Last updated: April 2026
"Data Controller" means the fund manager (Customer) who determines the purposes and means of processing personal data through the Archstone platform. "Data Processor" means Archstone, which processes personal data on behalf of the Data Controller. "Data Subject" means any identified or identifiable natural person whose personal data is processed, including limited partners, founders, and team members. "Personal Data" means any information relating to a Data Subject, including names, email addresses, phone numbers, financial information, tax identification numbers, and accreditation documentation. "Sub-processor" means any third party engaged by Archstone to process Personal Data on behalf of the Data Controller.
Archstone processes Personal Data solely to provide the fund management platform services described in the Terms of Service. This includes: storing and managing LP records and communications, processing fund financial data and capital call records, generating AI-assisted reports and documents, delivering email communications on behalf of the fund manager, and maintaining audit logs for regulatory compliance. Archstone will not process Personal Data for any purpose other than providing the contracted services.
The Data Controller is responsible for: (a) ensuring that the collection of Personal Data complies with applicable data protection laws, (b) providing appropriate notice to Data Subjects about the processing of their data through Archstone, (c) obtaining any necessary consents from Data Subjects where required by law, (d) ensuring the accuracy of Personal Data entered into the platform, and (e) complying with all applicable securities regulations regarding the use of LP and investor data.
Archstone shall: (a) process Personal Data only on documented instructions from the Data Controller, (b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality, (c) implement appropriate technical and organizational security measures as described in our Security page, (d) assist the Data Controller in responding to Data Subject requests, (e) notify the Data Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach, (f) delete or return all Personal Data upon termination of services, subject to the 30-day data export grace period, and (g) make available to the Data Controller all information necessary to demonstrate compliance with these obligations.
The Data Controller authorizes Archstone to engage the following sub-processors: Supabase Inc. (database hosting, authentication, file storage — US), Stripe Inc. (payment processing — US), Anthropic PBC (AI processing — US; receives only anonymized/aggregated fund data, not individual LP personal data), Vercel Inc. (application hosting — US), Resend Inc. (email delivery — US; receives recipient email addresses and email content for delivery), Functional Software Inc. d/b/a Sentry (error monitoring — US; receives anonymized error data only), and PostHog Inc. (product analytics — US; receives anonymized usage data only). Archstone will notify the Data Controller at least 30 days before adding or replacing a sub-processor. The Data Controller may object to a new sub-processor within 14 days of notification.
All Personal Data is processed and stored within the United States. For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States, Archstone relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. The Data Controller may request a copy of the applicable SCCs by contacting privacy@archstone.app.
Archstone implements the following technical and organizational measures: encryption in transit (TLS 1.2+) and at rest (AES-256-GCM for sensitive fields), row-level security ensuring data isolation between funds, role-based access controls with least-privilege principles, audit logging of all data access and modifications, rate limiting and abuse prevention on all endpoints, regular security assessments, incident response procedures, and employee access controls with multi-factor authentication. A detailed description of our security posture is available at archstone.app/security.
Archstone will assist the Data Controller in fulfilling Data Subject requests including: access to Personal Data, rectification of inaccurate data, erasure of Personal Data, restriction of processing, data portability, and objection to processing. The Data Controller may fulfill most requests directly through the platform's data management features. For requests requiring Archstone's assistance, contact privacy@archstone.app.
In the event of a Personal Data breach, Archstone will: (a) notify the Data Controller within 72 hours of becoming aware of the breach, (b) provide all available information about the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to address the breach, (c) cooperate with the Data Controller in investigating and remediating the breach, and (d) maintain records of all data breaches including facts, effects, and remedial actions taken.
This DPA is effective for the duration of the Data Controller's subscription to Archstone. Upon termination, Archstone will delete all Personal Data within 30 days, unless retention is required by applicable law. The Data Controller may export their data at any time during the subscription period and during the 30-day post-termination grace period.
For questions about this Data Processing Agreement or to exercise any rights hereunder, contact: privacy@archstone.app. Archstone, Tampa, FL, United States.