Data Processing Agreement

Last updated: June 12, 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Arpixa Terms of Service between you (the "Customer") and Alokkumar Rajnish Barai, operating as Arpixa ("Arpixa", "we", "us"). It applies where Arpixa processes Personal Data on the Customer's behalf as a processor. If you are a Customer in the EEA, the UK, or another jurisdiction with comparable data-protection law, this DPA applies automatically to your use of the Service — no signature is required, though a countersigned copy is available on request at hello@arpixa.io.

1. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service or in applicable Data Protection Law. "Data Protection Law" means all laws relating to data protection and privacy applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended ("CCPA/CPRA"), and India's Digital Personal Data Protection Act, 2023 ("DPDP Act"). "Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Personal Data Breach" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data that Arpixa processes on behalf of the Customer in providing the Service. "Sub-processor" means any processor engaged by Arpixa to process Customer Personal Data. "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914. "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.

2. Roles of the Parties

The parties acknowledge that, in respect of Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of a third-party controller) and Arpixa is the Processor. Where the Customer is itself a processor, the Customer warrants that its instructions to Arpixa reflect the instructions of the relevant controller. Arpixa acts as an independent Controller only for the limited account, billing, security, and operational data described in the Privacy Policy; that data is not governed by this DPA.

3. Scope and Processing Instructions

Arpixa will process Customer Personal Data only: (a) to provide, secure, and support the Service in accordance with the Terms; (b) as documented in this DPA and Annex I; and (c) in accordance with the Customer's further written instructions, provided they are consistent with the Service. Arpixa will inform the Customer if, in its opinion, an instruction infringes Data Protection Law (unless legally prohibited from doing so). Arpixa will not "sell" or "share" Customer Personal Data, and will not process it for its own advertising or for training generalised AI models (see the AI section of the Privacy Policy).

4. Arpixa's Obligations

  • Confidentiality: Arpixa ensures that persons authorised to process Customer Personal Data are bound by confidentiality obligations.
  • Security: Arpixa implements appropriate technical and organisational measures as set out in Annex II, taking into account the state of the art, costs, and the risk to Data Subjects.
  • Assistance: Taking into account the nature of processing, Arpixa assists the Customer, by appropriate measures, to fulfil its obligations to respond to Data Subject requests and to ensure security, breach notification, data protection impact assessments, and prior consultation under Articles 32–36 GDPR.
  • Records: Arpixa maintains records of processing carried out on behalf of the Customer as required by Article 30(2) GDPR.

5. Sub-processors

The Customer provides general authorisation for Arpixa to engage Sub-processors to process Customer Personal Data. The current Sub-processors are listed in Annex III. Arpixa imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for the acts and omissions of its Sub-processors. Arpixa will give the Customer notice (by email or in-product notice) before adding or replacing a Sub-processor; the Customer may object on reasonable data-protection grounds within 30 days, in which case the parties will work in good faith to resolve the concern, and if they cannot, the Customer may terminate the affected Service.

6. International Data Transfers

Customer Personal Data may be processed in the United States, the European Union, and India (see Annex III). Where Arpixa transfers Customer Personal Data originating in the EEA to a country without an adequacy decision, the SCCs (Module Two: Controller-to-Processor) are incorporated into this DPA by reference and apply to that transfer; where Arpixa onward-transfers to a Sub-processor, Module Three applies. For transfers subject to the UK GDPR, the UK Addendum applies. For Personal Data subject to the DPDP Act, transfers are made consistent with that Act. The parties agree the SCCs are completed as set out in Annex IV.

7. Data Subject Requests

Arpixa will, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise rights of access, rectification, erasure, restriction, portability, or objection in respect of Customer Personal Data. Arpixa will not respond to such a request itself except on the Customer's documented instructions or as required by law, and will provide the Customer with self-service tools and reasonable assistance to respond.

8. Personal Data Breach

Arpixa will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably required for the Customer to meet its own breach-notification obligations, together with the remediation steps taken.

9. Audit and Compliance

Arpixa will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. The Customer may, on reasonable prior notice and no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), request an audit, which may be satisfied by Arpixa providing existing documentation, security summaries, or responses to a reasonable security questionnaire, so as not to disrupt the Service or compromise the confidentiality of other customers.

10. Return and Deletion

On termination of the Service, Arpixa will, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies, within a reasonable period, except to the extent retention is required by law. Backup and log copies are deleted on the rolling cycle described in the Privacy Policy (up to 90 days). The Customer can export workspace data using the in-product export tools before the workspace is deleted.

11. Liability

Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference in the Terms to the liability of a party means the aggregate liability of that party under the Terms and this DPA combined. Nothing in this DPA limits any liability that cannot be limited under Data Protection Law.

12. Order of Precedence, Governing Law, and Term

This DPA supplements the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails; in the event of a conflict between this DPA and the SCCs, the SCCs prevail. This DPA is governed by the same law as the Terms, except where Data Protection Law requires otherwise (for example, the SCCs are governed by the law specified within them). This DPA remains in force for as long as Arpixa processes Customer Personal Data.

Annex I — Details of Processing

  • Subject matter: provision of the Arpixa agency-management platform.
  • Duration: the term of the Customer's subscription, plus the deletion windows in Section 10.
  • Nature and purpose: hosting, storage, organisation, retrieval, transmission, AI-assisted drafting, and related operations needed to deliver the Service.
  • Categories of Data Subjects: the Customer's team members, the Customer's clients and their contacts, and other individuals whose data the Customer enters into the workspace.
  • Categories of Personal Data: identity and contact details, business and project records, proposals, contracts, invoices and payment references, messages, files, scheduling data, and usage/technical data. The Customer must not enter special-category data or restricted data (e.g., health data, full payment-card numbers) into the Service.
  • Frequency: continuous, for the duration of the subscription.

Annex II — Technical and Organisational Security Measures

  • Encryption of Personal Data in transit (TLS) and at rest.
  • Role-based access controls (five permission levels), least-privilege administration, and session controls.
  • Authentication via Firebase Authentication, optional two-factor authentication, and signed session cookies with CSRF protection.
  • Hardened HTTP security headers, Content-Security-Policy, and CORS restrictions.
  • Encrypted handling of integration tokens; payment card data handled only by PCI-DSS-compliant processors (Arpixa never stores full card numbers).
  • Encrypted, redundant backups and a documented restoration process.
  • Logging, monitoring, and abuse detection; breach response procedures.

Annex III — Approved Sub-processors

Sub-processorPurposeProcessing location
Google Cloud / Firebase (Google LLC)Hosting, database, authentication, file storageUnited States / EU
Google Cloud Vertex AI (Gemini)AI-assisted features (primary model provider)United States
Groq, Inc.AI inference for certain features and failoverUnited States
CerebrasAI inference for certain features and failoverUnited States
Razorpay Software Pvt. Ltd.Subscription billing and payment processingIndia
Stripe, Inc.Payment processing (where used)United States
Amazon Web Services (AWS S3)File storage and uploadsUnited States / region-dependent
ResendTransactional and notification email deliveryUnited States
Zoom Video Communications, Inc.Meeting links (where the Customer enables it)United States

This list may change as described in Section 5. The current list is always available here; material additions are notified in advance.

Annex IV — SCC Completion

  • Module: Module Two (Controller-to-Processor) for Customer-to-Arpixa transfers; Module Three (Processor-to-Processor) for Arpixa-to-Sub-processor transfers.
  • Clause 7 (docking): applies.
  • Clause 9 (sub-processors): Option 2 (general authorisation), with the notice period in Section 5.
  • Clause 11 (redress): the optional independent dispute-resolution language does not apply.
  • Clause 17 (governing law) & Clause 18 (forum): the law and courts of the EU Member State of the data exporter, or, where the exporter is not EEA-established, the Republic of Ireland and its courts.
  • Annexes: the parties, processing details, and security measures are those set out in this DPA (Annexes I–III).
  • UK transfers: the UK Addendum applies, with Tables 1–3 populated from this DPA and Table 4 "neither party".

Contact

Questions about this DPA, or requests for a signed copy, can be sent to hello@arpixa.io (Alokkumar Rajnish Barai, operating as Arpixa, Kalyan, Thane District, Maharashtra – 421306, India).