Data Processing Addendum
This DPA forms part of the Terms or your Order. It applies where Arrowdot processes Customer Personal Data on your behalf.
1. Roles
You are the Controller and Arrowdot is the Processor.
For End-User Data collected by apps you publish, you are Controller and Arrowdot is your Processor.
For Customer-managed integrations that you connect directly (for example, your own OpenAI key or your own S3 bucket), that provider is not an Arrowdot sub-processor. Each of you has a direct relationship with that provider, and we use the credentials you supply only to operate the integration you configured.
2. Processing instructions
We will process Customer Personal Data only:
- to provide, secure, and support the service,
- as documented in this DPA and the Terms, and
- on your written instructions, including via product configuration and APIs.
We will promptly inform you if, in our opinion, an instruction infringes applicable data protection law.
3. Confidentiality and personnel
We ensure personnel with access are bound by confidentiality and receive appropriate privacy/security training.
4. Security
We implement the technical and organisational measures described in Annex II and on our Security & Vulnerability Disclosure page, including encryption in transit and at rest, access control with MFA, logging, and backups.
5. Sub-processors
You authorise our use of the sub-processors listed on our Sub-processors page. We will:
- impose data protection terms no less protective than this DPA, and
- provide advance notice of new sub-processors on that page and via email if you subscribe.
You may object on reasonable grounds; we will work in good faith to resolve or suggest alternatives.
6. International transfers
If we transfer Customer Personal Data outside the UK or EEA to a country without an adequacy decision, we will use valid transfer safeguards: the EU SCCs (Decision 2021/914), Module 2 (Controller to Processor), supplemented for UK transfers by the UK Addendum to the EU SCCs or the UK IDTA.
Details are in Annex I, Section C.
7. Assistance
Taking into account the nature of processing, we will assist you with:
- data subject requests,
- security and breach notifications,
- DPIAs and consultation with regulators,
- deletion or return on termination.
8. Breach notification
We will notify you without undue delay, and in any case within 72 hours of confirming a Personal Data Breach affecting Customer Personal Data, and will provide further details in phases as they become available.
9. Audits
On reasonable prior notice, no more than once in any 12-month period (or additionally following a Personal Data Breach affecting Customer Personal Data), you may audit our compliance via:
- current third-party reports that we provide (for example, penetration test summaries), and where those are insufficient,
- a focused on-site or remote review. Audits must not unreasonably disrupt our business, and you will keep our information confidential.
10. Return or deletion
Within 30 days after termination, at your request we will return Customer Personal Data and then delete or anonymise it from our systems, except where law requires us to retain it.
11. Duration
This DPA applies for the Term and survives for as long as needed to complete return or deletion, any legally required retention, and any outstanding audits.
12. Order of precedence
If this DPA conflicts with the Terms, this DPA controls for data protection matters.
Annex I – Description of processing
A. Controller
Customer named in the Order.
B. Processor
Arrowdot Ltd.
Subject matter
Hosting, execution, and operation of AI-assisted apps and data pipelines; platform telemetry and support.
Duration
Term of the service plus 30 days for export/deletion, unless law requires longer.
Nature and purpose
To provide the platform and related support; secure, monitor, and improve service performance; handle incidents.
Categories of data subjects
Your employees and contractors, end users of your published apps, and other individuals whose data you choose to process.
Categories of personal data
Determined by you. Typical examples: identifiers, contact data, usage events, business records, file contents. Special categories of personal data are not intended to be processed, but may be if you choose to submit them.
Frequency of transfer
Continuous as needed to provide the service.
Location of processing
The Arrowdot platform operates in multiple regions, including the United Kingdom and the United States. Customer data may be processed or stored in any region where Arrowdot or its sub-processors operate. Regional data residency is not currently offered: customer data is not pinned to a single region. International transfer safeguards are described in Annex I-C and on the Sub-processors page.
Annex I-C – International transfers and safeguards
- EEA to non-EEA: EU SCCs 2021/914, Module 2 (Controller→Processor).
- UK to non-adequate: UK Addendum to the EU SCCs.
- Transfers are limited to the sub-processors identified on the Sub-processors page and to our hosting regions.
Annex II – Technical and organisational measures (summary)
- Access control with SSO/MFA; least-privilege roles; quarterly access reviews.
- Encryption in transit (TLS 1.2+) and at rest for platform-hosted data.
- Secrets management and key rotation.
- Network security, firewall rules, WAF/CDN as applicable.
- Logging and audit trails; security event monitoring.
- Backups with periodic restore testing.
- Secure SDLC, code review, dependency scanning.
- Vendor risk review for sub-processors.
- Incident response runbook; 24x7 paging for critical incidents.
- Staff training and confidentiality obligations.
Annex III – Sub-processors
See the live list on our Sub-processors page.