Data Processing Agreement
Last updated: June 10, 2026
This is a template for reference. To execute a Data Processing Agreement alongside your Master Service Agreement or Statement of Work, contact info@arcasya.ai with the subject line “Legal Notice — DPA.” Both parties should complete the bracketed fields and retain a signed copy. This document does not constitute legal advice — consult qualified counsel before execution if required by your organization.
Parties
This Data Processing Agreement is entered into between:
Data Controller (“Client”)
- Company Name: ____________________________
- Registered Address: ____________________________
- Contact Email: ____________________________
- Signatory Name and Title: ____________________________
Data Processor (“Arcasya”)
True Mark Consulting, LLC DBA ArcasyaAI
23200 Deming Road, Cicero, Indiana 46034, United States
Contact: info@arcasya.ai
Together referred to as the “Parties.”
Recitals
WHEREAS, Client has engaged Arcasya to provide AI agent orchestration, automation, and related services (the “Services”) pursuant to the Terms and Conditions or a separate Master Service Agreement between the Parties (the “Principal Agreement”);
WHEREAS, in the course of providing the Services, Arcasya may process Personal Data on behalf of the Client as a Data Processor;
WHEREAS, the Parties wish to set out the terms under which such processing shall occur, consistent with applicable data protection law including the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), and other applicable regulations;
NOW, THEREFORE, the Parties agree as follows:
1. Definitions
For the purposes of this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Arcasya on behalf of Client in connection with the Services.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, transmission, deletion, or any automated processing.
- “Data Controller” means the entity that determines the purposes and means of processing Personal Data. For this DPA, the Client is the Data Controller.
- “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller. For this DPA, Arcasya is the Data Processor.
- “Sub-processor” means any third party engaged by Arcasya to process Personal Data in connection with the Services.
- “Data Subject” means the natural person whose Personal Data is being processed.
- “Applicable Data Protection Law” means any applicable privacy or data protection statute, regulation, or binding guidance, including without limitation CCPA/CPRA, GDPR, UK GDPR, and applicable U.S. state privacy laws.
- “Security Incident” means any confirmed unauthorized access to, disclosure of, or loss of Personal Data processed under this DPA.
2. Scope and Nature of Processing
2.1 Subject Matter
Arcasya processes Personal Data solely to provide the Services described in the Principal Agreement and as further specified in Schedule A (Processing Details) attached hereto.
2.2 Instructions
Arcasya shall process Personal Data only on documented instructions from Client, as set out in this DPA, the Principal Agreement, or as otherwise agreed in writing. If Arcasya believes an instruction violates Applicable Data Protection Law, it will promptly notify Client.
2.3 Processor Role
Arcasya processes Personal Data as a Data Processor acting on behalf of Client. Arcasya shall not process Personal Data for its own independent purposes, sell Personal Data, or use Personal Data to train AI models without Client’s explicit written authorization.
3. Client Obligations
Client represents and warrants that:
- It has a valid legal basis for processing Personal Data under Applicable Data Protection Law and for sharing that data with Arcasya.
- It has provided all required notices to and obtained all required consents from Data Subjects whose Personal Data is processed under this DPA.
- It will provide Arcasya with clear and lawful processing instructions and promptly update those instructions as needed.
- It is responsible for the accuracy, quality, and legality of Personal Data submitted to the Services.
4. Arcasya’s Obligations as Data Processor
4.1 Confidentiality
Arcasya shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and have received training on data protection requirements.
4.2 Security
Arcasya shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, consistent with the standards described in Arcasya’s Security Overview (incorporated by reference). At minimum, these measures include:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest, including AES-256-GCM encryption of integration tokens.
- Role-based access controls and multi-factor authentication for personnel accessing production systems.
- Regular security reviews and vulnerability management.
- Incident detection, response, and notification procedures.
4.3 Sub-processors
Client authorizes Arcasya to engage the sub-processors listed in Arcasya’s Subprocessor List (published at www.arcasya.ai/subprocessors), which is incorporated into this DPA by reference. Arcasya will:
- Notify Client at least 30 days in advance of adding or replacing a material sub-processor.
- Impose data protection obligations on sub-processors no less protective than those in this DPA.
- Remain liable to Client for the acts and omissions of sub-processors to the extent Arcasya would be liable if performing the processing directly.
If Client objects to a new sub-processor, it must notify Arcasya within 14 days of the notice. If the Parties cannot resolve the objection, Client may terminate the affected Services with 30 days’ written notice without penalty.
4.4 Data Subject Rights
Arcasya shall provide reasonable assistance to Client in fulfilling its obligations to respond to Data Subject requests (access, correction, deletion, portability, objection) under Applicable Data Protection Law. Arcasya will redirect any Data Subject requests received directly to Client within 5 business days.
4.5 Privacy Impact Assessments
Arcasya shall provide reasonable cooperation and information to assist Client in conducting data protection impact assessments (DPIAs) or privacy impact assessments where required by Applicable Data Protection Law.
4.6 Deletion and Return of Data
Upon termination or expiration of the Principal Agreement, or upon Client’s written request, Arcasya shall securely delete or return all Personal Data processed under this DPA within 30 days, except to the extent retention is required by applicable law. Arcasya will provide written confirmation of deletion upon request.
4.7 Audit Rights
Arcasya shall make available to Client all information reasonably necessary to demonstrate compliance with this DPA. Upon 30 days’ advance written notice, Arcasya will cooperate with audits or inspections conducted by Client or a qualified third-party auditor, subject to reasonable confidentiality protections. Audit costs are borne by Client unless the audit reveals a material breach by Arcasya.
5. Security Incident Notification
In the event of a confirmed Security Incident affecting Personal Data processed under this DPA, Arcasya shall:
- Notify Client without undue delay and no later than 72 hours after confirming the incident.
- Provide a written incident report including: nature of the incident, categories and approximate volume of Personal Data affected, likely consequences, and measures taken or proposed to address the incident.
- Cooperate with Client’s reasonable requests to assist in fulfilling Client’s notification obligations to Data Subjects and regulatory authorities.
Arcasya’s notification does not constitute an admission of fault or liability.
6. International Data Transfers
Arcasya is based in the United States. Where Personal Data originates from the European Economic Area (EEA), United Kingdom, or Switzerland and is transferred to Arcasya for processing, the Parties agree that such transfer is made pursuant to:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module 2: Controller to Processor), incorporated into this DPA by reference and deemed executed upon signature of this DPA; or
- Such other lawful transfer mechanism as agreed by the Parties in writing.
For UK transfers, the UK International Data Transfer Addendum (IDTA) to the EU SCCs applies where required.
7. CCPA-Specific Provisions
To the extent Arcasya processes Personal Information (as defined under CCPA/CPRA) on behalf of Client:
- Arcasya is a “Service Provider” as defined under CCPA/CPRA.
- Arcasya shall not sell or share Personal Information, retain it outside the scope of the Services, or use it for any commercial purpose other than performing the Services.
- Arcasya certifies that it understands and will comply with the restrictions applicable to Service Providers under CCPA/CPRA.
- Client retains the right to take reasonable and appropriate steps to ensure Arcasya uses Personal Information consistently with Client’s obligations under CCPA/CPRA.
8. Limitation of Liability
Each Party’s liability under this DPA is subject to the limitations set forth in the Principal Agreement. Nothing in this DPA is intended to expand either Party’s liability beyond what is permitted under the Principal Agreement, except to the extent required by Applicable Data Protection Law.
9. Term and Termination
This DPA takes effect on the date both Parties sign it and remains in effect for the duration of the Principal Agreement. It automatically terminates upon expiration or termination of the Principal Agreement, subject to obligations that survive termination (including data deletion, confidentiality, and audit cooperation).
10. Order of Precedence
In the event of a conflict between this DPA and the Principal Agreement with respect to the processing of Personal Data, this DPA controls. In all other respects, the Principal Agreement controls.
11. Governing Law
This DPA is governed by the laws of the State of Indiana, consistent with the Principal Agreement, except to the extent superseded by Applicable Data Protection Law (including GDPR where applicable).
Signature Block
By signing below, each Party agrees to the terms of this Data Processing Agreement.
On behalf of Client (Data Controller)
- Signature: ____________________________
- Printed Name: ____________________________
- Title: ____________________________
- Date: ____________________________
On behalf of True Mark Consulting, LLC DBA ArcasyaAI (Data Processor)
- Signature: ____________________________
- Printed Name: ____________________________
- Title: ____________________________
- Date: ____________________________
Schedule A — Processing Details
Complete this schedule for each client engagement. Keep it specific — vague descriptions create compliance gaps.
| Field | Details |
|---|---|
| Subject matter of processing | [Describe the specific AI automation or agent workflows being provided, e.g., ‘Lead enrichment and CRM update automation for Client’s sales pipeline’] |
| Nature of processing | [E.g., collection, storage, analysis, transmission, automated decision support] |
| Purpose of processing | [E.g., to deliver AI agent orchestration services as described in the Statement of Work dated ___] |
| Types of Personal Data | [E.g., names, email addresses, phone numbers, company information, communication history, behavioral data, etc.] |
| Categories of Data Subjects | [E.g., Client’s prospects, customers, employees, vendors] |
| Duration of processing | [E.g., for the term of the engagement, commencing ___ and ending ___] |
| Frequency of processing | [E.g., continuous / daily / triggered by workflow events] |
| Retention period | [E.g., data retained for 90 days post-engagement, then deleted] |
| Special categories of data | [Confirm whether any sensitive data is processed: health, financial, racial/ethnic origin, biometric, etc. State ‘None’ if not applicable] |
| Applicable regulations | [E.g., CCPA, GDPR, HIPAA (if BAA in place), state privacy laws] |
