Data Privacy Commitment

Version 2.2026 | Effective 20 March 2026

1 Our Commitment to Your Data

Arcadier Pte. Ltd. ("Arcadier", "we", "us", or "our") builds and operates the Arcadier Marketplace Platform ("Platform") - software that enables businesses to launch and run online marketplaces. We take the privacy and security of the personal data entrusted to us seriously, and this document explains what we do with that data, how we protect it, and what rights you and your customers have.

This Data Privacy Commitment is a public statement of our practices and standards. It is not a contract. Clients with a contract with Arcadier have a binding Data Processing Addendum ("DPA") as part of their commercial agreement. If they do not because their contract is older, they may request one from their Arcadier client success manager.

2 Our Role in Processing Your Data

When a business ("Client") uses the Arcadier Platform, that Client is the Data Controller - the organisation that determines what personal data is collected and why. Arcadier acts as the Data Processor, processing personal data solely on behalf of, and under the documented instructions of, that Client.

Arcadier does not sell, rent, or monetise the personal data of any Client or its end-users. We process data only to the extent necessary to deliver the contracted services. Arcadier will inform the Client in writing if it believes a legal obligation requires processing in a manner inconsistent with the Client's instructions.

3 The Personal Data We Process

As part of operating the Platform on behalf of our Clients, we may process the following categories of personal data:

  • Identity: Full legal name

  • Contact: Email address, phone number, postal address

  • Digital identity: IP address, device identifier, session data

  • Transactional metadata: Order references, transaction IDs, marketplace activity records

  • Account credentials: Usernames and encrypted passwords for marketplace accounts

The specific categories processed for any individual Client depend on that Client's marketplace configuration and are documented in the applicable Data Processing Addendum. Where the Platform facilitates connections to third-party payment, identity verification, or financial service providers, those providers process relevant data under their own data protection terms.

4 Who The Data Relates To

Depending on a Client’s marketplace, personal data we process may relate to:

  • Buyers - natural persons who register and transact as buyers on the Client's marketplace;

  • Sellers / Merchants - natural persons or business representatives who list and sell on the Client's marketplace;

  • Client administrators - employees and contractors of the Client with administrative access to the Platform; and

  • Third-party vendors and service providers - business representatives operating on or integrated with the Client's marketplace.

5 Why We Process Personal Data

Arcadier processes personal data strictly for the following purposes, all in service of the Client's contracted use of the Platform:

  • Platform provisioning, hosting, and operations;

  • User account registration and management;

  • Customer and technical support; and

  • Compliance with applicable law.

We do not process personal data for any purpose beyond what is necessary to fulfil our obligations to the Client.

6 Applicable Law

Arcadier is committed to processing personal data in compliance with all data protection laws applicable to a given Client engagement. The specific legal framework that applies depends on:

  • the jurisdiction(s) in which the Client operates;

  • the location(s) where personal data is processed or stored; and

  • the residency of the Data Subjects whose data is processed.

Our standard Data Processing Addendum incorporates jurisdiction-specific obligations as required. Where a Client operates in a jurisdiction with specific mandatory requirements - such as the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or equivalent national laws - Arcadier will agree the applicable terms in writing with that Client.

7 Where Your Data Is Stored

Arcadier operates on Microsoft Azure. We offer Clients a choice of data residency region to support their compliance and data sovereignty requirements. The specific region applicable to a Client's deployment is agreed at onboarding and documented in their Data Processing Addendum.

Where personal data is transferred to or accessed from a jurisdiction with a materially different standard of data protection, Arcadier imposes equivalent contractual obligations on the relevant sub-processor or service provider to ensure the data remains protected to an equivalent standard.

8 How We Protect Your Data

Arcadier implements and maintains appropriate technical and organisational security measures designed to protect personal data against unauthorised access, disclosure, loss, or destruction. These measures are reviewed at least annually and updated following any material security incident.

Access Controls

  • Role-based access on a least-privilege basis;

  • Multi-factor authentication required for all privileged and remote access;

  • Administrative access restricted to authorised personnel only;

  • Access rights reviewed periodically and revoked immediately on offboarding; and

  • Access activity logged within Azure for monitoring and audit purposes.

Encryption

  • All data in transit protected using TLS 1.2 or higher between all clients, servers, and third parties; and

  • All data at rest encrypted using AES-256 or equivalent, including on endpoint devices.

Network & Infrastructure

  • Network access restricted to required ports only, with all other inbound traffic denied by default;

  • Built-in DDoS protection at the Azure platform level;

  • Production and non-production environments logically separated;

  • Operating systems maintained through regular security updates and patches; and

  • Anti-virus and anti-malware programmes maintained and kept current on all systems processing Client data.

Backup & Recovery

  • All data backed up and stored securely within Microsoft Azure with encryption applied at rest and in transit;

  • Production systems backed up with a 30-day retention window; and

  • Access to backup resources restricted to authorised personnel with safeguards against accidental deletion.

Personnel

  • Pre-hire screening conducted on candidates whose roles require access to Client data, in accordance with applicable law;

  • Mandatory data security training on onboarding and annually thereafter; and

  • All personnel subject to enforceable confidentiality obligations, with immediate access revocation on offboarding.

Security Testing & Review

  • Annual penetration testing conducted on networks and systems holding Client data, with findings reviewed and remediated promptly;

  • Annual independent review of Arcadier's information security practices; and

  • Documented Incident Response Plan maintained and periodically tested.

Security Certification

Arcadier is actively pursuing SOC 2 Type II and ISO 27001 certification, with completion targeted in Q2 2026. These certifications will provide independent, third-party assurance of our security controls and formal controls framework. Clients will be notified upon certification and certificates will be made available on request.

9 Sub-Processors

Arcadier may engage trusted third-party service providers ("sub-processors") to assist in delivering the Platform. Before engaging any sub-processor, Arcadier conducts due diligence on their data protection practices and imposes contractual obligations at least equivalent to those in this Commitment and any applicable DPA. Arcadier remains fully responsible for the acts and omissions of any sub-processor as if it had performed the processing directly.

Clients with an active agreement will be notified in advance of any sub-processor change that materially affects the processing of their personal data. Specific notice periods and objection rights are set out in each Client's binding Data Processing Addendum.

A current list of Arcadier's sub-processors is available on written request. Please contact your sales contact or client success manager to request the list.

10 Data Breach Notification

Arcadier maintains documented policies and procedures to detect, respond to, and address security incidents. In the event of a data breach involving a Client's personal data, Arcadier will:

  • take immediate reasonable steps to contain and mitigate the impact;

  • notify the affected Client without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach;

  • include in that notification all information reasonably required for the Client to assess its own obligations to notify regulatory authorities and affected individuals; and

  • provide further information as it becomes available and cooperate fully with the Client's investigation, including facilitating engagement with specialist forensic providers where required.

The Client remains responsible for notifying its own Data Subjects and regulatory authorities in its jurisdiction. Arcadier will not make any public statement or regulatory submission regarding a breach on a Client's behalf without that Client's prior written consent. Where Arcadier is separately required by law to notify a regulator, it will inform the Client before doing so.

11 Data Retention & Deletion

Arcadier retains personal data only for as long as necessary to provide the contracted services or to comply with applicable legal obligations. Our standard retention schedule is:

  • General Personal & Account Data: Contract term + 90 days.

  • Transactional Metadata: Contract term + 7 years.

  • Security, Audit & Activity Logs: 2 years.

  • Privacy & Breach Response Records: 7 years.

Where the Platform facilitates connections to third-party payment processors, identity verification providers, or financial services providers, those providers retain relevant records under their own retention obligations. Arcadier holds only the transactional metadata necessary to operate the Platform.

On termination of a Client's agreement, Arcadier will provide a final export of all User, Transaction, and Product Data within thirty (30) days of the termination date. Following the Client's confirmed receipt of that export, all remaining marketplace data will be hard deleted and the Client will receive a Certificate of Data Deletion signed by the CTO. Jurisdiction-specific deletion requirements are addressed in the applicable Data Processing Addendum.

12 Data Subject Rights

Arcadier supports Clients in responding to requests from individuals exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, and data portability. Assistance requests should be submitted in writing with sufficient notice for Arcadier to respond within statutory deadlines. Arcadier will not respond directly to Data Subjects without the Client's prior written authorisation, except where required by law.

13 Client Responsibilities

To support the security and integrity of the Platform and the personal data processed on it, Clients are responsible for:

  • maintaining the security of their own systems and devices used to access the Platform, including keeping operating systems, browsers, and security software up to date;

  • implementing appropriate security and anti-virus measures on systems integrated with the Platform;

  • safeguarding their Platform access credentials and taking responsibility for all activity conducted under those credentials;

  • ensuring the accuracy, quality, and lawfulness of the personal data they provide to Arcadier for processing; and

  • complying with applicable data protection law in respect of their own collection and use of personal data on their marketplace.

14 Privacy Policy

Our full Privacy Policy, which describes how Arcadier processes personal data in connection with its own business operations (including website visitors, marketing contacts, and sales activities), is available at www.arcadier.com/privacy

15 Updates to This Commitment

Arcadier may update this Data Privacy Commitment from time to time to reflect changes in applicable law, regulatory guidance, or our processing activities. Material updates will be communicated to active Clients with reasonable advance notice. The current version will always be available on our website. Clients with a binding Data Processing Addendum will receive separate notice of any amendments to that DPA in accordance with its terms.

16 Contact Us

For any questions, concerns or requests relating to this Commitment or the processing of personal data, please use this form to contact us. We endeavour to respond as soon as possible.