AES-256-CBC for sensitive data fields
- Encryption in transit using TLS 1.2 or higher for all data transmissions between the Service and end users, and between the Service and Subprocessors
Access Controls
- Role-Based Access Control (RBAC) with granular permission assignments
- Multi-Factor Authentication (MFA) available for all user accounts
- Session management with configurable timeouts and concurrent session controls
- Unique user credentials; no shared accounts
Multi-Tenant Isolation
- Logical data separation ensuring that each Customer's data is isolated from other Customers' data
- Tenant-scoped database queries enforced at the application layer
Audit Logging
- Comprehensive audit trails recording user actions, timestamps, and affected records
- Logs protected against tampering and accessible to authorized personnel only
Infrastructure Security
- Regular security patching and updates
- Network segmentation and firewall protections
- Secure software development practices
Personnel Security
- Background checks for personnel with access to Customer Personal Data (where legally permissible)
- Mandatory confidentiality obligations for all personnel
- Security awareness training
9.2 Arcova shall periodically review and update its security measures to address evolving threats, provided that such updates shall not materially decrease the overall level of protection.
10. Security Incident Notification
10.1 Notification Timeline. Arcova shall notify the Customer of any confirmed Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the Security Incident.
10.2 Content of Notification. The notification shall include, to the extent reasonably available:
- (a) A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected;
- (b) The name and contact details of Arcova's point of contact for further information;
- (c) A description of the likely consequences of the Security Incident;
- (d) A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its potential adverse effects.
10.3 Supplemental Information. If it is not possible to provide all information at the time of initial notification, Arcova shall provide the information in phases without further undue delay as it becomes available.
10.4 Cooperation. Arcova shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Security Incident.
10.5 Notification Not an Admission. Arcova's notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment of fault or liability.
10.6 Customer Obligations. The Customer is solely responsible for determining whether a Security Incident triggers any notification obligations to Data Subjects, regulators, or other third parties under Applicable Data Protection Law, and for fulfilling any such obligations.
11. Data Subject Rights Assistance
11.1 Arcova shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligations to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
11.2 If Arcova receives a request directly from a Data Subject, Arcova shall promptly redirect the Data Subject to the Customer and notify the Customer of the request, unless otherwise required by law.
11.3 The Customer shall be responsible for responding to Data Subject requests. Arcova shall provide reasonable assistance at the Customer's expense if such assistance requires significant effort beyond the standard functionality of the Service.
12. Audit Rights
12.1 Right to Audit. The Customer may audit Arcova's compliance with this DPA up to once per twelve (12) month period, subject to the following conditions:
- (a) The Customer shall provide at least thirty (30) days' prior written notice of its intent to audit;
- (b) Audits shall be conducted during Arcova's normal business hours;
- (c) Audits shall not unreasonably interfere with Arcova's business operations;
- (d) The Customer shall bear the costs of any audit, including any fees for third-party auditors;
- (e) The auditor shall execute a confidentiality agreement with Arcova prior to commencing the audit.
12.2 SOC 2 Reports. Where Arcova obtains a SOC 2 Type II report (or equivalent third-party certification), the Customer agrees to accept such report as satisfaction of its audit rights under this Section for the period covered by the report, unless the Customer can demonstrate that an additional audit is reasonably necessary due to a specific Security Incident or credible evidence of non-compliance.
12.3 Audit Scope. Audits shall be limited to Arcova's Processing of the Customer's Personal Data and compliance with this DPA. Arcova shall not be required to disclose information relating to other customers or proprietary systems unrelated to the Processing.
13. Return and Deletion of Data
13.1 Termination Period. Upon termination or expiration of the Agreement, Arcova shall make the Customer's Personal Data available for export through the Service's standard export functionality for a period of ninety (90) days (the "Recovery Window").
13.2 Deletion. Following the expiration of the Recovery Window, Arcova shall delete all Personal Data in its possession or control within ninety (90) days, unless Applicable Data Protection Law requires further storage. This includes Personal Data held by Subprocessors, to the extent within Arcova's control.
13.3 Certification. Upon the Customer's written request following deletion, Arcova shall provide written certification that all Personal Data has been deleted, except to the extent that retention is required by Applicable Data Protection Law or legitimate archival purposes (e.g., backup systems from which specific deletion is not technically feasible, provided such data remains protected and is not actively Processed).
13.4 Backup Retention. Personal Data retained in backup systems after the deletion period shall be securely isolated and protected. Arcova shall delete such data when the backup is rotated or overwritten in the ordinary course of business, and shall not actively Process such data for any purpose other than maintaining the backup.
14. AI Data Processing Addendum
This Section governs the Processing of Personal Data in connection with AI-powered features of the Service, including the AI assistant known as "IRIS."
14.1 Data Flow
- (a) When a user interacts with IRIS or other AI features, the Service may transmit contextual data to third-party AI model providers (currently OpenAI and OpenRouter, as listed in the Subprocessor List).
- (b) Prior to transmission, Arcova applies automated PII masking to remove or obfuscate identifiable Personal Data from the content sent to AI providers. This includes names, addresses, phone numbers, dates of birth, government identifiers, and other directly identifying information.
- (c) Masked contextual data (such as operational parameters, de-identified descriptions, and general queries) may be transmitted to the AI provider to generate responses.
14.2 AI Provider Data Handling
- (a) OpenAI processes data submitted through its API in accordance with its API data usage policy, which states that data submitted via the API is not used to train OpenAI's models. OpenAI may retain API inputs and outputs for up to thirty (30) days for abuse and misuse monitoring purposes, after which they are deleted.
- (b) OpenRouter processes data for embedding generation. Data is transmitted via API and is not used for model training.
- (c) Arcova selects AI providers that offer API terms prohibiting the use of customer data for model training.
14.3 Customer Acknowledgment
- (a) The Customer acknowledges that the use of AI features involves the transmission of data to third-party AI providers as described in this Section and the Subprocessor List.
- (b) The Customer may disable AI features through the Service's administrative settings if it does not wish data to be transmitted to AI providers.
14.4 No Sensitive Data in AI Prompts. Arcova's PII masking is applied as a technical safeguard. The Customer shall instruct its users not to input sensitive Personal Data (such as Social Security numbers, financial account numbers, or medical information) directly into AI chat interfaces.
14.5 Continuous Improvement. Arcova shall periodically review and improve its PII masking techniques and shall update the Customer if material changes are made to the AI data flow described in this Section.
15. International Data Transfers
15.1 As of the effective date of this DPA, the Service is operated within the United States and Personal Data is Processed within the United States.
15.2 Arcova shall not transfer Personal Data outside the United States without the prior written consent of the Customer, except where required by Applicable Data Protection Law.
15.3 If international transfers become necessary (for example, due to changes in Subprocessor infrastructure or expansion of the Service), Arcova shall:
- (a) Notify the Customer in advance;
- (b) Ensure that appropriate safeguards are in place, such as Standard Contractual Clauses, adequacy decisions, or other mechanisms recognized under Applicable Data Protection Law;
- (c) Update this DPA or enter into supplementary agreements as necessary to reflect the transfer mechanism.
15.4 If the GDPR or other international data protection laws become applicable to the Processing, the parties agree to negotiate in good faith any amendments to this DPA necessary to comply with such laws, including the execution of Standard Contractual Clauses.
16. Liability
16.1 Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.
16.2 For the avoidance of doubt, Arcova's total aggregate liability under this DPA shall not exceed the amounts paid by the Customer to Arcova in the twelve (12) months preceding the event giving rise to the claim.
16.3 Nothing in this Section shall limit either party's liability for (a) fraud or willful misconduct, (b) death or personal injury caused by negligence, or (c) any liability that cannot be limited by Applicable Data Protection Law.
17. General Provisions
17.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles.
17.2 Entire Agreement. This DPA, together with the Agreement and the Subprocessor List, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior discussions, negotiations, and agreements relating thereto.
17.3 Amendments. This DPA may be amended only by a written instrument signed by both parties, except that Arcova may update the Subprocessor List in accordance with Section 8.
17.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
17.5 Term. This DPA shall remain in effect for the duration of the Agreement and shall survive termination to the extent necessary to complete the Processing described herein, including the deletion obligations in Section 13.
17.6 Notices. All notices under this DPA shall be in writing and sent to the contact addresses specified above or as updated by the parties in writing. Notices to Arcova regarding data protection matters should be directed to [email protected]. Legal notices should be directed to [email protected].
17.7 No Third-Party Beneficiaries. This DPA is entered into for the benefit of the parties and is not intended to confer any rights on any third party, except as expressly provided herein.
Schedule 1: Details of Processing
| Element | Description |
|---|---|
| Subject Matter | Processing of Personal Data in connection with the provision of the Arcova OS security workforce management platform |
| Duration | For the term of the Agreement plus the Recovery Window and deletion period |
| Nature and Purpose | Employee management, scheduling, attendance tracking, billing, incident reporting, training management, community portal operations, AI-assisted operations, and related analytics |
| Types of Personal Data | As described in Section 3 |
| Categories of Data Subjects | As described in Section 4 |
| Processing Operations | Collection, storage, organization, retrieval, use, disclosure to authorized users, analysis, reporting, AI processing (with PII masking), and deletion |
This DPA is executed as part of the Master Services Agreement or Terms of Service between Customer and CT Software, LLC. By subscribing to or using the Arcova OS platform, both parties agree to be bound by the terms of this Data Processing Agreement. To request a countersigned copy, contact [email protected].