Data Processing Agreement

Overview

This page describes Coplain's approach to data processing agreements (DPAs) for customers subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or other data protection frameworks that require contractual commitments between data controllers and data processors.

Coplain, operated by Price Legacy Group LLC ("Processor"), acts as a data processor when processing personal data on behalf of its customers ("Controllers") who use the Service to process documents that may contain personal data.

Requesting a DPA

If your organization requires a signed Data Processing Agreement as a condition of using the Coplain Service — for example, because you are subject to GDPR Article 28 obligations — please contact us at support@coplain.comwith the subject line "DPA Request."

We will provide a DPA that includes the European Commission's Standard Contractual Clauses (SCCs) as a lawful mechanism for international data transfers from the EU/EEA to the United States. The DPA will cover:

• Subject matter, nature, and purpose of processing
• Categories of personal data and data subjects
• Obligations and rights of the Controller
• Processor's technical and organizational security measures
• Sub-processor authorization and notification procedures
• Assistance with data subject rights requests
• Breach notification obligations
• Standard Contractual Clauses (Module Two: Controller to Processor)

International Transfers

Price Legacy Group LLC is based in the United States. When personal data is transferred from the EU/EEA or UK to the United States in the course of using the Coplain Service, we rely on the Standard Contractual Clauses approved by the European Commission as the lawful transfer mechanism (European Commission Decision 2021/914).

For UK customers, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable.

Sub-Processors

Coplain engages the following sub-processors to assist in delivering the Service. By executing a DPA with us, you authorize the engagement of these sub-processors subject to the conditions in Article 28(4) GDPR. We will notify you of any material changes to this sub-processor list in advance.

Security Measures

Our technical and organizational security measures are described on our Security page. In summary, these include:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Row-level security on all database tables via Supabase RLS
• Bcrypt password hashing; no plain-text credential storage
• Rate limiting and access controls on all API endpoints
• No document retention after processing is complete
• Incident response and breach notification within 72 hours

Data Subject Rights

As the data processor, Coplain will assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) to the extent technically possible given the nature of the processing. Controllers are responsible for their own obligations to data subjects under applicable law.

If a data subject contacts Coplain directly with a rights request, we will forward that request to the relevant Controller without undue delay.

Breach Notification

In the event of a personal data breach affecting data processed on your behalf, Coplain will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Our notification will include the information required under GDPR Article 33(3) to the extent known at the time.

Contact

To request a DPA, ask questions about our data processing practices, or notify us of a potential data protection issue: