Including Global Compliance Annex (UK GDPR, CCPA/CPRA, Mexico LFPDPPP)

Operated by Plugcy, a company organised under the laws of Mexico

Effective date: 1 June 2026

Version 1.0

1. Purpose and Scope

1.1  This Data Processing Addendum (“DPA”) supplements the Atorse Terms and Conditions and Privacy Policy. It applies to the extent Plugcy processes Personal Data on behalf of a business User as a processor, and it also sets out Plugcy’s own controller-side GDPR compliance commitments.

1.2  Capitalised terms not defined in this DPA have the meaning given in the Atorse Terms and Conditions or the Privacy Policy, or, where applicable, the GDPR.

2. Roles of the Parties

2.1  Controller role. For Personal Data collected directly from Users for account administration, billing, and the core discoverability service described in the Privacy Policy, Plugcy acts as an independent data controller.

2.2  Processor role. To the extent a business User submits, as part of Business Data, Personal Data relating to that business’s own customers, suppliers, or personnel (for example, named contacts embedded in product descriptions), Plugcy acts as a processor and the business User acts as controller in respect of that specific data, and the terms of this Section 2 onward apply to that processing.

2.3  Each business User, as controller under Section 2.2, instructs Plugcy to process such Personal Data solely for the purpose of providing the Services, including structuring and making such data available to AI Ecosystems for discoverability purposes, as described in the Terms and Conditions and Privacy Policy, which constitute the business User’s documented instructions for the purposes of Article 28(3)(a) GDPR.

3. Processor Obligations

3.1  Where acting as processor, Plugcy shall:

  • Process Personal Data only on the documented instructions of the controller, including with regard to transfers to a third country, unless required to do otherwise by law applicable to Plugcy, in which case Plugcy shall inform the controller of that legal requirement before processing, unless that law prohibits such notification
  • Ensure that persons authorised to process the Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organisational measures as described in Annex 1
  • Not engage another processor (Subprocessor) without prior general or specific written authorisation, as described in Section 4
  • Assist the controller, insofar as reasonably possible, in responding to data subject rights requests and in meeting obligations under Articles 32 to 36 GDPR
  • Delete or return all Personal Data to the controller at the end of the provision of the Services, save to the extent retention is required by applicable law
  • Make available information reasonably necessary to demonstrate compliance with this Section 3, and allow for audits as described in Section 8

4. Subprocessors

4.1  The business User provides general authorisation for Plugcy to engage Subprocessors to support delivery of the Services, including cloud hosting providers, authentication providers, analytics providers, and payment processors.

4.2  Plugcy shall maintain a current list of Subprocessors and shall notify business Users of any intended addition or replacement of a Subprocessor, giving the business User a reasonable opportunity to object on reasonable data-protection grounds.

Subprocessor Category              | Purpose                                    | Location (indicative; to be confirmed)
-----------------------------------|--------------------------------------------|----------------------------------------
Cloud hosting / database provider  | Hosting of application and data            | [EU / US — to be confirmed]
Authentication provider (Google)   | OAuth sign-in                              | United States / Global
Analytics provider                 | Usage analytics                            | [to be confirmed]
Payment processor                  | Subscription billing                       | [to be confirmed]
AI Ecosystem partners              | Indexing and discoverability distribution  | Global (multiple jurisdictions)

4.3  Plugcy remains liable to the controller for the performance of each Subprocessor’s obligations to the same extent Plugcy would be liable if performing those services directly, except as otherwise limited under the Terms and Conditions.

5. Security Measures (Annex 1)

Plugcy implements the following measures, which may be updated over time provided they do not materially reduce the overall level of protection:

  • Hashing of passwords using a strong, salted password-hashing algorithm (passwords are never stored in plaintext or in reversible form); encryption of data in transit via TLS
  • Role-based access controls limiting internal access to Personal Data on a need-to-know basis
  • Logging and monitoring of access to production systems
  • Regular review of Subprocessor security posture prior to onboarding
  • A documented incident response process, as described in Section 6
  • Periodic review of access permissions and prompt revocation upon role change or departure

6. Personal Data Breach Notification

6.1  Plugcy shall notify the affected business User without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting Personal Data processed under Section 2.2.

6.2  Such notification shall describe, to the extent then known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach, with further information provided in phases as it becomes available.

6.3  Plugcy shall provide reasonable cooperation and information to enable the controller to comply with its own notification obligations under Articles 33 and 34 GDPR.

7. International Transfers

7.1  Where Personal Data is transferred from the EEA or UK to Plugcy in Mexico, or onward to a Subprocessor in a third country not benefiting from an adequacy decision, the parties agree that such transfer is governed by the European Commission’s Standard Contractual Clauses (Module 2: Controller-to-Processor, or Module 3: Processor-to-Processor, as applicable), incorporated by reference into this DPA, together with the UK International Data Transfer Addendum for transfers subject to UK GDPR.

7.2  Plugcy shall, on request, provide the controller with the executed Standard Contractual Clauses and any transfer impact assessment then available.

8. Audit Rights

8.1  On reasonable prior written notice (not less than 30 days, except in the case of a suspected security incident), and not more than once per 12-month period absent cause, a business User may request a summary of Plugcy’s compliance with this DPA, which Plugcy may satisfy through the provision of a third-party audit report, security questionnaire response, or equivalent documentation, in lieu of an on-site audit, except where required by a supervisory authority.

8.2  Any audit shall be conducted during normal business hours, shall not unreasonably interfere with Plugcy’s operations, and shall be subject to confidentiality obligations.

9. Data Deletion and Return

Upon termination of the Services, or upon request, Plugcy shall, within a commercially reasonable period not exceeding 30 days, delete or, where technically feasible and requested, return Personal Data processed under Section 2.2, save to the extent continued storage is required by applicable law, in which case Plugcy shall continue to protect that data in accordance with this DPA for the duration of such retention.

10. Liability

Liability under this DPA is subject to the limitations of liability set out in the Atorse Terms and Conditions, except to the extent such limitations are not permitted under applicable mandatory data protection law.

11. Term

This DPA takes effect on the date the business User first submits Personal Data to the Services and remains in effect for as long as Plugcy processes such Personal Data on the business User’s behalf.

Global Compliance Annex

This Annex summarises how the Atorse compliance framework maps onto data protection regimes beyond the EU GDPR, given that the Services are offered to EU and global Users from a Mexico-registered operating entity.

A. UK GDPR

Plugcy applies the same standards described in this DPA and the Privacy Policy to Personal Data of UK Users, treating the UK GDPR and Data Protection Act 2018 as applying in parallel with the EU GDPR. References to Standard Contractual Clauses in Section 7 are read as including the UK International Data Transfer Addendum for UK-originating transfers.

B. United States — CCPA/CPRA (California)

For California resident Users, Plugcy honours the rights to know, delete, correct, and opt out of sale or sharing of personal information as described in the Privacy Policy, Section 13. Plugcy does not sell Personal Data for monetary consideration and treats any AI Ecosystem distribution that may constitute “sharing” under the CPRA as subject to an opt-out mechanism.

C. Mexico — LFPDPPP

As the entity operating Atorse, Plugcy is directly subject to the Ley Federal de Protección de Datos Personales en Posesión de los Particulares. Plugcy maintains a Privacy Notice (Aviso de Privacidad) consistent with the Privacy Policy, honours ARCO rights as described in the Privacy Policy, Section 14, and will register data transfers and processing activities as required under the LFPDPPP and its Regulations.

D. Other Jurisdictions

Where other jurisdictions in which Atorse operates introduce comprehensive data protection laws (for example, Brazil’s LGPD, Canada’s PIPEDA, or evolving US state laws beyond California), Plugcy will assess and extend equivalent protections on a rolling basis as part of its compliance roadmap, prioritising jurisdictions with the largest concentration of Users.