Data Processing Agreement (DPA)
Arc OS — GDPR Art. 28 Compliant Template
Version: 1.0
Date: 2026-05-28
Issue: #166
Status: Template — fill placeholders before signing
How to use: Replace all [PLACEHOLDERS] with actual values. Both parties sign and date. Keep a signed copy on file. Review annually or when Arc OS updates its sub-processor list.
Agreement
This Data Processing Agreement ("DPA") is entered into between:
Controller (Customer):
Company name: [CUSTOMER LEGAL NAME]
Registration number: [REG NUMBER]
Address: [REGISTERED ADDRESS]
Contact (data protection): [DPO EMAIL OR RESPONSIBLE PERSON]
("Controller")
Processor:
Arc OS, operated by [ARC OS LEGAL ENTITY — pending registration]
Address: [REGISTERED ADDRESS — pending e-Residency / Diia.City]
Contact: [PROCESSOR DATA PROTECTION CONTACT EMAIL]
("Processor")
The parties have entered into a Master Service Agreement ("MSA") / subscription to arc-os.co dated [DATE OF MSA] ("Main Agreement"), under which the Processor provides AI workforce management services ("Services").
This DPA supplements and forms part of the Main Agreement. In case of conflict between this DPA and the Main Agreement, this DPA shall prevail with respect to data protection matters.
1. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1) |
| Processing | Any operation on Personal Data, as defined in GDPR Art. 4(2) |
| Data Subject | Natural person whose Personal Data is processed |
| Sub-processor | Third party engaged by Processor to process Personal Data on Controller's behalf |
| GDPR | EU General Data Protection Regulation 2016/679 |
| Standard Contractual Clauses (SCCs) | European Commission Decision 2021/914/EU |
2. Subject Matter and Duration
2.1 The Processor processes Personal Data on behalf of the Controller in connection with the Services described in the Main Agreement.
2.2 This DPA takes effect on the date of the Main Agreement and remains in force until the Main Agreement is terminated or the DPA is superseded by a revised version signed by both parties.
3. Nature, Purpose, and Categories of Processing
3.1 Nature of processing:
Collection, storage, retrieval, transmission, deletion of Personal Data in connection with the operation of Arc OS AI workforce management platform.
3.2 Purpose:
To provide the Controller with AI agent orchestration, project management, and persistent-context AI sessions as described in the Main Agreement.
3.3 Categories of Personal Data:
| Category | Examples | Required? |
|---|---|---|
| Account identifiers | Email address, OAuth ID (Google/GitHub) | ✅ Mandatory |
| Authentication data | Hashed password (bcrypt), JWT tokens | ✅ Mandatory |
| Usage data | AI token consumption, session durations | ✅ Mandatory |
| Activity logs | Project events, issue activity | ✅ Mandatory |
| Chat content | AI conversation messages (encrypted at rest) | ✅ Mandatory |
| Auth events | Login timestamps, IP address, user agent | ✅ Mandatory |
| End-user data submitted by Controller | Depends on Controller's use case | ⚠️ Controller's responsibility |
3.4 Categories of Data Subjects:
Employees, contractors, or users of the Controller who are granted access to Arc OS by the Controller.
4. Obligations of the Processor
The Processor shall:
4.1 Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required by Union or Member State law to which the Processor is subject (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on grounds of public interest).
4.2 Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Take all measures required pursuant to GDPR Art. 32 (technical and organisational security), including:
- AES-256-GCM encryption of chat messages at rest
- HMAC-SHA256 JWT authentication with 24h TTL
- Client-side end-to-end encryption of sensitive fields (key derived in the browser via WebCrypto PBKDF2; the Processor's servers never receive the key)
- TLS 1.2+ for all data in transit
- Access controls and authentication gates on all API endpoints
- Daily automated backups with integrity verification
- Annual security reviews and penetration testing
4.4 Respect the conditions for engaging Sub-processors (see Section 6).
4.5 Assist the Controller in ensuring compliance with GDPR obligations regarding security (Art. 32), breach notification (Arts. 33–34), data protection impact assessments (Art. 35), and prior consultation (Art. 36), taking into account the nature of processing and the information available to the Processor.
4.6 At the choice of the Controller, delete or return all Personal Data upon termination of the Services, and delete existing copies, unless Union or Member State law requires storage.
4.7 Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller (with reasonable notice, no more than once per year, at Controller's cost).
4.8 Notify the Controller without undue delay after becoming aware of a Personal Data Breach, and in any event within [NOTIFICATION WINDOW, e.g. 24] hours, to: [CONTROLLER DPO EMAIL]. The 72-hour deadline in GDPR Art. 33(1) applies to the Controller's notification to the supervisory authority, so the Processor's notice must leave the Controller time to meet it.
5. Obligations of the Controller
The Controller shall:
5.1 Ensure it has a lawful basis (GDPR Art. 6) for processing Personal Data transmitted to the Processor.
5.2 Provide clear and complete instructions to the Processor regarding the processing of Personal Data.
5.3 Ensure that Data Subjects have been informed about the processing of their Personal Data (or that another lawful basis applies) before submitting their data to Arc OS.
5.4 Not instruct the Processor to process special categories of data (GDPR Art. 9) — health data, biometric data, racial origin, etc. — without explicit prior agreement and appropriate safeguards.
6. Sub-processors
6.1 The Controller grants the Processor general written authorisation to engage sub-processors as listed in Annex B.
6.2 The Processor shall notify the Controller of any intended changes to sub-processors (additions or replacements) via email to [CONTROLLER DPO EMAIL] with 14 days' advance notice, giving the Controller the opportunity to object.
6.3 The Processor shall impose equivalent data protection obligations on all sub-processors by contract, as set out in this DPA.
6.4 The Processor remains fully liable to the Controller for the performance of sub-processor obligations.
7. International Transfers
7.1 Personal Data is processed on servers located in the European Union (Contabo GmbH, Munich, Germany; Hetzner Online GmbH, Nuremberg, Germany).
7.2 Where sub-processors process data outside the EEA, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) per Commission Decision 2021/914/EU or adequacy decisions under GDPR Art. 45.
7.3 The Controller authorises the international data transfers described in Annex B subject to the safeguards listed therein.
8. Data Subject Rights
8.1 The Processor shall assist the Controller in responding to Data Subject requests (GDPR Arts. 15–22), i.e. access, rectification, erasure, restriction, portability, and objection, via:
- GET /api/auth/export: GDPR Art. 20 data portability (rate-limited to 3 requests per 24 hours)
- DELETE /api/auth/account: GDPR Art. 17 right to erasure (cascades across 15+ tables)
8.2 The Processor shall not respond directly to Data Subject requests on behalf of the Controller without prior authorisation, except to acknowledge receipt and redirect to the Controller.
9. Liability and Indemnification
9.1 Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with GDPR Art. 82.
9.2 The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
9.3 Total liability of the Processor under this DPA is limited to the amounts paid by the Controller under the Main Agreement in the 12 months preceding the event giving rise to the claim.
10. Governing Law and Jurisdiction
This DPA is governed by the laws of [GOVERNING LAW — e.g. EU / EE / DE]. Disputes shall be resolved in [JURISDICTION].
Signatures
| | Controller | Processor |
|---|---|---|
| Name | [AUTHORISED SIGNATORY] | [ARC OS REPRESENTATIVE] |
| Title | [TITLE] | [TITLE] |
| Date | [DATE] | [DATE] |
| Signature | _________________ | _________________ |
Annex A — Processing Details Summary
| Field | Value |
|---|---|
| Subject matter | AI workforce management platform |
| Duration | Duration of Main Agreement |
| Nature | Collection, storage, retrieval, deletion |
| Purpose | AI agent orchestration, persistent project context |
| Data types | Account, auth, usage, activity, chat (encrypted) |
| Data subjects | Controller's employees / end users |
Annex B — Authorised Sub-processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Contabo GmbH | Primary server hosting (API, DB) | Munich, DE 🇩🇪 | EU-based, no transfer |
| Hetzner Online GmbH | Cloud container hosting (Starter Cloud) | Nuremberg, DE 🇩🇪 | EU-based, no transfer |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | US 🇺🇸 | SCCs (2021/914/EU) |
| Resend, Inc. | Transactional email (auth, invites) | US 🇺🇸 | SCCs |
| Anthropic, PBC | AI model inference (Claude API — trial credits only) | US 🇺🇸 | SCCs + DPA with Anthropic |
| Backblaze, Inc. | Off-site DB backup storage | US 🇺🇸 | SCCs |
Note: Customer brings their own Anthropic API key (Claude Pro). In this case, Anthropic is the Customer's sub-processor, not Arc OS's.
Annex C — Technical and Organisational Measures (TOMs)
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM for chat messages and vault secrets |
| Encryption in transit | TLS 1.2+ enforced via nginx; HSTS enabled |
| E2EE | WebCrypto PBKDF2 (100k iterations) → AES-256-GCM master key in sessionStorage |
| Authentication | HMAC-SHA256 JWT (24h TTL), bcrypt password hashing |
| Access control | Per-project canAccessProject() gate on every API route |
| API security | CSP headers, X-Frame-Options: DENY, nosniff, Permissions-Policy |
| Internal network | API server binds to 127.0.0.1 only; nginx proxies |
| Backup | Daily automated backups; integrity check (PRAGMA integrity_check); off-site upload |
| Breach detection | Auth event logging; fail2ban on SSH; anomaly alerting planned (#223) |
| Data deletion | GDPR Art. 17 cascade delete across 15+ tables; data retention cron |
| Audit log | Immutable activity_log + platform_audit_log tables |
| Penetration testing | Annual review target; Phase 53 Sentinel sprint completed 2026-05 |
| Access to prod | SSH key only; no password auth; MFA on GitHub |