Arcamatrix

Data Processing Agreement

Standard template · effective 2026-05-25 · custom riders via legal@arcamatrix.com

Preamble

This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement between Arcamatrix ("Processor") and the Customer ("Controller") and reflects the parties' agreement with regard to the processing of personal data carried out by Arcamatrix on behalf of Customer in connection with the service.

1. Definitions

Terms not defined herein have the meaning ascribed to them in GDPR (Regulation (EU) 2016/679). "Customer Personal Data" means personal data that Arcamatrix processes on behalf of Customer to provide the service.

2. Subject + duration

Subject: Arcamatrix processes Customer Personal Data solely to provide the agreed service (AI-driven content generation, video orchestration, webhook delivery, API access).

Duration: the term of the Master Subscription Agreement, plus a 30-day retention window after termination for account-data export, after which all Customer Personal Data is deleted per §11.

3. Nature + purpose of processing

Arcamatrix processes Customer Personal Data to (a) authenticate users, (b) store + retrieve their pipeline runs, (c) generate AI-derived content from their prompts, (d) deliver webhooks to Customer-specified URLs, (e) calculate + bill usage.

4. Categories of data + data subjects

Categories of personal data: account identifiers (email, hashed password), usage data (token counts, API call metadata), Customer-supplied content (prompts, briefs, generated assets which may incidentally contain personal data of the Customer's end users).

Data subjects: Customer's employees with Arcamatrix accounts, plus any natural persons referenced in Customer-supplied content.

5. Obligations of Arcamatrix

  • Process Customer Personal Data only on documented instructions from Customer.
  • Ensure personnel authorised to process Customer Personal Data are bound by confidentiality.
  • Implement appropriate technical + organizational measures per Art. 32 (see §7).
  • Assist Customer in fulfilling Data Subject Rights requests (access, erasure, portability).
  • Notify Customer of any Personal Data Breach without undue delay (≤72h).
  • Provide audit logs + records of processing on reasonable request.

6. Subprocessors

Customer authorizes Arcamatrix to engage the subprocessors listed at arcamatrix.com/subprocessors. Customer is notified ≥30 days in advance of any new subprocessor; Customer may object in writing, in which case Arcamatrix shall propose a commercially reasonable alternative or, failing that, Customer may terminate the affected service with a pro-rata refund.

7. Security measures (Art. 32)

  • TLS 1.2+ for data in transit; AES-256 for data at rest in S3 + Postgres.
  • Bearer tokens HMAC-SHA256 signed; webhook payloads HMAC-signed with timestamp-bound signatures (5-min replay window).
  • SSRF guard on all outbound HTTP from user-controlled URLs (blocks RFC1918, loopback, cloud metadata).
  • Quarterly internal access review; least-privilege production access via SSH bastion.
  • Automated daily backups with 30-day retention; restore procedure tested quarterly.
  • Penetration test annually by independent third party; report available to Customer under NDA.

8. International transfers (Module 2 SCC)

Where Customer Personal Data is transferred to a country without an EU adequacy decision (notably the US for AI inference + Stripe billing), the parties incorporate by reference the EU Standard Contractual Clauses Module Two (Commission Implementing Decision (EU) 2021/914), with Customer as data exporter + Arcamatrix as data importer. Annexes I-III are populated by §4 + §6 + §7 above.

9. Breach notification

Arcamatrix shall notify Customer at the Customer's registered admin email within 72 hours of becoming aware of a Personal Data Breach. Notification includes: nature of breach, affected categories + approximate number of data subjects, likely consequences, measures taken or proposed.

10. Audit rights

Customer may, no more than once per 12 months + at Customer's expense, audit Arcamatrix's compliance with this DPA either (a) by reviewing the latest independent third-party audit report under NDA, or (b) by on-site inspection during business hours with ≥30 days' notice + reasonable confidentiality undertakings.

11. Termination + return / deletion

Within 30 days of termination of the Master Subscription Agreement, Customer may export all Customer Personal Data via the documented API endpoints + Account > Export. Thereafter Arcamatrix deletes all Customer Personal Data within 30 days, except as required by law to retain (e.g. Stripe billing records under tax-record-keeping obligations).

12. Liability + miscellaneous

Liability under this DPA is subject to the limitations + caps set out in the Master Subscription Agreement. In case of conflict between this DPA + the Master Subscription Agreement, this DPA prevails with respect to data processing matters.
