Skip to main content
✨ Welcome to ArcNova Innovations | πŸ”₯ Special Offer: Get 20% off on Enterprise Cloud Solutions | πŸš€ Modernizing Businesses through Innovation

Data Processing Agreement (DPA)

Last updated: May 24, 2026 | GDPR Article 28 Compliant

This DPA applies to all customers who use our SaaS services where we process personal data on their behalf. By using our services, you agree to this DPA as part of our Terms & Conditions.

1. Definitions

  • "Controller" β€” You, the customer, who determines the purposes and means of processing personal data
  • "Processor" β€” ArcNova Innovations, who processes personal data on behalf of the Controller
  • "Data Subject" β€” An identified or identifiable natural person whose data is processed
  • "Personal Data" β€” Any information relating to a Data Subject
  • "Sub-processor" β€” A third party engaged by the Processor to process Personal Data
  • "Services" β€” The SaaS platform and related services provided by the Processor

2. Scope & Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Services as described in the Terms & Conditions. Processing includes:

  • Hosting and storing data within the deployed SaaS application
  • Database management and backups
  • Technical support when accessing customer systems (with authorization)
  • System monitoring for uptime and security

3. Types of Personal Data Processed

Depending on how the Controller uses the Services, the following categories of data may be processed:

  • Names, email addresses, phone numbers of end-users
  • Business/company information
  • Transaction and billing records
  • Any data the Controller inputs into the deployed application

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 7)
  • Not engage another processor (sub-processor) without prior written authorization of the Controller
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability)
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA)
  • Delete or return all Personal Data upon termination of services, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits

5. Obligations of the Controller

The Controller shall:

  • Ensure that processing instructions comply with applicable data protection laws
  • Obtain all necessary consents from Data Subjects before inputting their data
  • Provide clear privacy notices to their end-users
  • Notify the Processor promptly of any Data Subject requests that require Processor assistance

6. Sub-processors

The Processor may engage sub-processors to assist in providing the Services. The current list of sub-processors is available upon request. Key categories include:

  • Cloud Infrastructure Provider β€” Web hosting, server management, and data storage (United States)
  • CDN & Security Provider β€” Content delivery, DDoS protection, and SSL certificates (Global)

The Processor will notify the Controller at least 14 days before adding or replacing a sub-processor. The Controller may object within that period. A detailed sub-processor list is available upon written request to our data protection contact.

7. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. These measures include but are not limited to:

  • Encryption: Data in transit and at rest is protected using industry-standard encryption protocols
  • Access Control: Role-based access with the principle of least privilege; unique credentials per authorized personnel
  • Data Isolation: Logical and physical separation of customer data to prevent unauthorized cross-access
  • Authentication: Strong password policies with protection against unauthorized access attempts
  • Monitoring: Continuous security monitoring, logging, and alerting for suspicious activities
  • Backups: Regular automated backups with defined retention policies and tested recovery procedures
  • Vulnerability Management: Regular security assessments and timely patching of identified vulnerabilities
  • Physical Security: Data center security managed by certified infrastructure providers

A detailed description of our security measures is available upon request under a non-disclosure agreement (NDA).

8. Data Breach Notification

  • The Processor shall notify the Controller without undue delay (and within 48 hours) after becoming aware of a Personal Data breach
  • Notification shall include: nature of the breach, categories of data affected, approximate number of Data Subjects, likely consequences, and measures taken
  • The Processor shall cooperate with the Controller in investigating and mitigating the breach

9. International Data Transfers

  • Personal Data may be transferred to the United States (hosting infrastructure)
  • Transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • The Processor will implement supplementary measures where required by applicable law

10. Data Subject Rights

The Processor shall assist the Controller in fulfilling Data Subject requests including:

  • Right of access β€” providing copies of stored data
  • Right to rectification β€” correcting inaccurate data
  • Right to erasure β€” deleting data upon verified request
  • Right to data portability β€” exporting data in standard formats (CSV, JSON)
  • Right to restriction β€” limiting processing as requested

The Processor will respond to Controller assistance requests within 10 business days.

11. Audits

  • The Controller may audit the Processor's compliance with this DPA once per year
  • Audits require 30 days' advance written notice
  • Audits shall be conducted during business hours and shall not unreasonably disrupt operations
  • The Controller bears the cost of the audit unless a material breach is found

12. Term & Termination

  • This DPA remains in effect for the duration of the service agreement
  • Upon termination, the Processor shall delete all Personal Data within 30 days, unless retention is required by law
  • The Controller may request a data export before deletion
  • Obligations regarding confidentiality and data protection survive termination

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms & Conditions. The Processor shall be liable for damages caused by processing that does not comply with GDPR or this DPA.

14. Governing Law

This DPA is governed by the same law as the underlying Terms & Conditions. For EU Data Subjects, the provisions of GDPR shall take precedence where they conflict with local law.

15. Contact

For DPA-related inquiries or to request a signed copy:

  • Email: info@arcnovain.com
  • Address: ArcNova Innovations, Opposite Kachary Chowk near Gym Khana, Jhang
English English اردو Urdu Ψ§Ω„ΨΉΨ±Ψ¨ΩŠΨ© Arabic δΈ­ζ–‡ Chinese