Arcflux alpha launches June 29, 2026 — join the waitlist for early access.
← Legal
// legal

Data Processing Agreement

Last updated June 16, 2026 · Version 1

Data Processing Agreement

Effective date: June 15, 2026 Last updated: June 15, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between Arcflux, Inc., a Delaware corporation ("Arcflux," "we," "us," or "our"), and the customer agreeing to the Agreement ("Customer," "you," or "your"). It governs Arcflux's Processing of Customer Personal Data when you use the Arcflux platform and related services (the "Services"). Where this DPA conflicts with the rest of the Agreement on the subject of data protection, this DPA prevails.

1. Definitions

Terms such as Controller, Processor, Sub-processor, Personal Data, Processing, Data Subject, Personal Data Breach, and Supervisory Authority have the meanings given in applicable Data Protection Laws.

  • Data Protection Laws — all laws applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Swiss FADP, the California Consumer Privacy Act as amended (CCPA/CPRA), and other applicable U.S. state privacy laws and the New Zealand Privacy Act 2020.
  • Customer Personal Data — Personal Data contained within Customer Data that Arcflux Processes on Customer's behalf under the Agreement.
  • Standard Contractual Clauses (SCCs) — the clauses approved by the European Commission for transfers of Personal Data to third countries, and, for the UK, the UK International Data Transfer Addendum.

2. Roles and scope

For Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Arcflux is the Processor (or Sub-processor). Each party will comply with its obligations under Data Protection Laws.

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

3. Processing of Customer Personal Data

Arcflux will Process Customer Personal Data only:

  • on Customer's documented instructions, including as set out in the Agreement, this DPA, and Customer's configuration and use of the Services (which together constitute Customer's complete instructions); and
  • as necessary to provide, secure, and support the Services, and to comply with applicable law.

If Arcflux is required by law to Process Customer Personal Data otherwise, it will inform Customer before doing so unless that law prohibits it. Arcflux will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Customer responsibilities

Customer is responsible for the lawfulness of Customer Personal Data and of its instructions, including having an appropriate legal basis, providing required notices, and obtaining any necessary consents. Customer is responsible for the accuracy of the data it provides and for configuring its Workflows, including any guardrails and human-approval steps, appropriately for the data it Processes.

5. Confidentiality

Arcflux will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and Process the data only as instructed.

6. Security

Arcflux will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of Processing. A description of these measures is set out in Annex II.

7. Sub-processors

Customer provides a general authorization for Arcflux to engage Sub-processors to Process Customer Personal Data, including the third-party infrastructure providers and AI model providers needed to operate the Services. A current list of Sub-processors is available at Subprocessors.

Arcflux will: (a) impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA; (b) remain liable for its Sub-processors' performance; and (c) give Customer notice of new Sub-processors [via the Subprocessors page / by email to subscribed Customers] before they begin Processing, allowing Customer a reasonable period to object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection, Customer may terminate the affected Services as its exclusive remedy.

8. Data Subject rights

Taking into account the nature of the Processing, Arcflux will provide reasonable assistance, including through appropriate technical and organizational measures and the self-service features of the Services, to help Customer respond to requests from Data Subjects to exercise their rights. If Arcflux receives such a request directly relating to Customer Personal Data, it will, where lawful, direct the Data Subject to Customer rather than respond itself.

9. Assistance with compliance

Taking into account the nature of Processing and the information available to Arcflux, Arcflux will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with Supervisory Authorities, and Customer's obligations relating to the security of Processing and Personal Data Breaches.

10. Personal Data Breaches

Arcflux will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its breach-notification obligations. Arcflux's notification is not an acknowledgment of fault or liability.

11. International transfers

Where Arcflux Processes Customer Personal Data originating from the EEA, UK, or Switzerland in a country that has not been recognized as providing an adequate level of protection, the parties agree that the SCCs (and the UK Addendum and any Swiss amendments, as applicable) are incorporated into and form part of this DPA, with the modules and options selected as set out in Annex I. In case of conflict, the SCCs prevail over the rest of the Agreement.

12. Deletion and return

On termination or expiry of the Agreement, Arcflux will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, except to the extent that retention is required by law. Where deletion cannot be performed immediately (for example, data held in backups), Arcflux will isolate the data and protect it from further Processing until deletion is possible. [State your standard post-termination export window and deletion timeline, e.g., export available for N days, deletion within N days.]

13. Audits and compliance

Arcflux will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Customer's audit rights may be satisfied by Arcflux providing relevant third-party audit reports or certifications [e.g., SOC 2, where available]. Where an on-site audit is required by Data Protection Laws, it will be conducted on reasonable prior notice, no more than [once per year] except as required by a Supervisory Authority, during business hours, and subject to confidentiality, in a manner that minimizes disruption.

14. AI model providers and Customer Personal Data

To provide the Services, Customer Personal Data within a Workflow may be Processed by third-party AI model providers acting as Sub-processors, as needed to execute the model steps Customer configures. Arcflux does not use Customer Personal Data to train its own models, and contracts with model providers on terms intended to prevent the use of Customer Personal Data to train their models. Customer controls which data enters its Workflows and which model steps run, including through per-workflow scoping and approval gates.

15. U.S. state privacy laws

To the extent the CCPA/CPRA or another U.S. state privacy law applies, Arcflux acts as a "service provider" (or equivalent) and will: Process Customer Personal Data only for the business purposes specified in the Agreement; not "sell" or "share" it; not retain, use, or disclose it outside the direct business relationship or as otherwise prohibited; and not combine it with other data except as permitted. Arcflux certifies that it understands and will comply with these restrictions.

16. Liability and precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not increase those limits beyond what applicable law requires.

17. Term

This DPA takes effect when Customer accepts the Agreement (or when Customer begins using the Services) and continues until Arcflux has ceased all Processing of Customer Personal Data.

18. Contact

Questions about this DPA, or data-protection notices, can be sent to:

Arcflux, Inc. 2261 Market Street, STE 65143 San Francisco, CA 94114, United States Email: info@arcflux.ai


Annex I — Details of Processing

Roles. Customer: Controller (or Processor). Arcflux: Processor (or Sub-processor).

Subject matter. Arcflux's provision of the Services to Customer.

Duration. For the term of the Agreement and until deletion or return of Customer Personal Data under Section 12.

Nature and purpose. Hosting, storage, transmission, and Processing of Customer Personal Data as necessary to operate the Services, including running Customer's Workflows (triggers, AI model steps, tools, integrations, and real-time channels), providing knowledge-base features, and supporting and securing the Services.

Types of Personal Data. Determined by Customer through the data it submits to and Processes through the Services. May include [identifiers and contact details, account and profile data, content of messages and documents, and any other Personal Data Customer chooses to include in its Workflows or knowledge base]. Customer is responsible for not submitting special-category data except as intended and lawful.

Categories of Data Subjects. Determined by Customer. May include [Customer's personnel, end users, customers, and contacts whose data Customer Processes through the Services].

SCC module selection (where the SCCs apply). [Module Two (Controller-to-Processor) where Customer is a Controller; Module Three (Processor-to-Processor) where Customer is itself a Processor. Specify docking, optional clauses, governing-law and forum selections, and the supervisory authority — confirm with counsel.]

Annex II — Technical and Organizational Measures

The following describes Arcflux's security measures. Reconcile each item with actual practice before publishing.

  • Encryption. Encryption of Customer Personal Data in transit [and at rest — confirm].
  • Access control. Role-based access controls, least-privilege access for personnel, and authentication safeguards. [SSO/SAML available on enterprise plans — confirm status.]
  • Workflow isolation. Per-workflow scoping of data and credentials, and human-approval gates for sensitive actions.
  • Logging and monitoring. Run-level auditing and security logging to detect and investigate issues.
  • Network and infrastructure security. [Describe hosting, segmentation, and protections provided by your infrastructure providers.]
  • Resilience and backups. [Describe backup and recovery measures.]
  • Vulnerability and change management. [Describe patching, testing, and secure-development practices.]
  • Personnel. Confidentiality obligations and [security training].
  • Sub-processor management. Contractual data-protection obligations flowed down to Sub-processors.
  • Data isolation. [Dedicated data isolation available on enterprise plans / roadmap — confirm.]

Annex III — Sub-processors

A current list of Sub-processors, including the entity, the Processing it performs, and its location, is maintained at Subprocessors. At minimum it includes [Arcflux's infrastructure/hosting provider], [the payment processor], and the AI model providers used by the Services (including OpenAI, Anthropic, Google, xAI, and Groq). [Keep this annex and the online list consistent.]