Data Processing Agreement
Effective date: July 11, 2026
This Data Processing Agreement ("DPA") supplements the Ploti Terms of Service or other agreement governing Customer's use of the Service (the "Agreement"). It applies automatically when Ploti.ai Inc. ("Ploti") processes Customer Personal Data on behalf of Customer. A customer may request a countersigned copy by contacting support@ploti.ai.
1. Scope and definitions
This DPA applies only to Customer Personal Data that Ploti processes as a processor, service provider, or contractor on Customer's behalf. It does not apply to personal data for which Ploti acts as an independent controller, as described in Section 11.
"Customer Personal Data" means personal data, personal information, or similar regulated information contained in Customer Content and processed by Ploti on Customer's behalf through the Service.
"Data Protection Laws" means United States federal and state privacy and data-protection laws applicable to a party's processing under this DPA, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").
"Security Incident" means a confirmed breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Ploti. It excludes unsuccessful attempts that do not compromise Customer Personal Data and incidents caused solely by Customer or its Users.
Terms such as "controller," "processor," "business," "service provider," "contractor," "consumer," "sell," and "share" have the meanings assigned by applicable Data Protection Laws. Capitalized terms not defined here have the meanings given in the Agreement.
2. Roles and instructions
Customer is the controller or business for Customer Personal Data, or a processor acting for another controller. Ploti is Customer's processor, service provider, or contractor. Each party will comply with Data Protection Laws applicable to its role.
Customer instructs Ploti to process Customer Personal Data as necessary to provide, secure, support, and maintain the Service; comply with the Agreement, this DPA, and Customer's documented use and configuration of the Service; and comply with applicable law. The Agreement, this DPA, an Order, and Customer's authorized use of the Service constitute documented instructions.
Ploti will process Customer Personal Data only on Customer's instructions unless applicable law requires otherwise. Where legally permitted, Ploti will inform Customer before processing required by law. Ploti will promptly inform Customer if, in Ploti's reasonable opinion, an instruction violates applicable Data Protection Laws.
Customer is responsible for the accuracy, quality, legality, and source of Customer Personal Data; providing required notices; obtaining necessary rights and permissions; and ensuring its instructions and use of the Service comply with law and the Agreement.
3. United States privacy-law terms
To the extent the CCPA applies, Ploti receives Customer Personal Data for the limited and specified business purposes described in the Agreement and Exhibit A. Ploti will not:
- Sell or share Customer Personal Data;
- Retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for a purpose other than the specified business purposes, except as permitted by the CCPA;
- Combine Customer Personal Data with personal information received from another person or collected from Ploti's own interaction with an individual, except as permitted by the CCPA;
- Use Customer Personal Data for targeted or cross-context behavioral advertising.
Ploti certifies that it understands and will comply with these restrictions. Ploti will provide the same level of privacy protection required of service providers or contractors by applicable Data Protection Laws, and will notify Customer if it determines it can no longer meet an applicable obligation. Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
To the extent another United States state privacy law applies, Ploti will process Customer Personal Data only under Customer's instructions and subject to substantially similar duties of confidentiality, security, purpose limitation, deletion, and subprocessor oversight required of processors under that law.
4. Confidentiality and security
Ploti will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations and receive access only as necessary for their responsibilities.
Taking into account the nature of processing, implementation costs, and reasonably foreseeable risks, Ploti will maintain appropriate administrative, technical, and organizational safeguards designed to protect Customer Personal Data. The current categories of safeguards are described in Exhibit B.
Customer is responsible for securely configuring the Service, managing Users and permissions, protecting credentials and connected systems, and maintaining appropriate backups of Customer Content under its control.
5. Subprocessors
Customer generally authorizes Ploti to engage subprocessors to process Customer Personal Data. Ploti's current subprocessors and their purposes are listed on the Subprocessors page. Ploti may update that page when it adds, replaces, or removes a subprocessor. Publication of the updated list constitutes notice; Ploti does not provide separate advance notice unless required by a signed agreement or applicable law.
Ploti will enter into a written agreement requiring each subprocessor to protect Customer Personal Data under obligations appropriate to the services it performs. Ploti remains responsible for a subprocessor's performance of its data-protection obligations to the extent required by applicable law.
Customer may object to a new subprocessor by contacting support@ploti.ai on reasonable grounds relating to protection of Customer Personal Data. Ploti will consider the objection in good faith and, where commercially reasonable, seek an alternative. If no reasonable alternative is available, Customer may stop using the affected part of the Service. Objection does not relieve Customer of fees incurred or committed before discontinuation.
6. Consumer requests
If Ploti receives a request from an individual concerning Customer Personal Data, Ploti will, where legally permitted, direct the individual to Customer and notify Customer. Ploti will not independently respond except on Customer's instructions or as required by law.
Taking into account the nature of processing and functionality available to Customer, Ploti will provide reasonable assistance to help Customer respond to requests to access, correct, delete, or obtain a portable copy of Customer Personal Data. Customer is responsible for responding to the request and verifying the requester's identity and authority.
Assistance available through standard Service functionality or ordinary support is included. To the extent permitted by law, Customer will reimburse Ploti for reasonable costs of unusually burdensome, repetitive, or customized assistance.
7. Security incidents
Ploti will notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data. Notification is not an admission of fault or liability.
As information becomes reasonably available, Ploti will provide details needed for Customer to understand the nature of the Security Incident, categories of affected data, likely consequences, remediation taken or proposed, and an appropriate contact. Ploti may provide information in phases and may withhold information where disclosure would create a security risk or violate law.
Ploti will take reasonable steps within its control to contain, investigate, and remediate the Security Incident and will reasonably assist Customer with legally required notices. Customer is responsible for notices and regulatory filings required of Customer.
8. Compliance assistance and audits
Taking into account the nature of processing and information available to Ploti, Ploti will provide reasonable information and cooperation necessary for Customer to demonstrate compliance with applicable Data Protection Laws, including reasonable assistance with legally required risk or data protection assessments.
On written request at reasonable intervals and subject to confidentiality restrictions, Ploti will provide available security documentation, summaries, questionnaires, or independent reports reasonably sufficient to demonstrate compliance with this DPA.
If that information is not reasonably sufficient under applicable law, Customer may arrange an audit by a qualified, independent auditor. An audit must be limited to Customer Personal Data, occur no more than once per calendar year unless required by law or following a Security Incident, occur during normal business hours with reasonable advance notice, avoid access to other customers' data and Ploti trade secrets, and not unreasonably disrupt operations. Customer will pay its audit costs and reimburse Ploti for reasonable time and expenses associated with an onsite or customized audit.
9. Government requests
Ploti will not voluntarily disclose Customer Personal Data to law enforcement or another government authority except at Customer's direction or when Ploti reasonably believes disclosure is necessary to prevent imminent harm.
If Ploti receives a legally binding request for Customer Personal Data, Ploti will, where legally permitted, notify Customer before disclosure and provide reasonable information so Customer may seek a protective order or other remedy. Ploti may redirect the authority to Customer and may challenge a request it reasonably believes is invalid or overbroad.
10. Return and deletion
During the term, Customer may use available Service features to access or export Customer Personal Data. On termination or Customer's documented request, Ploti will delete Customer Personal Data unless retention is required or permitted by law or the Agreement.
Ploti will remove Customer Personal Data from active systems within 30 days after Customer deletes the relevant workspace or closes its account. Encrypted backups may remain until they expire or are overwritten through the ordinary backup cycle, generally within 90 days. While retained, backup data remains protected and is not restored except for disaster recovery, security, or legal purposes.
Ploti may retain billing, fraud-prevention, security, and legal records as reasonably necessary or required by law. A signed enterprise agreement may specify a different return or deletion schedule.
11. Ploti as an independent controller
Ploti acts as an independent controller or business for account, billing, relationship, website, security, and usage data that Ploti determines how to process for its own lawful business purposes. Those purposes include managing customer relationships, billing, accounting, product operations and improvement, support, fraud and abuse prevention, security, and legal compliance.
This DPA does not restrict Ploti's processing of that data as an independent controller. Ploti will process it in accordance with the Privacy Policy and applicable law. Ploti may create and use aggregated or de-identified data that does not identify Customer, a User, or the contents of Customer Content.
12. General terms
This DPA forms part of the Agreement. If there is a conflict concerning processing of Customer Personal Data, this DPA controls over the Agreement, and a separately signed data processing agreement controls over this online DPA.
The liability limitations, governing law, venue, termination, and other general provisions of the Agreement apply to this DPA. No person other than the parties and their permitted successors has a right to enforce this DPA.
Ploti may update this DPA to reflect changes in law or the Service. Material changes will apply in accordance with the change provisions of the Agreement. International transfer terms, including standard contractual clauses, are not part of this U.S.-focused DPA and may be added by written agreement if needed.
Exhibit A. Processing details
Subject matter and purpose: Providing, securing, supporting, and maintaining Ploti's geospatial collaboration, mapping, records, document, AI, agent, integration, and export features under the Agreement.
Nature of processing: Collection, recording, organization, storage, retrieval, consultation, analysis, transformation, generation, transmission, disclosure to authorized recipients, restriction, export, and deletion as initiated by Customer's use of the Service.
Duration: The term of the Agreement plus the deletion and legally required retention periods described in this DPA.
Data subjects: Customer's Users, employees, contractors, customers, prospects, property owners, contacts, and other individuals whose personal data Customer submits, selects, imports, or generates through the Service.
Categories of data: Names, business contact information, account identifiers, workspace membership, communications, documents, prompts, chat messages, usage and device information, addresses, parcel or property records, precise foreground location, map selections, project data, public-record information, and other personal data contained in Customer Content.
Sensitive or specially regulated data: Not intended for processing unless Ploti expressly agrees in writing. The Agreement and AUP prohibit submission of Social Security numbers, complete payment-card data, protected health information, biometric identifiers, children's personal data, and other specially regulated information without written approval.
Exhibit B. Security measures
Ploti's safeguards are designed to include, as appropriate to the Service and risk:
- Logical separation of customer workspaces and role-based access controls;
- Encryption of network communications in transit and encryption at rest for managed production data stores where supported;
- Credential, secret, and authentication controls, including restrictions on access to production systems;
- Logging, monitoring, rate limiting, and measures designed to detect misuse and security events;
- Backup, recovery, change-management, and incident-response processes appropriate to the Service;
- Vulnerability remediation, dependency maintenance, and security review practices;
- Confidentiality obligations and security awareness for personnel with access to Customer Personal Data;
- Contractual and risk-based review of subprocessors that may process Customer Personal Data.