Data Processing Addendum
This Addendum forms part of the agreement between Acta Diurna LLC (operating as Arcana Research) and any organization whose personnel participate in an Arcana research instrument or member program.
Effective date: April 24, 2026
Background and roles
Acta Diurna LLC (“Arcana”) operates a confidential research panel that collects self-reported information from business contacts at participating organizations (“Customer”). With respect to personal data of Customer’s personnel that is processed in connection with the Platform, Customer is a controller and Arcana is a processor (each as defined under GDPR Article 4 and equivalent US state laws).
Subject matter and duration
- Subject matter. Operation of the Arcana research panel and delivery of associated benchmarks, tear sheets, and reports.
- Duration. For as long as Customer’s personnel maintain active accounts on the Platform, plus the retention periods set out in Section 8.
Nature and purpose of processing
Arcana processes personal data to: authenticate users, manage workspace membership, administer research instruments, deliver personalized benchmarks and reports, communicate with respondents, and produce aggregated, de-identified research outputs. Arcana does not use personal data for advertising, profiling, or any purpose outside the agreed scope.
Categories of data and data subjects
- Data subjects. Customer’s personnel who voluntarily register or accept invitations to participate in Arcana research.
- Personal data categories. Business contact information (name, work email, employer, job title, role); self-reported research responses; technical data (IP address, user-agent, session timestamps, product analytics events).
- Special category data. None. Arcana does not knowingly collect health, biometric, racial, religious, or other special category data.
Processor obligations
Arcana shall:
- Process personal data only on documented instructions from Customer, including those reflected in the Terms of Service and this Addendum.
- Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures consistent with Section 9.
- Assist Customer, taking into account the nature of processing, in responding to data subject requests under Articles 15–22 GDPR or equivalent law.
- Notify Customer without undue delay of any confirmed personal data breach, and in any case within 72 hours of becoming aware of the breach.
- At Customer’s choice, delete or return personal data after the end of services, subject to legal retention requirements.
Subprocessors
Customer authorizes Arcana to engage the subprocessors listed at arcana-research.com/security. Arcana imposes data-protection obligations on subprocessors no less protective than those in this Addendum and remains responsible for their performance. Arcana will provide at least 14 days’ notice before adding or replacing a subprocessor; Customer may object on reasonable grounds within that period.
International data transfers
Personal data is hosted in the United States. For transfers from the EEA, UK, or Switzerland, the parties incorporate the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum, as applicable. Where additional measures are warranted under Schrems II, Arcana implements encryption in transit and at rest, contractual zero-retention with AI subprocessors, and pseudonymization of identifiers in research outputs.
Retention
- Account data — until Customer or the data subject requests deletion, or 24 months of inactivity, whichever is sooner.
- Identified research responses — 24 months from collection.
- Aggregated, de-identified responses — retained for the lifetime of the research program.
- Security and audit logs — 90 days minimum.
Security measures
Arcana implements the technical and organizational measures described at arcana-research.com/security, including but not limited to:
- TLS 1.2+ encryption in transit; AES-256 (provider-managed) at rest.
- bcrypt password hashing; signed, rotating session tokens.
- Role-based access control with MFA on internal admin tooling.
- Logging, monitoring, and automated dependency scanning.
- Documented incident response runbook with 72-hour notification.
- Annual external penetration testing (commencing 2026).
- Vendor security review of all subprocessors prior to onboarding.
Audit rights
Arcana will, on reasonable written request and no more than once per twelve-month period, provide Customer with summaries of its security posture, current subprocessor list, and copies of third-party audit reports (e.g., SOC 2 Type 2 once available). For organizations with binding regulatory obligations requiring on-site audit, Arcana will negotiate scope, timing, and confidentiality terms in good faith. Costs of any audit beyond document review are borne by Customer.
Data subject requests
Where a data subject contacts Arcana directly, Arcana will, where reasonably possible, redirect the request to Customer or honor the request directly under the rights described in the Privacy Policy. Arcana will assist Customer in responding to verified requests within 30 days.
Liability
Each party’s liability under this Addendum is subject to the limitation of liability set out in the Terms of Service. Nothing in this Addendum limits liability that cannot be excluded under applicable law.
Termination and return / deletion
On termination of services, Arcana will, at Customer’s election, return or delete personal data within 30 days, except where retention is required by law or to defend legal claims. Aggregated, de-identified data derived from research responses may be retained as part of the research record.
Order of precedence
In the event of a conflict between this Addendum and the Terms of Service or any other agreement between the parties, this Addendum prevails with respect to processing of personal data. The Standard Contractual Clauses, where incorporated, prevail over this Addendum to the extent of any conflict.
Contact
To request a countersigned copy of this DPA, the SCCs, or our subprocessor list: compliance@arcana-research.com.