Data Processing Agreement
How we process data on behalf of our business customers
Last updated: February 2026
1. Scope and Parties
This Data Processing Agreement (DPA) applies between Archotec AI LLC (Processor) and the organization using Archotec services (Controller). It governs the processing of personal data in connection with the services provided under the Terms of Service.
2. Definitions
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
Data Subject: The individual whose personal data is processed.
Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
3. Processing Instructions
The Processor shall only process personal data on documented instructions from the Controller. Processing shall be limited to what is necessary for providing the agreed-upon services. The Processor shall not process personal data for any other purpose without prior written consent.
4. Security Measures
The Processor implements appropriate technical and organizational measures including: encryption of data in transit (TLS 1.3) and at rest (AES-256), access controls and authentication mechanisms, regular security assessments and penetration testing, incident response procedures, and employee confidentiality agreements.
5. Sub-processors
The Processor may engage sub-processors with prior written notice to the Controller. Current sub-processors are listed on our website. The Controller has 30 days to object to new sub-processors. The Processor ensures sub-processors are bound by equivalent data protection obligations.
6. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests including: right of access, right to rectification, right to erasure, right to data portability, right to restriction of processing, and right to object. Response shall be provided within the legally required timeframe.
7. Data Breach Notification
The Processor shall notify the Controller of any personal data breach without undue delay and no later than 48 hours after becoming aware. Notification shall include: nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. International Transfers
Personal data may be transferred outside the EEA only with adequate safeguards in place, such as: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or binding corporate rules. The Processor shall inform the Controller of any transfer requirements.
9. Data Retention and Deletion
Upon termination of services or upon the Controller's request, the Processor shall delete or return all personal data within 30 days, unless retention is required by applicable law. Certification of deletion shall be provided upon request.
10. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted annually with 30 days' advance notice. The Processor shall provide reasonable assistance and access to relevant documentation.