# Data Processing Agreement — Template — Apache-3 Inc.

**Document version:** 1.0 — Template
**Effective:** 2026-05-20

This is a template Data Processing Agreement that Apache-3 Inc. ("Apache-3") executes with customers who require formal data-processing terms. It is offered as a starting point. Final terms are negotiated per engagement.

## 1. Definitions

**Customer Data** means any data provided by the Customer to Apache-3 in connection with the Services, including PII, business records, and any data subject to confidentiality.

**Processor** means Apache-3 Inc.

**Controller** means the Customer.

**Sub-Processor** means any third party Apache-3 uses to perform parts of the Services.

## 2. Scope

This DPA applies to all Customer Data processed by Apache-3 in connection with the underlying services agreement.

## 3. Roles

The Customer is the Controller. Apache-3 is the Processor. Apache-3 processes Customer Data only on documented instructions from the Customer.

## 4. Apache-3 obligations

Apache-3 will:

a. Process Customer Data only as needed to perform the Services.
b. Maintain confidentiality of Customer Data.
c. Ensure personnel authorized to process Customer Data are bound by confidentiality.
d. Implement technical and organizational measures appropriate to the risk (see Annex A).
e. Promptly notify Customer of any data breach (within 72 hours of a confirmed incident).
f. Cooperate with Customer in responding to data subject requests (access, correction, deletion).
g. Delete or return Customer Data upon termination of services, except where retention is required by law.

## 5. Sub-Processors

Apache-3 may engage Sub-Processors only with the Customer's prior written consent (which may be given as a category, e.g., "cloud hosting providers"). A current list of Sub-Processors is maintained at: apache3.com/compliance/subprocessors.

## 6. Audit rights

Customer may, upon reasonable notice and no more than once per 12 months, request from Apache-3 reasonable evidence of Apache-3's compliance with this DPA. This may include written attestations, security certifications (SOC 2, ISO 27001 once attained), or copies of relevant policies. On-site audit rights are reserved for materially regulated industries and require separate agreement.

## 7. Data location

Apache-3 stores Customer Data in the United States. Specific cloud-host regions are listed in Annex B. International transfer of Customer Data is prohibited without Customer's prior written consent.

## 8. Term and termination

This DPA remains in effect for the term of the underlying services agreement. Upon termination, Apache-3 will return or delete Customer Data within 30 calendar days unless a longer retention period is required by law or by the underlying services agreement.

## 9. Breach notification

In the event of an actual or reasonably suspected breach of security affecting Customer Data, Apache-3 will:

a. Notify Customer within 72 hours of confirmation of the breach.
b. Provide preliminary details: scope, suspected cause, immediate mitigations.
c. Cooperate in investigation and remediation.
d. Provide a written post-incident report within 30 days.

## 10. Limitations and exclusions

a. This DPA does not apply to data Customer voluntarily makes public.
b. Customer represents that it has lawful authority to provide Customer Data to Apache-3.
c. Apache-3's liability under this DPA is bounded by the limitation of liability in the underlying services agreement.

---

## Annex A — Technical and Organizational Measures

Apache-3 implements the following measures:

**Access Control**
- MFA on all administrative systems
- Role-based access control
- Quarterly access reviews
- Account revocation within 1 business day of personnel departure

**Encryption**
- All data encrypted in transit via TLS 1.2 or higher
- All data encrypted at rest via per-platform AES-256
- Workstation disk encryption (FileVault/BitLocker)

**Network Security**
- All customer-facing endpoints behind a CDN with DDoS mitigation
- No production data stored on workstations

**Personnel**
- Confidentiality agreements with all personnel
- Annual security-awareness training
- Background checks per role sensitivity

**Audit Logging**
- Per-platform audit logging enabled
- Logs retained per platform terms (typically 90+ days)
- Material events reviewed via daily-check scripts

**Incident Response**
- Documented incident-response runbook (public-facing version: apache3.com/compliance/incident-response-runbook.md)
- 72-hour breach notification commitment

---

## Annex B — Sub-Processor List

| Sub-Processor | Purpose | Region |
|---|---|---|
| Supabase | Database hosting | US (us-east-1) |
| Vercel | Frontend hosting | US (multi-region) |
| Stripe | Payment processing | US |
| Resend | Transactional email | US |
| Anthropic | AI / LLM API | US |
| GitHub | Source code | US |
| Google Workspace | Email + Calendar | US |
| Cloudflare | CDN + DNS | US (global edge) |

This list is maintained at apache3.com/compliance/subprocessors and updated as Apache-3 adds or removes vendors.

---

*Apache-3 Inc. — UEI JQMHLJNNJYN1 — CAGE 8DFR5 — 118 E COMMERCIAL ST STE 2, OBERLIN, KS 67749*

*This is a template. The version executed with a specific Customer governs the relationship.*
