Data Processing Agreement

“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing” and “Sub-processor” have the meanings assigned to them by applicable data-protection law (including the Digital Personal Data Protection Act 2023 for India and, where applicable, the GDPR).

You (the customer) act as Controller of the Personal Data you submit to the platform. We act as Processor, processing such data only on your documented instructions, which include: providing the service, responding to your support requests, and complying with applicable law. The scope, nature, purpose and duration of processing, the categories of Data Subjects and the types of Personal Data are set out in Annex A of this DPA.

We will:

• process Personal Data only as necessary to provide the service and as instructed;
• ensure that personnel authorised to process Personal Data are bound by confidentiality;
• implement and maintain the technical and organisational measures described in Annex B;
• assist you in fulfilling your obligations to Data Subjects;
• assist you with Data Protection Impact Assessments and prior consultations with supervisory authorities where applicable;
• make available the information necessary to demonstrate compliance with this DPA.

You authorise us to engage sub-processors to perform parts of the service (infrastructure hosting, email delivery, payment processing, rate-limiting / CDN). We enter written agreements with each sub-processor imposing obligations at least as protective as those in this DPA. A current list of sub-processors is available on request. We will give you advance notice of any intended changes concerning the addition or replacement of sub-processors and you may object on reasonable grounds.

Our measures include:

• encryption of Personal Data in transit (TLS) and at rest;
• strict per-tenant data isolation enforced at the application and database layers;
• role-based and module-based access control inside the product;
• comprehensive audit logging of all create, update, delete and approval actions;
• regular automated backups with tested restoration;
• rate-limiting and anomaly detection on authentication endpoints;
• principle-of-least-privilege access for ARKcelerate personnel;
• incident-response procedures with defined escalation paths.

Taking into account the nature of the processing, we will assist you in responding to Data Subject requests (access, rectification, erasure, portability, objection) through the platform’s self-service export and deletion tooling and, where further assistance is required, through support engagement.

We will notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting your data, providing the information reasonably necessary to allow you to meet your notification obligations to supervisory authorities and Data Subjects.

Where Personal Data is transferred across borders, we rely on legally recognised transfer mechanisms (for example, Standard Contractual Clauses) and maintain equivalent protection. Where you request a specific hosting region, we will use reasonable efforts to accommodate subject to service availability in that region.

On reasonable notice and at reasonable frequency, you may audit our compliance with this DPA. Audits will be conducted during business hours and in a manner that does not unreasonably interfere with our operations. We may satisfy audit requirements by providing recent third-party audit reports and compliance summaries.

On termination of your subscription, you have a reasonable grace period during which you may export all Customer Data through the platform’s standard export tooling. After the grace period, we delete the Personal Data from our active systems; backups are overwritten in the normal course of the backup rotation.

The liability of each party under this DPA is subject to the limitations set out in the main subscription agreement / Terms of Service, except where applicable law prohibits such limitation.

This DPA takes effect when you accept the Terms of Service and continues for the duration of our processing of Personal Data on your behalf.

Data-protection queries: [email protected]. Request a countersigned DPA for your records from the same address.