This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Service between Digital Arcadia LLC ("Processor" or "A3") and the entity agreeing to the Terms ("Controller" or "Customer"). This DPA governs the processing of personal data by A3 on behalf of the Customer.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by A3 on behalf of the Customer through the Service.
- "Processing" means any operation performed on Personal Data, including collection, use, storage, disclosure, or deletion.
- "Service" means the A3 Age Assurance API as described in the Terms of Service.
- "Applicable Data Protection Laws" means the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other applicable US federal or state data protection laws.
2. Scope of Processing
- Purpose: A3 processes data solely to provide the age-assurance Service as described in the Terms. A3 does not process data for any other purpose, including marketing, profiling, or resale.
- Data Categories: The Service processes anonymized behavioral metrics, device context metadata, contextual signals, account longevity data, input complexity statistics, and OS age-bracket signals. The Service does not process directly identifying information (names, email addresses, government IDs, or raw biometric data).
- Data Subjects: End users of the Customer's application whose age is being assessed.
- Duration: Processing occurs in real time for each API request. Under our zero-retention architecture, request payloads are purged from memory immediately after the response is returned.
3. Processor Obligations
- Instructions: A3 will process Personal Data only in accordance with the Customer's documented instructions as embodied in the API request. A3 will not process Personal Data for any purpose other than providing the Service.
- Confidentiality: A3 ensures that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
- Security Measures: A3 implements and maintains appropriate technical and organizational security measures, including:
  - Encryption in transit (TLS 1.3) and at rest (AES-256 via AWS KMS)
  - Timing-safe API key validation
  - Stateless, zero-retention compute (AWS Lambda)
  - K-anonymous aggregated logging (no PII in logs)
  - Physical isolation of billing ledger from scoring logic
- Data Retention: A3 does not retain request payloads. Aggregated analytics logs (de-identified, k-anonymous) are retained for 90 days. Billing ledger records (API key hash and request status only) are retained for 7 years per IRS requirements.
- Deletion: Due to the zero-retention architecture, no deletion mechanism is needed for request data. Upon termination of the Service agreement, any Customer-specific billing records will be retained only as required by law.
4. Subprocessors
A3 uses the following subprocessors to provide the Service:
- Amazon Web Services (AWS) — Compute (Lambda), logging (CloudWatch), encryption (KMS). Region: us-west-2.
- Zuplo — API gateway for rate limiting and authentication.
- Stripe — Payment processing and subscription management (processes Customer billing data, not end-user data).
A3 will notify the Customer at least 30 days before engaging a new subprocessor. The Customer may object to a new subprocessor by providing written notice to [email protected] within 30 days of notification. If the objection cannot be reasonably resolved, either party may terminate the affected Service.
5. Controller Obligations
- Lawful Basis: The Customer is responsible for ensuring that it has a lawful basis for transmitting data to A3 and for providing any required notices or obtaining any required consents from its end users.
- Biometric Consent: If the Customer uses the face-estimation fallback feature, the Customer is solely responsible for obtaining all required biometric data consents from end users under applicable law (including Illinois BIPA, Texas CUBI, and similar statutes).
- Compliance: The Customer is responsible for its own compliance with Applicable Data Protection Laws. Use of A3 does not constitute legal advice or guarantee regulatory compliance.
6. Data Subject Rights
Due to A3's zero-retention architecture, A3 does not hold identifiable Personal Data after processing. If A3 receives a data subject rights request that it can identify as relating to the Customer's end users, A3 will promptly notify the Customer and provide reasonable cooperation to fulfill the request. A3 will not independently respond to data subject requests unless legally required to do so.
7. Data Breach Notification
In the event of a Personal Data breach, A3 will notify the Customer without undue delay (and in any event within 72 hours of becoming aware of the breach). The notification will include the nature of the breach, the categories and approximate number of data subjects affected (if known), the likely consequences, and the measures taken or proposed to mitigate the breach.
8. Audit Rights
A3 will make available to the Customer, upon reasonable request and subject to confidentiality obligations, information necessary to demonstrate compliance with this DPA. A3 will permit and contribute to audits conducted by the Customer or an independent auditor mandated by the Customer, provided that such audits are conducted no more than once per year, with at least 30 days' notice, and during regular business hours.
9. Geographic Restrictions
The Service is available exclusively within the United States. All data processing occurs in the AWS us-west-2 region. A3 does not transfer Personal Data outside of the United States and does not offer the Service in the EU/EEA or United Kingdom.
10. Term and Termination
This DPA is effective for the duration of the Customer's use of the Service under the Terms of Service. Upon termination, A3's obligations under this DPA continue with respect to any Personal Data retained in accordance with Section 3 (Data Retention).
11. Contact
For questions about this DPA or to exercise any rights hereunder, contact:
Digital Arcadia LLC
522 W Riverside Ave Ste N
Spokane, WA 99201, United States
[email protected]