This Data Processing Addendum (“DPA”) supplements the ArqZero Terms of Service and Privacy Policy for customers whose use of the Service involves processing personal data subject to the EU GDPR, UK GDPR, Swiss FADP, California CCPA/CPRA, or comparable data-protection laws.
For Team-tier customers, this DPA is automatically incorporated into your subscription. Individual users on the Free or Pro tier are typically the controller of any personal data they process and may rely on the same commitments below.
1. Definitions
- Controller, Processor, Personal Data, Process / Processing, Data Subject: as defined in GDPR Art. 4 (and equivalent under other regimes).
- Customer Data: personal data submitted by you to the Service, including account data, Team Memory entries, and opt-in telemetry.
- Sub-processor: a third party engaged by us to process Customer Data.
2. Roles
You are the Controller of Customer Data. We are the Processor, acting only on documented instructions consistent with the Terms of Service and your configured use of the Service.
3. Scope and duration
Processing under this DPA continues for the term of your subscription plus any retention period required by law or this DPA. The nature, purpose, types of data, and categories of data subjects are described in the Privacy Policy.
4. Our obligations
We will:
- Process Customer Data only on your documented instructions or as required by applicable law (we will notify you of such legal requirement unless prohibited).
- Ensure persons authorized to process Customer Data are under appropriate confidentiality obligations.
- Implement appropriate technical and organizational measures (TLS, encryption at rest with sub-processors, RLS, hashed authentication tokens, secret rotation, least-privilege access).
- Assist you with data subject requests where you cannot directly comply.
- Assist with breach notification, DPIAs, and prior consultations as required.
- Delete or return Customer Data at end of service, except where retention is legally required.
- Make available information necessary to demonstrate compliance, including reasonable audit rights with prior notice and confidentiality.
5. Sub-processors
You authorize us to engage the sub-processors listed below. We will provide at least 30 days' advance notice of changes to this list via email and via this page. You may object to a new sub-processor for reasonable data-protection reasons; we will work with you to address concerns, and you may terminate the affected service if we cannot.
Current sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database (Postgres) hosting | USA |
| Fly.io (HashiCorp Cloud Platform) | Backend compute | USA (multi-region) |
| Cloudflare, Inc. | CDN, DNS, WAF, static site hosting | Global |
| Upstash, Inc. | Rate-limit + caching (Redis) | USA |
| Resend, Inc. | Transactional email delivery | USA |
| Stripe, Inc. | Payment processing | USA |
| Functional Software, Inc. (Sentry) | Error reporting | USA |
| Plausible Insights OÜ | Privacy-preserving website analytics | EU |
6. International transfers
Where Customer Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision:
- EU/EEA → third country: the parties incorporate by reference Module Two (controller-to-processor) of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021). Annex I (parties, transfer details), Annex II (technical and organisational measures — see Section 12 below), and Annex III (sub-processors — see Section 5) are populated by reference to this DPA and the Privacy Policy. The optional docking clause is included; the supervisory authority is the lead authority of the customer.
- UK → third country: the parties incorporate by reference the UK International Data Transfer Addendum to the EU SCCs (IDTA), as published by the UK Information Commissioner's Office.
- Switzerland → third country: the Swiss Federal Data Protection and Information Commissioner (FDPIC)'s adapted SCCs apply, with references to Swiss law substituted as required.
Where a sub-processor offers its own SCCs covering the same transfer, those SCCs supplement (and where applicable, satisfy) the obligations under this Section 6.
6.1 CCPA service provider terms
With respect to personal information of California residents (CCPA §1798.140), we act as a “service provider” to you. We shall:
- Process personal information only for the limited and specified business purpose of providing the Service.
- Not sell or share personal information.
- Not retain, use, or disclose personal information outside our direct business relationship with you, or for any commercial purpose other than the business purpose specified in this DPA, except as permitted by CCPA.
- Not combine personal information received from you with personal information received from other sources, except as permitted by CCPA §7050(b).
- Comply with applicable CCPA obligations and provide the same level of privacy protection as required of businesses by CCPA.
- Notify you if we determine we can no longer meet these obligations; on such notice you may take reasonable and appropriate steps to stop and remediate unauthorised use.
7. Data subject requests
You are responsible for responding to data subject requests. We provide tools (data export, account deletion) to assist; we will also support requests sent to us directly by directing data subjects to you where appropriate, and by forwarding the request to you within 5 business days.
8. Security incident notification
We will notify you without undue delay (and in any event within 72 hours of confirmed knowledge where reasonably possible) of any breach involving Customer Data. Notice will include the nature of the breach, affected data categories, likely consequences, and remedial measures.
9. Audits
On reasonable prior written notice of at least 30 days (and no more than once per 12-month period absent a confirmed breach), and subject to confidentiality, you may request information necessary to verify our compliance with this DPA. We may satisfy this obligation by providing: (a) the most recent independent audit reports of our material sub-processors (e.g. SOC 2 Type II from Cloudflare, Supabase, Fly.io where available); (b) responses to a standard security questionnaire (e.g. CAIQ); and (c) where (a) and (b) are insufficient for a documented regulatory requirement, a remote-only inspection at your expense conducted by you or an independent third-party auditor not in competition with us, under appropriate confidentiality terms. Audit scope is limited to our processing of your Customer Data; it does not extend to other customers, internal financial records, or proprietary information.
10. Liability and limits
Each party's liability under this DPA is subject to the limitation of liability provisions of the Terms of Service.
11. Governing law
This DPA is governed by the same law and venue as the Terms of Service. The SCCs (where incorporated by reference for a particular sub-processor) take precedence on matters within their scope.
12. Annex II — Technical and organisational measures
We implement the following technical and organisational measures to ensure the security of Customer Data appropriate to the risk:
Pseudonymisation and encryption
- TLS 1.2+ in transit on all customer-facing endpoints.
- Database connections encrypted with sub-processor-managed TLS (Supabase).
- Authentication tokens hashed (SHA-256) at rest; plaintext never stored.
- Encryption at rest at the sub-processor level (Supabase, Cloudflare, Fly).
- Database backups encrypted with age public-key encryption before being stored outside the primary DB.
Confidentiality, integrity, availability, resilience
- Row-Level Security policies on all user-data tables (Postgres RLS).
- Least-privilege service-role access.
- Distributed rate-limiting (Upstash Redis) protecting auth endpoints.
- Daily encrypted database backups + weekly restore tests.
- Multi-machine deployment with health-checks and auto-restart (Fly.io).
- Cloudflare WAF and Bot Fight Mode on the API edge.
Process for testing, assessing, evaluating
- Pre-launch security audit (manual + automated) by labs:security-reviewer.
- Continuous gitleaks CI scanning of source control.
- npm audit on production dependencies, fixing HIGH/CRITICAL before deploy.
- Annual security review pass.
User identification and authorisation
- Email-based device authentication with verification code (15-min expiry, 5-attempt lockout).
- JWT access tokens (1 h) + refresh tokens (90 d) with 7-day offline grace.
- Boot-time secret validation enforcing minimum lengths and prefixes.
- Secret rotation procedures documented (see internal secrets.md).
Personnel
- Confidentiality obligations on all persons authorised to process Customer Data.
- Single-operator current scope; access tracked via audit logs.
Incident response
- Sentry error reporting and Axiom log retention for forensics.
- Status page (status.arqzero.dev) for public incident communication.
- 72-hour breach notification commitment (Section 8 above).
13. Contact
Data Protection contact: privacy@arqzero.dev