# Data Processing Agreement **Last Updated:** May 9, 2026 **Version:** 2.0.0 **Effective Date:** May 9, 2026 --- ## 1. Scope & Purpose This Data Processing Agreement ("DPA") forms part of the Terms of Service and governs the processing of personal data by Arc Pilot on behalf of users. This DPA applies when: • You upload personal data to the Service • You use AI features to process personal data • You store files containing personal data Arc Pilot acts as a "data processor" processing data on your behalf as the "data controller." ## 2. Data Processing Details CATEGORIES OF DATA SUBJECTS: • Your customers, clients, or contacts • Individuals whose data you upload or process TYPES OF PERSONAL DATA: • Names and contact information • Business and professional data • Any data you choose to upload or process PROCESSING PURPOSES: • Storing and organizing your data • Providing AI-powered analysis and generation • Enabling collaboration and sharing features PROCESSING DURATION: • During your active use of the Service • Until data is deleted by you or upon account termination ## 3. Our Obligations As a data processor, Arc Pilot will: • Process data only according to your documented instructions • Ensure personnel are bound by confidentiality obligations • Implement appropriate technical and organizational security measures • Assist you in responding to data subject requests • Delete or return data upon termination of services • Make available information necessary for compliance audits • Notify you of data breaches without undue delay We will not process your data for our own purposes beyond providing the Service. ## 4. Sub-processors We use the following categories of sub-processors: • Cloud Infrastructure: Hosting and storage services • AI Providers: Anthropic (Claude AI models) • Payment Processing: Paddle • Analytics: Usage monitoring (anonymized) We maintain contracts with sub-processors requiring equivalent data protection. A list of current sub-processors is available upon request. We will notify you of changes to sub-processors with reasonable advance notice. ## 5. Security Measures We implement security measures including: TECHNICAL MEASURES: • Encryption in transit and at rest • Access controls and authentication • Regular security testing • Intrusion detection and monitoring ORGANIZATIONAL MEASURES: • Staff training on data protection • Access limited to necessary personnel • Incident response procedures • Regular security reviews ## 6. Data Breach Notification In the event of a personal data breach affecting your data: • We will notify you within 72 hours of becoming aware • Notification will include nature of breach, categories affected, and mitigation steps • We will cooperate with your breach notification obligations • We will document breaches and remediation actions ## 7. Your Responsibilities As data controller, you are responsible for: • Ensuring lawful basis for processing personal data • Providing necessary notices to data subjects • Responding to data subject rights requests • Ensuring data accuracy and relevance • Complying with applicable data protection laws • Not uploading data that violates laws or third-party rights ## 8. International Transfers Where data is transferred internationally: • We use Standard Contractual Clauses where required • We ensure adequate safeguards are in place • We comply with applicable transfer requirements By using the Service, you authorize necessary international transfers. --- _Contact: privacy@arc-pilot.com_