Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between ARX QM Holdings, Inc. (“ARX,” “Processor”) and the organization agreeing to these terms (“Customer,” “Controller”) for the use of ARX’s Services. This DPA applies where ARX processes Personal Data on behalf of the Customer in connection with providing the Services. This DPA supplements and is incorporated into the Terms of Service or applicable enterprise agreement.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- “Data Protection Laws” means all applicable laws relating to the processing of personal data, including the GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable national or state data protection legislation.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Sub-processor” means any third party engaged by ARX to process Personal Data on behalf of the Customer.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914).
2. Scope and Roles
This DPA applies to the processing of Personal Data by ARX on behalf of the Customer in connection with the Services. The Customer acts as the Controller (or Processor on behalf of its own controllers) and ARX acts as the Processor. The subject matter, duration, nature, and purpose of processing, along with the categories of Personal Data and Data Subjects, are described in Annex I below.
3. Customer Obligations
The Customer shall:
- Ensure it has a lawful basis for the processing of Personal Data and for transferring such data to ARX
- Ensure that Data Subjects have been provided with required notices regarding the processing
- Be responsible for the accuracy, quality, and legality of Personal Data provided to ARX
- Comply with all applicable Data Protection Laws in its use of the Services
4. ARX Obligations
ARX shall:
- Process Personal Data only on documented instructions from the Customer, unless required by applicable law
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under statutory obligations of confidentiality
- Implement and maintain appropriate technical and organizational security measures as described in Section 6
- Respect the conditions for engaging Sub-processors as described in Section 7
- Assist the Customer in responding to Data Subject requests, taking into account the nature of the processing
- Assist the Customer in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations under Data Protection Laws
- At the Customer’s choice, delete or return all Personal Data upon termination of the Services, unless applicable law requires retention
- Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 8
- Not use Personal Data for any purpose other than providing the Services, and specifically shall not use Customer Personal Data for model training without explicit written consent
5. Data Subject Rights
ARX shall, to the extent legally permitted and technically feasible, promptly notify the Customer upon receiving a request from a Data Subject to exercise their rights under applicable Data Protection Laws. ARX shall assist the Customer by appropriate technical and organizational measures to fulfill the Customer’s obligation to respond to such requests. ARX shall not independently respond to a Data Subject request unless authorized by the Customer.
6. Security Measures
ARX implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Access control mechanisms, including role-based access and multi-factor authentication
- Regular security assessments, vulnerability scanning, and penetration testing
- Logging and monitoring of access to systems containing Personal Data
- Employee training on data protection and information security
- Physical security controls at data center locations (provided by infrastructure partners)
- Business continuity and disaster recovery procedures
- Incident detection, response, and reporting procedures
7. Sub-processors
Customer provides general authorization for ARX to engage Sub-processors to process Personal Data. ARX maintains a current list of Sub-processors at arxqm.com/legal/subprocessors.
ARX shall notify the Customer of any intended changes to its Sub-processors by updating the list and providing at least 30 days’ notice before the new Sub-processor begins processing Personal Data. If the Customer objects to a new Sub-processor on reasonable grounds related to data protection, ARX shall use commercially reasonable efforts to make available an alternative. If no alternative can be provided, either party may terminate the affected Services.
ARX shall impose on each Sub-processor data protection obligations substantially similar to those set out in this DPA. ARX remains liable for the acts and omissions of its Sub-processors.
8. Audits
Upon Customer’s written request and subject to reasonable confidentiality obligations, ARX shall make available information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit of ARX’s processing activities, or appoint an independent auditor to do so, subject to the following:
- Audits shall be conducted no more than once per year, unless required by a supervisory authority or following a Personal Data breach
- Customer shall provide at least 30 days’ prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt ARX’s operations
- Customer shall bear the costs of the audit
- ARX may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g., SOC 2 Type II)
9. Personal Data Breach
ARX shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed on behalf of the Customer (“Personal Data Breach”).
The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of the point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects
ARX shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
10. International Data Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, ARX shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable)
- The UK International Data Transfer Addendum, where required
- Supplementary measures as necessary to ensure an essentially equivalent level of protection
The SCCs are hereby incorporated by reference into this DPA. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail with respect to the transfer of Personal Data.
11. Term and Termination
This DPA shall remain in effect for the duration of ARX’s processing of Personal Data on behalf of the Customer. Upon termination of the Services, ARX shall, at the Customer’s election, delete or return all Personal Data within 30 days, unless applicable law requires continued retention. ARX shall certify deletion in writing upon request.
12. Governing Law
This DPA shall be governed by the laws of the State of Delaware, United States, without regard to conflict of law principles, except to the extent that mandatory provisions of Data Protection Laws of another jurisdiction apply.
Annex I: Details of Processing
| Subject Matter | Processing of Personal Data in connection with the provision of ARX’s AI governance and compliance infrastructure Services |
| Duration | For the term of the agreement between Customer and ARX, plus any post-termination retention period as required by law |
| Nature and Purpose | Providing, maintaining, and improving the Services; processing Customer inputs and generating outputs; authentication and access control; usage analytics; customer support |
| Categories of Data Subjects | Customer’s employees, contractors, agents, end users, and other individuals whose data is submitted to the Services |
| Categories of Personal Data | Names, email addresses, IP addresses, usage data, authentication data, professional information, and any other Personal Data submitted by Customer through the Services |
Contact
For DPA-related inquiries or to execute a custom DPA for enterprise agreements: