Adenda de procesamiento de datos

Last update: 21st of November 2025

This Online Data Processing Addendum (the "Addendum") forms part of and is incorporated into: (i) the Archie Terms and Conditions (https://archieapp.co/agreements-and-terms/terms-and- conditions), Service Level Agreement (https://archieapp.co/agreements-and-terms/service-level- agreement), Privacy Policy (https://archieapp.co/agreements-and-terms/privacy-policy) and (ii) any Order Form, quotation, or other ordering document referencing this Addendum (each an “Order Form”), (together, the “Principal Agreement”) entered into by and between 9338-9666 Québec inc. (“Archie”) and the customer identified in the applicable Order Form (“Subscriber”). By executing an Order Form, or by accessing or using the Services after the effective date of an Order Form, Subscriber agrees to be bound by this Addendum. GDPR-specific provisions apply only to Subscribers to whom the GDPR (including the UK GDPR) applies.

The Addendum sets out the additional terms, requirements and conditions on which Archie will process the Subscriber’s Personal Data when providing services under the Principal Agreement. The Addendum contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

Archie may update this Addendum from time to time as its business or applicable laws evolve. Any update becomes effective on the earlier of: (a) the date Archie posts the revised Addendum at a designated URL on its archieapp.co domain or (b) the date Archie otherwise notifies Subscriber. Subscriber can review the most current version at any time at the URL above. Continued use of the Services after the effective date of an update constitutes Subscriber’s acceptance of the updated Addendum.

1. Definitions For the purposes of this Addendum, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined shall have the meaning given to them in the Principal Agreement.

1. "Subscriber's Personal Data" means any personal data that is processed by Archie on behalf of the Subscriber as a result of, or in connection with, the provision of the Services under the Principal Agreement.

2. "Data Protection Laws" means all laws, rules and regulations which relate to the protection of individuals with regards to the processing of the Subscriber’s Personal Data applicable in Europe and/or the UK including (i) national laws implementing the EU Data Protection Directive 95/46/EC and the EU Electronic Communications Data Protection Directive 2002/58/ES; (ii) EU General Data Protection Regulation 2016/679 (“GDPR”) and the national laws implementing the GDPR; (iii) The UK GDPR meaning the retained EU law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419);(iv) UK Data Protection Act 2018 as well as (v) any other EU or UK laws, regulations and rules, relating to the processing of the Subscriber’s Personal Data, and any guidance or code of practice relating to the such processing issued by relevant regulatory authority or other relevant competent authority. References to this term include replacements, modifications of re- enactments of Data Protection Laws.

3. "EEA" means the European Economic Area.

4. "Archie Infrastructure" means (i) Archie physical facilities; (ii) hosted cloud infrastructure; (iii) Archie's corporate network and the non-public internal network, software, and hardware necessary to provide the Services and which is controlled by Archie; in each case to the extent used to provide the Services.

5. "Restricted Transfer" means a transfer of the Subscriber's Personal Data which would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of appropriate safeguards required for such transfers under Data Protection Laws.

6. "Services" means the services provided to the Subscriber by Archie pursuant to the Principal Agreement.

7. "Standard Contractual Clauses" means the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.

8. The terms "controller", "data subject", "Member State", "personal data", "personal data breach", "processor", "sub processor", "processing", and "supervisory authority" shall have the meanings ascribed to them in the GDPR, and their cognate terms shall be construed accordingly.

9. Notwithstanding anything to the contrary herein, to the extent the UK GDPR applies, any references in this Addendum to defined terms shall be construed and interpreted in accordance with the UK GDPR, as well as to the extent the GDPR applies, the same defined terms and references shall be construed and interpreted in accordance with the GDPR in order to comply with it.

2. Compliance with Data Protection Laws

1. Each of Archie and the Subscriber shall comply with the provisions and obligations imposed on them by the Data Protection Laws and shall procure that their employees, agents and contractors observe the provisions of the Data Protection Laws.

3. Controller and Processor

1. For the purposes of this Addendum, the Subscriber is the controller of the Subscriber's Personal Data and Archie is the processor of such data where such data is processed in order to provide the Services under the Principal Agreement.

2. The Subscriber is responsible for its compliance obligations under Data Protection Laws, including but not limited to, providing any required notices and obtaining any required consents to enable Archie to process the Subscriber Personal Data as set out in this Addendum and the Principal Agreement.

3. The Subscriber warrants that:

1. The processing of the Subscriber's Personal Data is compliant with the principles of the Data Protection Laws, based on legal grounds for processing, as may be required by Data Protection Laws and that it has made and shall maintain throughout the term of the Principal Agreement all necessary rights, permissions, registrations and consents in accordance with and as required by Data Protection Laws with respect to Archie's processing of the Subscriber's Personal Data under this Addendum and the Principal Agreement; and

2. it is entitled to and has all necessary rights, permissions, and consents to transfer the Subscriber's Personal Data to Archie and otherwise permit Archie to process the Subscriber's Personal Data on its behalf, so that Archie may lawfully use, process and transfer the Customer's Personal Data in order to carry out the Services and perform Archie's other rights and obligations under this Addendum and the Principal Agreement.

4. Scope of processing

1. In order for Archie to provide the Services under the Principal Agreement, Archie will process the Subscriber's Personal Data. Annex 1 to this Addendum sets out certain information regarding the processing of the Subscriber's Personal Data as required by the Data Protection Laws. The parties may amend Annex 1 from time to time, as the parties may reasonably consider necessary to meet those requirements.

2. Archie shall only process the Subscriber's Personal Data (i) for the purposes of fulfilling its obligations under the Principal Agreement and (ii) in accordance with the Subscriber’s documented instructions described in this Addendum or as otherwise instructed by the Subscriber in writing from time to time, unless required to use the Subscriber’s Personal Data by law to which Archie is subject; in such a case, Archie shall inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3. For the purpose of Paragraph 4(b)(ii) the Subscriber's written instructions shall be documented in the applicable order, services description, support ticket, other written communication or as directed by Subscriber using the Services (such as through an Application Programming Interface (API) or service portal).

4. Where Archie reasonably believes that a Subscriber instruction is contrary to: (i) applicable law and regulations or (ii) the provisions of the Principal Agreement or this Addendum, Archie may inform the Subscriber and is authorized to defer the performance of the relevant instruction until it has been amended by Subscriber or is mutually agreed by both Subscriber and Archie.

5. The Subscriber is solely responsible for its utilization and management of Subscriber’s Personal Data input into or transmitted by the Services, including: (i) verifying recipient's addresses and that they are correctly entered into the Services, (ii) reasonably limiting the amount or type of information disclosed through the Services.

5. Confidentiality

1. Archie shall ensure that its personnel that are authorized to process the Subscriber's Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in respect of such Subscriber’s Personal Data.

6. Technical and Organizational Measures

1. Archie shall, in relation to the Subscriber's Personal Data, (i) implement and maintain appropriate technical and organizational measures that are designed to protect Subscriber’s Personal Data from personal data breaches and to preserve the security and confidentiality of Subscriber’s Personal Data and (ii) on reasonable request, take into account such measures as recommended by the Subscriber to protect Subscriber’s Personal Data.

2. The measures implemented by Archie pursuant to Paragraph 6(a)(i) above are those described in Annex 2 of this Addendum which are considered adequate to comply with Article 32 GDPR by both parties.

3. Subject to express written agreement by the Archie to implement additional measures requested by the Subscriber pursuant to Paragraph 6(a)(ii), the parties agree that all reasonable costs associated with the implementation and maintenance of such additional measures shall be borne solely by the subscriber and shall be invoiced by the Archie on a direct, pass-through basis with no additional mark-up.

7. Audits

1. Subject to Paragraph 7(b), Archie shall make available to the Subscriber on reasonable request, information that is reasonably necessary to demonstrate Archie's compliance with this Addendum and shall allow for and contribute to audits, including inspections, by the Subscriber or an auditor mandated by the Subscriber in relation to the processing of the Subscriber's Personal Data by Archie, provided always that any third party auditors mandated by the Subscriber enter into appropriate confidentiality agreements as reasonably required by the Archie.

2. The audits allowed by Archie pursuant to Paragraph 7(a) above shall be subject to the Subscriber (i) bearing any costs and expenses of Archie arising from the provision of such information and audit rights; (ii) giving Archie reasonable prior notice of such audit, being at least 30 days’ prior to the requested audit date; (iii) such audit is undertaken so as to cause minimal disruption to Archie’s business and carried out during Archie normal operating hours

3. The Subscriber's information and audit rights only arise under Paragraph 7(a) above to the extent that the Principal Agreement and/or any other information available to the Subscriber in relation to the Services does not otherwise give the Subscriber information and audit rights meeting the requirements of Paragraph 7(a) above.

8. Data Subject Requests

1. Archie shall provide the Subscriber with reasonable cooperation and assistance, in so far it is reasonably possible and taking into account the nature of processing, by providing specific tools in order to assist Subscriber in replying to requests received from data subjects. These tools may include Archie’s APIs and interfaces to Subscriber’s Personal Data held on Archie Infrastructure.

2. If Archie receives a complaint, inquiry or request (including requests made by data subjects to exercise their rights pursuant to Data Protection Laws) related to the Subscriber's Personal Data directly from data subjects, Archie will notify and redirect such requests to the Subscriber within seven (7) days from the receipt of the complaint, inquiry or request

9. Data Breach

1. Archie shall notify the Subscriber without undue delay and in any event within twenty four (24) hours if Archie becomes aware of a personal data breach affecting the Subscriber's Personal Data.

2. Archie shall, taking into account the nature of the processing and the information available to Archie, use commercially reasonable efforts to provide the Subscriber with sufficient information to allow the Subscriber, to meet any obligations to report or inform regulatory authorities, data subjects and other entities of such personal data breach to the extent required under Data Protection Laws.

10. Data Protection Impact Assessments

1. Archie shall, taking into account the nature of the processing and the information available to Archie, provide reasonable assistance to the Subscriber, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities as required for the Subscriber to fulfill its obligations under Data Protection Laws.

2. The Parties hereby agree that by providing the information in Annex 1 and Annex 2, Archie fulfills its obligation to assist the Subscriber in ensuring compliance with its obligations to carry out data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities.

3. Notwithstanding the above, if necessary, Subscriber may request Archie to provide additional support regarding data protection impact assessments and prior consultations with the supervisory authority, which however, may be subject to payment by Subscriber of additional remuneration determined at Archie’s sole discretion.

11. Return or Destruction of the Subscriber's Personal Data

1. Within ninety (90) days of the date of cessation of any Services involving the processing of the Subscriber's Personal Data, Archie shall at the choice of the Subscriber and at Subscriber’s sole cost (i) return all copies of the Subscriber's Personal Data in the control or possession of Archie and its sub-processors; or (ii) to the extent reasonably possible delete and procure the deletion of all copies of the Subscriber's Personal Data processed by Archie and sub-processors. Notwithstanding the foregoing, Archie may retain the Subscriber's Personal Data to the extent required by EU Laws solely for the purpose of complying with data retention requirements. Archie may retain electronic copies of files containing Subscriber's Personal Data created pursuant to automatic archiving or back-up procedures which cannot reasonably be deleted within the abovementioned period solely for the period technically necessary for such archiving or back-up purposes. In these cases, Archie shall ensure that the Subscriber's Personal Data is not further actively processed and stored in such a manner to protect it from unauthorized access or use. However, once the archiving or back-up period is over, your data will be irreversibly removed from our systems.

2. If any law, regulation, or government or regulatory body requires Archie to retain any documents, materials or Subscriber’s Personal Data that Archie would otherwise be required to return or destroy, Archie will notify the Subscriber of that requirement, giving details and establishing a timeline for deletion or destruction once the retention requirement ends.

12. Restricted Data Transfers

1. The Subscriber, as a data exporter, and Archie, as a data importer established in Canada, shall access and process the personal data of the Subscriber on the basis of the European Commission’s adequacy decision regarding Canada pursuant to Article 45 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). Under this adequacy decision, Canada is deemed to provide an adequate level of protection for personal data transferred from the EEA to Canada.

2. Any revision of the abovementioned Commission Implementing Decision, or occurrence of another event or circumstance which may render this decision totally or partially unenforceable, or invalid, shall require that the Parties hereto work together in good faith to implement appropriate safeguards as required by the Data Protection Laws, including by executing Standard Contractual Clauses adopted by the European Commission, prior to performing any Restricted Transfer.

3. Archie shall ensure that any onward transfer is subject to the same appropriate safeguards as the ones established for the Restricted Transfer between the parties. If the Restricted Transfer relies on the Standard Contractual Clauses, Archie shall ensure that it enters into Standard Contractual Clauses with any recipient of the sub-processor.

13. Sub-processing

1. The Subscriber hereby authorizes Archie to appoint sub-processors in accordance with this Paragraph 13, subject to any restrictions in the Principal Agreement. Archie will ensure that sub-processors are bound by written agreements that require them to provide at least the level of data protection required of Archie by this Addendum.

2. Archie may continue to use those sub-processors already engaged as at the date of this Addendum which are those disclosed by Archie as listed in Annex 3 of this Addendum.

3. Archie shall give the Subscriber prior written notice of the appointment of any new sub-processor. If, within ten (10) business days of receipt of that notice, the Subscriber notifies Archie in writing of any objections (on reasonable grounds) to the proposed appointment, Archie shall not appoint that proposed sub-processor until reasonable steps have been taken to address the objections raised by the Subscriber and the Subscriber has been provided with a reasonable written explanation of the steps taken. If Archie and the Subscriber are not able to resolve the appointment of a sub-processor within a reasonable period, Archie shall have the right to terminate the Principal Agreement for cause.

4. Archie shall be responsible for the acts and omissions of any sub-processors as it is to the Subscriber for its own acts and omissions in relation to the matters provided in this Addendum.

14. Governing law and jurisdiction

1. The parties to this Addendum hereby submit to the competent courts of Ireland with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.

2. This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of Ireland.

15. Order of precedence

1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

16. Changes in Data Protection Laws, etc.

1. Archie may also modify or supplement this Addendum, with reasonable notice to the Subscriber:

1. If required to do so by a supervisory authority or other government or regulatory entity;

2. If necessary to comply with applicable law;

3. To implement new or updated appropriate safeguards for Restricted Transfers, including Standard Contractual Clauses approved by the European Commission; or

4. To adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 GDPR.

17. Severance

1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

18. Termination

1. This Addendum will terminate contemporaneously and automatically with the termination of the Principal Agreement.

ANNEX 1

DETAILS OF PROCESSING OF PERSONAL DATA

This Annex 1 forms part of this Addendum and is incorporated by reference.

This Annex includes certain details of the processing of Personal Data:

Subject matter and duration of the processing of Personal Data:

The subject matter and duration of the processing of Personal Data are set out in the Principal Agreement.

The nature and purpose of the processing of Personal Data:

Under the Principal Agreement, Archie provides certain workspace management services (the “Services”) to the Subscriber. Archie may therefore process personal data. Such processing activities include (a) providing the Services and any communication related thereto; (b) the detection, prevention and resolution of security and technical issues; and (c) responding to Subscriber support requests and providing Support Services.

The types of Personal Data to be processed:

The Personal Data processed by Archie depends on the Archie products and features used by the Subscriber. Such Personal Data may include, as applicable:

1. Identification and contact information

• Name

• Email address

• Address

• Profile photograph (optional)

• Job title, role, department or team

• Workplace location or assigned workspace

2. Account and authentication data

• Login credentials (hashed and salted passwords or SSO identifiers)

• Authentication events and access logs

• User preferences and settings

3. Booking and workspace usage data

• Desk, room, resource, equipment or parking bookings and related booking information

• Check-in/check-out events

• Attendance status

• Floor plan selections, assigned zones and seating preferences

• Visitor logs, host information and visit details (when using visitor management features)

4. Calendar, contact or directory data (only if Subscriber enables integrations)

• Calendar event metadata (e.g., meeting title, time, attendees, room association)

• Contact name, email address or group information

• Directory attributes from SSO or HRIS systems (Access limited to the specific fields authorized by the Subscriber or integration provider.)

5. Technical and device information

• IP address

• Browser type and version

• Device type, operating system and platform

• Time zone setting and language preference

• Session identifiers and security events

6. Service usage and telemetry data

• Feature usage metrics and interaction logs

• Clickstream and navigation paths (e.g., pages or screens viewed, links clicked)

• Session duration, response times, errors and performance events

• Methods used to access or leave the Services

7. Communication and support information

• Content of messages sent to Archie for support

• Attachments, screenshots or diagnostic information voluntarily provided

8. Visitor identity verification, check-in, and custom form data

When using Archie’s visitor management features, the Subscriber may instruct Archie, through its use of Archie, to process the following Personal Data relating to visitors, contractors, or temporary guests:

• Visitor name and contact information

• Visitor photograph or identification image captured at check-in

• Signature data (including signatures captured electronically on consent forms, NDAs, liability waivers, or other documents)

• Visit purpose, host information, and expected arrival time

• Time-stamped entry and exit logs

• Responses to custom forms created by the Subscriber, which may include:

• text-entry responses

• uploaded files or attachments

• identification details

• compliance or safety information

• any other data fields configured by the Subscriber

This category also includes any documents, waivers, declarations, or agreements uploaded or signed by visitors as part of the check-in process.

9. Billing & subscription administration data (For Archie Coworking Subscribers only)

• Billing contact email and phone

• Company or personal billing address

• VAT/GST/tax IDs (if linked to a person)

• Subscription plan or product details

• Billing history (amounts, due dates, invoices)

• Payment status and transaction metadata

Payment card details are processed directly by our PCI-DSS compliant payment provider (e.g., Stripe, GoCardless, ect) and are not stored by Archie.

This category also includes any other Personal Data reasonably necessary for billing, invoicing, payment administration, or financial account management, as instructed by the Subscriber.

10. Other information provided by the Subscriber

Any additional Personal Data submitted, imported or instructed by the Subscriber to be processed within the Services, including information required for workspace administration, coworking operations, billing contact information, or user management.

Special categories of personal data:

No special categories of personal data are processed.

The categories of data subject to whom the Personal Data relates:

Employees of the Subscriber, individuals with whom the Subscriber has business relationships developed using the Services as well as Users, Members, Account Holders, and other clients of the Subscriber.

ANNEX 2

INFORMATION SECURITY

This Annex 2 forms part of this Addendum and is incorporated by reference.

For the purpose of securing the personal data processed, Archie uses industry best practices, including:

1. Access Control

1. Preventing Unauthorized Product Access:

1. Outsourced processing: Archie hosts its Service with outsourced cloud infrastructure providers. Additionally, Archie maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Archie relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

2. Physical and environmental security: Archie hosts its product infrastructure with a multi-tenant, outsourced infrastructure provider. The physical and environmental security controls are audited for compliance with the Trust Service Criteria (TSC) and have SOC 2 Type II report and EN ISO 27001 compliance, among other certifications.

3. Authentication: Archie implemented a uniform password policy for its customer products. Subscribers who interact with the products via the user interface must authenticate before accessing non-public customer data.

4. Authorization: Subscriber data is stored in multi-tenant storage systems accessible to Subscribers via only application user interfaces and application programming interfaces. Subscribers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Archie’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

5. API access: Public product APIs may be accessed using an access token.

2. Preventing Unauthorized Product Use:

1. Archie implements industry-standard access controls and detection capabilities for the internal networks that support its products.

2. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and would include various techniques, including, but not limited to: Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall and Web Application Firewall (WAF) rules.

3. Vulnerability testing: The intent of the vulnerability tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. Annual penetration tests are conducted on the applications and the API. Identified vulnerabilities are remediated based on their severity and according to internal policies and procedures.

3. Limitations of Privilege & Authorization Requirements:

1. Product access: A subset of Archie’s employees have access to the products and to Subscriber data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, to detect and respond to security incidents and implement data security. Employees are granted access by role following the “least privileged” principle. Employee roles and access are reviewed on a quarterly basis.

2. Background checks: All Archie employees undergo a background check prior to starting employment, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

2. Transmission Control

1. In-transit: Archie makes Hypertext Transfer Protocol Secure (HTTPS) encryption (also referred to as Secure Sockets Layers (SSL) or Transport Layer Security (TLS)) available on every one of its login interfaces. Archie’s HTTPS implementation uses industry standard algorithms and certificates (TLS 1.2 or above).

2. At-rest: Archie stores customer data following best practices - Advanced Encryption Standard (AES)-256 encryption for all sensitive data at rest. Stored credentials are hashed and salted

3. Input Control

1. Account lockout: To prevent unauthorized access to user accounts, Archie implemented an account lockout mechanism that temporarily locks a user account after a defined number of consecutive failed login attempts.

2. Response and tracking: Archie maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Archie will take appropriate steps to minimize product and Subscriber damage or unauthorized disclosure.

4. Availability Control

1. Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

2. Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Subscriber data is backed up to multiple durable data stores and replicated across multiple availability zones.

3. Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using the latest industry-standard methods. Archie’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Archie operations in maintaining and updating the product applications and backend while limiting downtime.

ANNEX 3

APPROVED SUB-PROCESSORS

The Sub-processors list forms part of this Addendum and is incorporated by reference.

Archie discloses its sub-processors on its website: https://archieapp.co/agreements-and-terms/sub-processors

The sub-processors list is updated upon the occurrence of any change thereto.