This Data Processing Agreement ("DPA") forms part of the Terms of Service between ARC ("ARC", the "Processor") and the subscribing business (the "Customer", the "Controller"). It applies whenever the Customer stores personal data about identifiable people — its customers, suppliers, or staff — inside the ARC platform.
1. Roles
- The Customer is the Data Controller: it decides what personal data to store in ARC and why, and it is responsible for having a lawful basis for that data (e.g. its customers' consent or a business relationship).
- ARC is the Data Processor: it processes that data only to provide the Service, on the Customer's documented instructions, and never for its own purposes.
2. Scope of processing
- Subject matter: hosting and operating the Customer's ARC workspace.
- Duration: the subscription term plus the retention windows in the Data Retention Policy.
- Nature and purpose: storage, retrieval, display, computation (e.g. balances, statements), backup, messaging on the Customer's instruction (e.g. sending an invoice via WhatsApp), and AI-assisted answers when the Customer uses the AI Guide.
- Data subjects and categories: the Customer's clients, suppliers, and staff — typically names, phone numbers, email and physical addresses, purchase history, balances, and, where the Customer uses payroll, employment and salary data.
3. ARC's obligations
- Process personal data only on the Customer's instructions as expressed through the Service and the Agreement, unless Lebanese law requires otherwise (in which case ARC informs the Customer unless prohibited).
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement and maintain the technical and organisational measures in section 4.
- Assist the Customer, insofar as reasonably possible, in answering data-subject requests (access, correction, deletion) and in meeting its own obligations under Law No. 81/2018 — and, where the Customer is subject to it, the EU GDPR.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
4. Security measures
- Encryption in transit (TLS 1.2+) for all connections, and encryption at rest for databases, file storage, and backups.
- Tenant isolation: each workspace lives in its own database schema.
- Access control: role-based permissions inside the workspace; ARC operator access is limited, logged, and protected by multi-factor authentication.
- Passwords stored only as strong one-way hashes.
- Backups: automated daily encrypted backups retained on a 30-day rolling window, stored in the same region (Frankfurt, EU).
- Monitoring: error and security-event monitoring with audit logs of sensitive actions.
5. Sub-processors
The Customer authorises the sub-processors listed in section 7 of the Privacy Policy (hosting, payments, email, AI, WhatsApp transport, monitoring). ARC remains responsible for its sub-processors' performance. ARC will announce sub-processor changes with at least 15 days' notice; the Customer may object on reasonable data-protection grounds, in which case the parties will seek a solution and the Customer may terminate the affected feature or subscription if none is found.
6. Data location and transfers
Production data is stored in Frankfurt, Germany (EU). Where a sub-processor processes data outside the storage region (for example AI processing or WhatsApp message transport), ARC relies on that provider's contractual data-protection commitments and sends only what the feature requires.
7. Personal data breach
ARC will notify the Customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting the Customer's data, with the information reasonably available: nature of the breach, categories and approximate volume of data affected, likely consequences, and measures taken. ARC will cooperate with the Customer on any notification the Customer must make to authorities or data subjects.
8. Deletion and return
- During the subscription, the Customer can export its data at any time (CSV/Excel/PDF).
- Upon termination, data is soft-deleted for 30 days (recovery window) and then permanently erased within a further 30 days, except records ARC must retain under Lebanese law (e.g. invoices ARC issued to the Customer). Backups containing the data expire on the 30-day backup cycle.
9. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms on data-protection matters, this DPA prevails.
10. Governing law
This DPA is governed by the laws of the Lebanese Republic, in particular Law No. 81 of 2018, and by the jurisdiction clause of the Terms of Service.
