Data Processing Agreement (DPA)
Data Processing Agreement (DPA)
Data Processing Agreement (DPA)
Data Processing Agreement (DPA)
Last updated on February 8th, 2024
Last updated on February 8th, 2024
Last updated on February 8th, 2024
Last updated on February 8th, 2024
1 - Introduction
This Data Processing Agreement (“Agreement”), is read in conjunction with our Terms of Service (https://tryarcane.com/legal/terms), and constitutes the entire agreement between us in respect of how personal data is handled and processed where Arcane is a data processor in respect of such processing as outlined in our Privacy and Cookies Policy (https://tryarcane.com/legal/privacy).
This Agreement sets out the additional terms, requirements and conditions on which Arcane will process Personal Data (as defined below) when providing its services under its Terms of Service. This Agreement is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Agreement.
2. Personal Data Types and Processing Purposes
The Customer and Arcane agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) Arcane shall act as controller in respect of the personal data and processing activities set out in Table 1 of paragraph 2 of its Privacy and Cookies Policy (and this Agreement does not apply to such personal data and processing activities);
(b) Arcane shall act as processor in respect of the personal data and processing activities;
(c) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Arcane.
3. Arcane's Obligations
3.1 Arcane will only process Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions, such written instructions being provided by the Customer pursuant to its use of Arcane's service whereby it chooses what services and documents to integrate with such service in accordance with Arcane's Terms of Service. Arcane will not process Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. Arcane must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
3.2. Arcane must comply promptly with any Customer written instructions requiring Arcane to amend, transfer, delete or otherwise process Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3. Arcane will maintain the confidentiality of Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Arcane to process or disclose Personal Data to a third party, Arcane must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
4 - Security
4.1 Arcane must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
4.2 Arcane must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
5. Personal Data Breach
5.1 Arcane will, without undue delay and in any event within any time periods prescribed by law, notify the Customer if it becomes aware of:
(a) the loss of part or all of Personal Data.
(b) any accidental, unauthorised or unlawful processing of Personal Data; or
(c) any Personal Data Breach.
5.2 Where Arcane becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6. Cross-Border Transfers of Personal Data
6.1 Arcane (and any subcontractor) may transfer or otherwise process Personal Data outside the UK provided that it complies with the terms of this Agreement in doing so.
6.2 Arcane may only process, or permit the processing, of Personal Data outside the UK under the following conditions:
(a) Arcane is processing Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
(b) Arcane participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Arcane (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR; or
(c) the transfer otherwise complies with the Data Protection Legislation.6.3 If any Personal Data transfer between the Customer and Arcane requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to Arcane outside the EEA), the parties will complete all relevant details in, and execute, the SCCs, and take all other actions required to legitimise the transfer.
7 - Subcontractors (including Processors and Subprocessors)
7.1 Arcane may only authorise a third party (including any Processor and Subprocessor) (”subcontractor”) to process Personal Data if Arcane enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement or, where that is not practically possible, on that subcontractor’s standard terms of engagement.
7.2 Those subcontractors approved as at the commencement of this Agreement are as set out at the end of this Agreement.
7.3 The Parties agree that Arcane will be deemed to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
7.4 Your marketing data (metadata, keywords, assets, parameters, and performance analytics) may be securely shared with select third-party AI models and data sub-contractors and -processors.
7.5 Arcane's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Sub-Processors (and link to privacy notices)
Infrastructure
Amazon Web Services (AWS) - Cloud hosted infrastructure and services used to operate the System (https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/)
Platform
OpenAI - Service provider for hosting large language models and embeddings (https://openai.com/policies)
Datadog - Security and application logging (https://www.datadoghq.com/security/)
Business Operations
Segment - Event logging for analytics (https://www.twilio.com/en-us/legal/privacy)
June.so - Event logging for analytics (https://help.june.so/en/collections/3766023-security-privacy-terms)
Snowflake - Data warehouse for analytics (https://www.snowflake.com/snowflakes-security-compliance-reports/)
Loops.so - Transactional, broadcast, and marketing messaging (https://loops.so/privacy)
8 - Term and Termination
8.1 This Agreement will remain in full force and effect so long as:(a) the Customer is still a party to the Terms of Service; or (b) Arcane retains any Personal Data related to the Terms of Service in its possession or control (Term).
9 - Data Return and Destruction
9.1 At the Customer's request, Arcane will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
9.2 On termination of the Terms of Service for any reason or expiry of its term, Arcane will (in accordance with the timelines set out in such Terms of Service securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Agreement in its possession or control.
9.3 If any law, regulation, or government or regulatory body requires Arcane to retain any documents or materials or Personal Data that Arcane would otherwise be required to return or destroy, then it shall be entitled to so retain such documents, materials and/or Personal Data as prescribed by such law, regulation, or government or regulatory body.
1 - Introduction
This Data Processing Agreement (“Agreement”), is read in conjunction with our Terms of Service (https://tryarcane.com/legal/terms), and constitutes the entire agreement between us in respect of how personal data is handled and processed where Arcane is a data processor in respect of such processing as outlined in our Privacy and Cookies Policy (https://tryarcane.com/legal/privacy).
This Agreement sets out the additional terms, requirements and conditions on which Arcane will process Personal Data (as defined below) when providing its services under its Terms of Service. This Agreement is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Agreement.
2. Personal Data Types and Processing Purposes
The Customer and Arcane agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) Arcane shall act as controller in respect of the personal data and processing activities set out in Table 1 of paragraph 2 of its Privacy and Cookies Policy (and this Agreement does not apply to such personal data and processing activities);
(b) Arcane shall act as processor in respect of the personal data and processing activities;
(c) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Arcane.
3. Arcane's Obligations
3.1 Arcane will only process Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions, such written instructions being provided by the Customer pursuant to its use of Arcane's service whereby it chooses what services and documents to integrate with such service in accordance with Arcane's Terms of Service. Arcane will not process Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. Arcane must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
3.2. Arcane must comply promptly with any Customer written instructions requiring Arcane to amend, transfer, delete or otherwise process Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3. Arcane will maintain the confidentiality of Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Arcane to process or disclose Personal Data to a third party, Arcane must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
4 - Security
4.1 Arcane must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
4.2 Arcane must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
5. Personal Data Breach
5.1 Arcane will, without undue delay and in any event within any time periods prescribed by law, notify the Customer if it becomes aware of:
(a) the loss of part or all of Personal Data.
(b) any accidental, unauthorised or unlawful processing of Personal Data; or
(c) any Personal Data Breach.
5.2 Where Arcane becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6. Cross-Border Transfers of Personal Data
6.1 Arcane (and any subcontractor) may transfer or otherwise process Personal Data outside the UK provided that it complies with the terms of this Agreement in doing so.
6.2 Arcane may only process, or permit the processing, of Personal Data outside the UK under the following conditions:
(a) Arcane is processing Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
(b) Arcane participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Arcane (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR; or
(c) the transfer otherwise complies with the Data Protection Legislation.6.3 If any Personal Data transfer between the Customer and Arcane requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to Arcane outside the EEA), the parties will complete all relevant details in, and execute, the SCCs, and take all other actions required to legitimise the transfer.
7 - Subcontractors (including Processors and Subprocessors)
7.1 Arcane may only authorise a third party (including any Processor and Subprocessor) (”subcontractor”) to process Personal Data if Arcane enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement or, where that is not practically possible, on that subcontractor’s standard terms of engagement.
7.2 Those subcontractors approved as at the commencement of this Agreement are as set out at the end of this Agreement.
7.3 The Parties agree that Arcane will be deemed to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
7.4 Your marketing data (metadata, keywords, assets, parameters, and performance analytics) may be securely shared with select third-party AI models and data sub-contractors and -processors.
7.5 Arcane's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Sub-Processors (and link to privacy notices)
Infrastructure
Amazon Web Services (AWS) - Cloud hosted infrastructure and services used to operate the System (https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/)
Platform
OpenAI - Service provider for hosting large language models and embeddings (https://openai.com/policies)
Datadog - Security and application logging (https://www.datadoghq.com/security/)
Business Operations
Segment - Event logging for analytics (https://www.twilio.com/en-us/legal/privacy)
June.so - Event logging for analytics (https://help.june.so/en/collections/3766023-security-privacy-terms)
Snowflake - Data warehouse for analytics (https://www.snowflake.com/snowflakes-security-compliance-reports/)
Loops.so - Transactional, broadcast, and marketing messaging (https://loops.so/privacy)
8 - Term and Termination
8.1 This Agreement will remain in full force and effect so long as:(a) the Customer is still a party to the Terms of Service; or (b) Arcane retains any Personal Data related to the Terms of Service in its possession or control (Term).
9 - Data Return and Destruction
9.1 At the Customer's request, Arcane will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
9.2 On termination of the Terms of Service for any reason or expiry of its term, Arcane will (in accordance with the timelines set out in such Terms of Service securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Agreement in its possession or control.
9.3 If any law, regulation, or government or regulatory body requires Arcane to retain any documents or materials or Personal Data that Arcane would otherwise be required to return or destroy, then it shall be entitled to so retain such documents, materials and/or Personal Data as prescribed by such law, regulation, or government or regulatory body.
1 - Introduction
This Data Processing Agreement (“Agreement”), is read in conjunction with our Terms of Service (https://tryarcane.com/legal/terms), and constitutes the entire agreement between us in respect of how personal data is handled and processed where Arcane is a data processor in respect of such processing as outlined in our Privacy and Cookies Policy (https://tryarcane.com/legal/privacy).
This Agreement sets out the additional terms, requirements and conditions on which Arcane will process Personal Data (as defined below) when providing its services under its Terms of Service. This Agreement is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Agreement.
2. Personal Data Types and Processing Purposes
The Customer and Arcane agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) Arcane shall act as controller in respect of the personal data and processing activities set out in Table 1 of paragraph 2 of its Privacy and Cookies Policy (and this Agreement does not apply to such personal data and processing activities);
(b) Arcane shall act as processor in respect of the personal data and processing activities;
(c) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Arcane.
3. Arcane's Obligations
3.1 Arcane will only process Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions, such written instructions being provided by the Customer pursuant to its use of Arcane's service whereby it chooses what services and documents to integrate with such service in accordance with Arcane's Terms of Service. Arcane will not process Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. Arcane must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
3.2. Arcane must comply promptly with any Customer written instructions requiring Arcane to amend, transfer, delete or otherwise process Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3. Arcane will maintain the confidentiality of Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Arcane to process or disclose Personal Data to a third party, Arcane must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
4 - Security
4.1 Arcane must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
4.2 Arcane must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
5. Personal Data Breach
5.1 Arcane will, without undue delay and in any event within any time periods prescribed by law, notify the Customer if it becomes aware of:
(a) the loss of part or all of Personal Data.
(b) any accidental, unauthorised or unlawful processing of Personal Data; or
(c) any Personal Data Breach.
5.2 Where Arcane becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6. Cross-Border Transfers of Personal Data
6.1 Arcane (and any subcontractor) may transfer or otherwise process Personal Data outside the UK provided that it complies with the terms of this Agreement in doing so.
6.2 Arcane may only process, or permit the processing, of Personal Data outside the UK under the following conditions:
(a) Arcane is processing Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
(b) Arcane participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Arcane (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR; or
(c) the transfer otherwise complies with the Data Protection Legislation.6.3 If any Personal Data transfer between the Customer and Arcane requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to Arcane outside the EEA), the parties will complete all relevant details in, and execute, the SCCs, and take all other actions required to legitimise the transfer.
7 - Subcontractors (including Processors and Subprocessors)
7.1 Arcane may only authorise a third party (including any Processor and Subprocessor) (”subcontractor”) to process Personal Data if Arcane enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement or, where that is not practically possible, on that subcontractor’s standard terms of engagement.
7.2 Those subcontractors approved as at the commencement of this Agreement are as set out at the end of this Agreement.
7.3 The Parties agree that Arcane will be deemed to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
7.4 Your marketing data (metadata, keywords, assets, parameters, and performance analytics) may be securely shared with select third-party AI models and data sub-contractors and -processors.
7.5 Arcane's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Sub-Processors (and link to privacy notices)
Infrastructure
Amazon Web Services (AWS) - Cloud hosted infrastructure and services used to operate the System (https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/)
Platform
OpenAI - Service provider for hosting large language models and embeddings (https://openai.com/policies)
Datadog - Security and application logging (https://www.datadoghq.com/security/)
Business Operations
Segment - Event logging for analytics (https://www.twilio.com/en-us/legal/privacy)
June.so - Event logging for analytics (https://help.june.so/en/collections/3766023-security-privacy-terms)
Snowflake - Data warehouse for analytics (https://www.snowflake.com/snowflakes-security-compliance-reports/)
Loops.so - Transactional, broadcast, and marketing messaging (https://loops.so/privacy)
8 - Term and Termination
8.1 This Agreement will remain in full force and effect so long as:(a) the Customer is still a party to the Terms of Service; or (b) Arcane retains any Personal Data related to the Terms of Service in its possession or control (Term).
9 - Data Return and Destruction
9.1 At the Customer's request, Arcane will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
9.2 On termination of the Terms of Service for any reason or expiry of its term, Arcane will (in accordance with the timelines set out in such Terms of Service securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Agreement in its possession or control.
9.3 If any law, regulation, or government or regulatory body requires Arcane to retain any documents or materials or Personal Data that Arcane would otherwise be required to return or destroy, then it shall be entitled to so retain such documents, materials and/or Personal Data as prescribed by such law, regulation, or government or regulatory body.
1 - Introduction
This Data Processing Agreement (“Agreement”), is read in conjunction with our Terms of Service (https://tryarcane.com/legal/terms), and constitutes the entire agreement between us in respect of how personal data is handled and processed where Arcane is a data processor in respect of such processing as outlined in our Privacy and Cookies Policy (https://tryarcane.com/legal/privacy).
This Agreement sets out the additional terms, requirements and conditions on which Arcane will process Personal Data (as defined below) when providing its services under its Terms of Service. This Agreement is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this Agreement.
2. Personal Data Types and Processing Purposes
The Customer and Arcane agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) Arcane shall act as controller in respect of the personal data and processing activities set out in Table 1 of paragraph 2 of its Privacy and Cookies Policy (and this Agreement does not apply to such personal data and processing activities);
(b) Arcane shall act as processor in respect of the personal data and processing activities;
(c) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Arcane.
3. Arcane's Obligations
3.1 Arcane will only process Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions, such written instructions being provided by the Customer pursuant to its use of Arcane's service whereby it chooses what services and documents to integrate with such service in accordance with Arcane's Terms of Service. Arcane will not process Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. Arcane must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
3.2. Arcane must comply promptly with any Customer written instructions requiring Arcane to amend, transfer, delete or otherwise process Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3. Arcane will maintain the confidentiality of Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Arcane to process or disclose Personal Data to a third party, Arcane must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
4 - Security
4.1 Arcane must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
4.2 Arcane must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
5. Personal Data Breach
5.1 Arcane will, without undue delay and in any event within any time periods prescribed by law, notify the Customer if it becomes aware of:
(a) the loss of part or all of Personal Data.
(b) any accidental, unauthorised or unlawful processing of Personal Data; or
(c) any Personal Data Breach.
5.2 Where Arcane becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6. Cross-Border Transfers of Personal Data
6.1 Arcane (and any subcontractor) may transfer or otherwise process Personal Data outside the UK provided that it complies with the terms of this Agreement in doing so.
6.2 Arcane may only process, or permit the processing, of Personal Data outside the UK under the following conditions:
(a) Arcane is processing Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
(b) Arcane participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Arcane (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR; or
(c) the transfer otherwise complies with the Data Protection Legislation.6.3 If any Personal Data transfer between the Customer and Arcane requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to Arcane outside the EEA), the parties will complete all relevant details in, and execute, the SCCs, and take all other actions required to legitimise the transfer.
7 - Subcontractors (including Processors and Subprocessors)
7.1 Arcane may only authorise a third party (including any Processor and Subprocessor) (”subcontractor”) to process Personal Data if Arcane enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement or, where that is not practically possible, on that subcontractor’s standard terms of engagement.
7.2 Those subcontractors approved as at the commencement of this Agreement are as set out at the end of this Agreement.
7.3 The Parties agree that Arcane will be deemed to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
7.4 Your marketing data (metadata, keywords, assets, parameters, and performance analytics) may be securely shared with select third-party AI models and data sub-contractors and -processors.
7.5 Arcane's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Sub-Processors (and link to privacy notices)
Infrastructure
Amazon Web Services (AWS) - Cloud hosted infrastructure and services used to operate the System (https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/)
Platform
OpenAI - Service provider for hosting large language models and embeddings (https://openai.com/policies)
Datadog - Security and application logging (https://www.datadoghq.com/security/)
Business Operations
Segment - Event logging for analytics (https://www.twilio.com/en-us/legal/privacy)
June.so - Event logging for analytics (https://help.june.so/en/collections/3766023-security-privacy-terms)
Snowflake - Data warehouse for analytics (https://www.snowflake.com/snowflakes-security-compliance-reports/)
Loops.so - Transactional, broadcast, and marketing messaging (https://loops.so/privacy)
8 - Term and Termination
8.1 This Agreement will remain in full force and effect so long as:(a) the Customer is still a party to the Terms of Service; or (b) Arcane retains any Personal Data related to the Terms of Service in its possession or control (Term).
9 - Data Return and Destruction
9.1 At the Customer's request, Arcane will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
9.2 On termination of the Terms of Service for any reason or expiry of its term, Arcane will (in accordance with the timelines set out in such Terms of Service securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Agreement in its possession or control.
9.3 If any law, regulation, or government or regulatory body requires Arcane to retain any documents or materials or Personal Data that Arcane would otherwise be required to return or destroy, then it shall be entitled to so retain such documents, materials and/or Personal Data as prescribed by such law, regulation, or government or regulatory body.