Data Processing Addendum (DPA) - Acrefy

Acrefy Data Processing Addendum (DPA) Effective Date: May 1^st, 2025

I. PURPOSE

This Acrefy Data Processing Addendum ("DPA") supplements and is incorporated into the Acrefy Terms of Use, including any applicable additional services ("Terms"), between you ("Customer") and Acrefy. In the event of a conflict between the Terms and this DPA, the DPA shall prevail regarding the processing of Customer Personal Data.

You and Acrefy (each a “Party,” collectively, the “Parties”) agree that this DPA governs Acrefy’s processing of Customer Personal Data. You act as the Data Controller (or "Business") and Acrefy acts as the Data Processor (or "Service Provider") as defined by applicable law.

Acrefy acts as a Data Processor or Service Provider only for the limited purpose of enabling technical functions such as API-based data transfer, display, and communication through its platform. Acrefy does not persistently store or archive Customer Personal Data. Any processing occurs in real time or as a transient pass-through to third-party integrations (e.g., Airtable, Stripe, or domain-hosted websites controlled by you).

If processing falls under the scope of the GDPR, UK GDPR, or Swiss law, Appendix C applies. For U.S. privacy laws, see Appendix D. For processing where Acrefy acts as a Data Controller, see Appendix E.

II. DEFINITIONS

Applicable Data Protection Laws: All applicable data protection, privacy, and security laws.

Customer Personal Data: Any Personal Data provided by you or your customers in connection with your use of the Services, excluding data that Acrefy does not store or retain.

Data Controller / Business: You, the Customer, who determines purposes and means of processing.

Data Processor / Service Provider: Acrefy, processing data only as instructed.

Data Rights Request: A legally valid request made by a data subject under applicable law.

Personal Data: Any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Laws.

Process / Processing: Any operation on Customer Personal Data that occurs transiently, without permanent storage or retention by Acrefy.

Subprocessor: A third party engaged by Acrefy to assist with service delivery.

III. NATURE OF PROCESSING AND ROLES

Acrefy processes Customer Personal Data solely to provide, maintain, and improve its Services as a Data Processor or Service Provider. Acrefy will process data in accordance with your documented instructions and Applicable Data Protection Laws.

Unless otherwise stated in Appendix E, Acrefy does not store Customer Personal Data and acts as a real-time processing platform.

IV. OBLIGATIONS OF THE PARTIES

A. Mutual Compliance

Both Parties agree to comply with Applicable Data Protection Laws in connection with the processing of Customer Personal Data.

B. Acrefy’s Obligations

Data Security

Acrefy will maintain appropriate technical and organizational measures to protect Customer Personal Data during transit and temporary processing, as described in Appendix B.

Personal Data Breach
Acrefy will notify you without undue delay upon becoming aware of any Personal Data Breach affecting your Customer Personal Data, in compliance with applicable law. Notification is not an admission of fault.

Subprocessors
Acrefy may engage Subprocessors and will ensure that such parties are subject to data protection obligations consistent with this DPA. Subprocessors, if any, operate solely for transient routing and do not retain Customer Personal Data unless separately authorized by you.

C. Your Obligations

Lawfulness
You are solely responsible for ensuring that you have the necessary legal basis, rights, and consents to provide Acrefy with Customer Personal Data for processing under this DPA.

Privacy Notices and Disclosures
You must provide all legally required notices and disclosures to your customers regarding the collection, processing, and sharing of their Personal Data. This includes disclosing Acrefy’s role as a service provider and including links to Acrefy’s privacy policy where required.

Data Rights Requests
You are solely responsible for responding to Data Rights Requests (e.g., access, deletion, correction) received from your customers under any Applicable Data Protection Laws. Acrefy will not respond to such requests on your behalf.

Regulatory Inquiries
You must notify Acrefy without undue delay of any governmental, regulatory, or third-party inquiry or investigation concerning your use of the Services or processing of Customer Personal Data.

V. INTERNATIONAL TRANSFERS

Customer Personal Data may be transferred outside your jurisdiction to support the Services. Such transfers will comply with Applicable Data Protection Laws and, where applicable, use approved legal transfer mechanisms (e.g., Standard Contractual Clauses).

VI. LEGAL DISCLOSURES

Acrefy may disclose Customer Personal Data when required to comply with applicable law, government requests, court orders, legal processes, or to detect/prevent fraud, security incidents, or legal violations.

VII. CORPORATE TRANSACTIONS

In connection with a merger, acquisition, sale, or reorganization, Customer Personal Data may be disclosed as part of due diligence or transfer, subject to continued confidentiality and legal obligations.

VIII. AMENDMENTS

Acrefy may update this DPA from time to time. Updates will be effective upon posting to the Acrefy website. Continued use of the Services constitutes your acceptance of the revised DPA.

IX. DATA STORAGE & RETENTION

Acrefy does not store, archive, or persistently retain any Customer Personal Data. All data processed by Acrefy flows through temporary environments or is routed directly to third-party platforms via secure API connections.

Any long-term storage or backup of Customer Personal Data is managed by the third-party services you integrate with (e.g., Airtable, Stripe, or your domain-hosted property sites). You are solely responsible for configuring, managing, and maintaining such storage environments.

APPENDICES

Appendix A – Categories of Customer Personal Data

Acrefy does not collect or store data directly. However, while routing data via your connected systems, the following categories may pass through the platform:

Names, emails, phone numbers, and addresses

Property and transaction history

Website activity (views, inquiries)

Device, browser, and IP information

Payment-related metadata (if Stripe-connected)

Any additional data submitted through forms

Appendix B – Security Measures

Acrefy maintains a security program that includes:

Secure hosting infrastructure (for routing only)

Role-based access control for internal tools

Data encryption in transit

Intrusion detection and logging for transient data flows

Secure API gateway and key management

No persistent database storage of user data

Appendix C – GDPR / UK GDPR / Switzerland

Where applicable:

You are the Data Controller; Acrefy is the Data Processor.

You are solely responsible for identifying a lawful basis for processing, providing required notices, and responding to data subject rights.

International transfers to Acrefy will be subject to Standard Contractual Clauses or equivalent safeguards.

Appendix D – U.S. Data Protection Laws

For states such as CA, CO, CT, VA, and others:

Acrefy will not "sell" or "share" Customer Personal Data.

Acrefy processes data solely for business purposes under written contracts.

You are solely responsible for enabling and managing consumer rights.

Sensitive data must not be shared with Acrefy without valid consent, where required.

Appendix E – Acrefy as a Data Controller

In specific scenarios (e.g., AI models, analytics across customers), Acrefy may act as a Data Controller. This includes:

Aggregated usage analytics

AI feature training or optimization

Feedback loop improvements

In such cases:

Acrefy’s privacy policy applies

You are responsible for notifying end users

You may opt out of select use cases where offered