Last updated: June 12, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Arpixa Terms of Service between you (the "Customer") and Alokkumar Rajnish Barai, operating as Arpixa ("Arpixa", "we", "us"). It applies where Arpixa processes Personal Data on the Customer's behalf as a processor. If you are a Customer in the EEA, the UK, or another jurisdiction with comparable data-protection law, this DPA applies automatically to your use of the Service — no signature is required, though a countersigned copy is available on request at hello@arpixa.io.
Capitalised terms not defined here have the meaning given in the Terms of Service or in applicable Data Protection Law. "Data Protection Law" means all laws relating to data protection and privacy applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended ("CCPA/CPRA"), and India's Digital Personal Data Protection Act, 2023 ("DPDP Act"). "Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Personal Data Breach" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data that Arpixa processes on behalf of the Customer in providing the Service. "Sub-processor" means any processor engaged by Arpixa to process Customer Personal Data. "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914. "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
The parties acknowledge that, in respect of Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of a third-party controller) and Arpixa is the Processor. Where the Customer is itself a processor, the Customer warrants that its instructions to Arpixa reflect the instructions of the relevant controller. Arpixa acts as an independent Controller only for the limited account, billing, security, and operational data described in the Privacy Policy; that data is not governed by this DPA.
Arpixa will process Customer Personal Data only: (a) to provide, secure, and support the Service in accordance with the Terms; (b) as documented in this DPA and Annex I; and (c) in accordance with the Customer's further written instructions, provided they are consistent with the Service. Arpixa will inform the Customer if, in its opinion, an instruction infringes Data Protection Law (unless legally prohibited from doing so). Arpixa will not "sell" or "share" Customer Personal Data, and will not process it for its own advertising or for training generalised AI models (see the AI section of the Privacy Policy).
The Customer provides general authorisation for Arpixa to engage Sub-processors to process Customer Personal Data. The current Sub-processors are listed in Annex III. Arpixa imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for the acts and omissions of its Sub-processors. Arpixa will give the Customer notice (by email or in-product notice) before adding or replacing a Sub-processor; the Customer may object on reasonable data-protection grounds within 30 days, in which case the parties will work in good faith to resolve the concern, and if they cannot, the Customer may terminate the affected Service.
Customer Personal Data may be processed in the United States, the European Union, and India (see Annex III). Where Arpixa transfers Customer Personal Data originating in the EEA to a country without an adequacy decision, the SCCs (Module Two: Controller-to-Processor) are incorporated into this DPA by reference and apply to that transfer; where Arpixa onward-transfers to a Sub-processor, Module Three applies. For transfers subject to the UK GDPR, the UK Addendum applies. For Personal Data subject to the DPDP Act, transfers are made consistent with that Act. The parties agree the SCCs are completed as set out in Annex IV.
Arpixa will, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise rights of access, rectification, erasure, restriction, portability, or objection in respect of Customer Personal Data. Arpixa will not respond to such a request itself except on the Customer's documented instructions or as required by law, and will provide the Customer with self-service tools and reasonable assistance to respond.
Arpixa will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably required for the Customer to meet its own breach-notification obligations, together with the remediation steps taken.
Arpixa will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. The Customer may, on reasonable prior notice and no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), request an audit, which may be satisfied by Arpixa providing existing documentation, security summaries, or responses to a reasonable security questionnaire, so as not to disrupt the Service or compromise the confidentiality of other customers.
On termination of the Service, Arpixa will, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies, within a reasonable period, except to the extent retention is required by law. Backup and log copies are deleted on the rolling cycle described in the Privacy Policy (up to 90 days). The Customer can export workspace data using the in-product export tools before the workspace is deleted.
Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference in the Terms to the liability of a party means the aggregate liability of that party under the Terms and this DPA combined. Nothing in this DPA limits any liability that cannot be limited under Data Protection Law.
This DPA supplements the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails; in the event of a conflict between this DPA and the SCCs, the SCCs prevail. This DPA is governed by the same law as the Terms, except where Data Protection Law requires otherwise (for example, the SCCs are governed by the law specified within them). This DPA remains in force for as long as Arpixa processes Customer Personal Data.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Google Cloud / Firebase (Google LLC) | Hosting, database, authentication, file storage | United States / EU |
| Google Cloud Vertex AI (Gemini) | AI-assisted features (primary model provider) | United States |
| Groq, Inc. | AI inference for certain features and failover | United States |
| Cerebras | AI inference for certain features and failover | United States |
| Razorpay Software Pvt. Ltd. | Subscription billing and payment processing | India |
| Stripe, Inc. | Payment processing (where used) | United States |
| Amazon Web Services (AWS S3) | File storage and uploads | United States / region-dependent |
| Resend | Transactional and notification email delivery | United States |
| Zoom Video Communications, Inc. | Meeting links (where the Customer enables it) | United States |
This list may change as described in Section 5. The current list is always available here; material additions are notified in advance.
Questions about this DPA, or requests for a signed copy, can be sent to hello@arpixa.io (Alokkumar Rajnish Barai, operating as Arpixa, Kalyan, Thane District, Maharashtra – 421306, India).