Data Processing Agreement
This Data Processing Agreement ("DPA") regulates how we collect, process, and secure customer personal data on behalf of your organization to ensure compliance with global data protection laws.
This DPA acts as a binding supplement to our Terms of Service, outlining commitments to GDPR, CCPA, and standard contractual clauses.
We operate primarily as a data processor for the content and bookmarks you save, while maintaining strict organizational and technical security measures.
Data transfers outside the EEA or UK are safeguarded through standard contractual clauses (SCCs) to ensure equivalent protection.
Our list of sub-processors is transparent and managed to ensure your library data remains secure at all times.
Effective April 21, 2026. This DPA governs all processing of Customer Personal Data initiated by the use of Cache App.
This Data Processing Agreement ("DPA") supplements the Terms of Service (the "Agreement") entered into by and between Customer (as defined in the Agreement) and Cachd.App, Inc., a Delaware corporation ("Provider", "we", "us", or "our").
By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates, if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.
1. Definitions
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- "Authorized Sub-Processor" means a third party engaged by Provider that has a need to access Customer Personal Data to enable us to perform our obligations under this DPA or the Agreement, as listed in Exhibit B.
- "Customer Account Data" means personal data that relates to Customer's relationship with Provider, including account credentials, contact information of authorized users, and billing details.
- "Customer Usage Data" means technical usage data collected in connection with the provision of the Services, such as access logs, performance metrics, and security signals.
- "Customer Personal Data" means any Personal Data provided to us by or on behalf of Customer in the course of using the Services (including bookmarks, note contents, URLs, and metadata).
- "Data Protection Laws" means any applicable laws and regulations relating to the use or processing of Personal Data, including: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), (ii) the UK Data Protection Act 2018, and (iii) the California Consumer Privacy Act ("CCPA"), in each case as updated, amended or replaced from time to time.
2. Relationship of the Parties; Processing of Data
The parties acknowledge and agree that with regard to the processing of Customer Personal Data, Customer is the controller and Provider is the processor. Customer shall, in its use of the Services, process Personal Data and provide instructions in compliance with Data Protection Laws.
Provider shall process Customer Personal Data only: (i) to provide the Services in accordance with the Agreement, (ii) in compliance with documented instructions from Customer, and (iii) in accordance with the specifications in Exhibit A.
Following completion of the Services, at Customer's choice, Provider shall delete or return all Customer Personal Data, unless further storage of such Personal Data is required or authorized by applicable law.
CCPA compliance: Provider acts as a service provider under the CCPA. Provider will not sell, retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purposes of performing the Services specified in the Agreement.
3. Authorized Sub-Processors
Customer agrees that Provider may engage the Authorized Sub-Processors listed in Exhibit B to access and process Personal Data in connection with the Services.
Provider will update Exhibit B from time to time and will notify Customer of any new sub-processors at least fifteen (15) days before giving such sub-processor access to Customer Personal Data. Customer may object to a new sub-processor in writing on reasonable data protection grounds within ten (10) days of receipt of such notice.
Provider will enter into written agreements with all sub-processors imposing data protection obligations comparable to those in this DPA. Provider remains fully liable to Customer for the performance of its sub-processors' obligations.
4. Security of Personal Data
Taking into account the state of the art, the costs of implementation, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Customer Personal Data.
Exhibit C sets forth additional information about Provider's technical and organizational security measures.
5. Transfers of Personal Data
Customer acknowledges that Provider's primary processing operations take place in the United States and that the transfer of Customer Personal Data is necessary to provide the Services.
If Provider transfers Customer Personal Data outside the EEA or the UK to a country without an adequacy decision, such transfers will be made pursuant to the European Commission's Standard Contractual Clauses (EU SCCs) or the UK International Data Transfer Addendum, which are incorporated by reference and deemed completed as of the Effective Date.
6. Rights of Data Subjects
Provider shall, to the extent permitted by law, notify Customer if it receives a request from a Data Subject to exercise their rights of access, rectification, erasure, portability, or restriction. Provider will advise the Data Subject to submit their request directly to Customer, and Customer will remain responsible for responding.
Taking into account the nature of processing, Provider will assist Customer with appropriate technical and organizational measures to fulfill Customer's obligations to respond to Data Subject requests.
7. Audits and Inspections
Provider shall maintain records sufficient to demonstrate compliance with its obligations under this DPA.
Upon Customer's written request at reasonable intervals, and subject to confidentiality controls, Provider shall make available certifications or reports demonstrating compliance with prevailing data security standards (such as SOC 2 reports, if available).
In the event of a Personal Data Breach, Provider shall notify Customer without undue delay after becoming aware of the breach, and will take reasonable and necessary steps to remediate and secure Customer Personal Data.
8. Conflict
In the event of any conflict or inconsistency between the Terms of Service, this DPA, and the Standard Contractual Clauses, the order of precedence shall be: (1) the Standard Contractual Clauses, (2) the terms of this DPA, and (3) the Terms of Service.
Exhibit A: Details of Processing
Subject Matter and Nature of Processing: Provision of a cross-platform bookmarking, organizing, and syncing service to consolidate user bookmarks, notes, and collections.
Duration of Processing: For the duration of the Agreement and until all Customer Personal Data is deleted in accordance with Section 2.
Categories of Data Subjects: Customer's end-users, employees, and authorized platform members.
Categories of Personal Data: Library content (bookmarks, custom notes, collection metadata, tags, captured page titles, page content, descriptions, and thumbnails) and account parameters (name, email address, and linked third-party service identifiers).
Exhibit B: List of Authorized Sub-Processors
To deliver the features and capabilities of Cache App, we partner with the following infrastructure and service vendors:
| Company | Purpose | Location |
|---|---|---|
| Google LLC | Cloud platform, database hosting, and Google API integration services | United States |
| Stripe, Inc. | Billing, payment processing, and subscription management | United States |
| Arcjet, Inc. | API security, rate limiting, and sensitive data redaction | United States |
| Tavily, Inc. | AI search, metadata enrichment, and information retrieval | United States |
| OpenAI OpCo, LLC | AI-assisted categorizations, summaries, and smart collection features | United States |
Exhibit C: Technical and Organizational Security Measures
| Security Measure | Implementation Details |
|---|---|
| Encryption of Personal Data | All data is encrypted in transit using industry-standard TLS 1.3. Storage databases are encrypted at rest using AES-256 under database-level policies. |
| Logical Instance Separation | Data is logically isolated at the PostgreSQL query level so that tenant instances and libraries cannot access other accounts' data without explicit sharing. |
| Backups and Disaster Recovery | Daily automated database backups are retained for up to 30 days and tested regularly to guarantee recovery options in the event of local infrastructure failures. |
| Access Control and 2FA | Provider employees access core infrastructure via secure single sign-on (SSO) with mandatory multi-factor authentication (MFA/2FA) on all developer environments. |
| Vulnerability Scanning | Continuous code scanning, dependency auditing, and Biome linting checks are integrated directly into our build and deployment pipeline to block potential threats. |