Data Processing Addendum

Version: 1.0

Last updated: 26 Jan 2026

Contact: [email protected]

This DPA forms part of the Terms or your Order. It applies where Arrowdot processes Customer Personal Data on your behalf.

1. Roles

You are the Controller and Arrowdot is the Processor.

For End-User Data collected by apps you publish, you are Controller and Arrowdot is your Processor.

For Customer-managed integrations you connect directly (for example, your own OpenAI key or your own S3 bucket), Arrowdot does not engage that third-party service as a sub-processor. Each of you has a direct relationship with that provider, and its processing of your data is governed by your own agreement with it.

2. Processing instructions

We will process Customer Personal Data only:

  • to provide, secure, and support the service,
  • as documented in this DPA and the Terms, and
  • on your written instructions, including via product configuration and APIs.

We will promptly inform you if we believe an instruction violates law.

3. Confidentiality and personnel

We ensure personnel with access are bound by confidentiality and receive appropriate privacy/security training.

4. Security

We implement the technical and organisational measures described in Annex II and at Security & Vulnerability Disclosure, including encryption in transit, access control with MFA, logging, and backups.

5. Sub-processors

You authorise our use of sub-processors listed at Sub-processors. We will:

  • impose data protection terms no less protective than this DPA, and
  • provide advance notice of new sub-processors on that page and via email if you subscribe.

You may object on reasonable grounds; we will work in good faith to resolve or suggest alternatives.

6. International transfers

If we transfer Customer Personal Data outside the UK/EEA, we will use valid transfer safeguards (EU SCCs 2021/914, Module 2; UK IDTA/Addendum).

Details are in Annex I-C.

7. Assistance

Taking into account the nature of processing, we will assist you with:

  • data subject requests,
  • security and breach notifications,
  • DPIAs and consultation with regulators,
  • deletion or return on termination.

8. Breach notification

We will notify you without undue delay and within 72 hours of confirming a Personal Data Breach affecting Customer Personal Data, and provide updates with available details.

9. Audits

On reasonable prior notice, once in any 12-month period (and additionally in an emergency), you may audit our compliance via:

  • current third-party reports we provide (e.g., penetration test summaries), and where necessary,
  • a focused on-site or remote review. Audits must not unreasonably disrupt our business, and you will protect our confidentiality.

10. Return or deletion

Within 30 days after termination, on your request we will return Customer Personal Data and then delete or anonymise it from systems, subject to legal retention.

11. Duration

This DPA follows the Term and survives as required to complete deletion, legal retention, and audits.

12. Order of precedence

If this DPA conflicts with the Terms, this DPA controls for data protection matters.

Annex I – Description of processing

A. Controller

Customer named in the Order.

B. Processor

Arrowdot Ltd.

Subject matter

Hosting, execution, and operation of AI-assisted apps and data pipelines; platform telemetry and support.

Duration

Term of the service plus 30 days for export/deletion, unless law requires longer.

Nature and purpose

To provide the platform and related support; secure, monitor, and improve service performance; handle incidents.

Categories of data subjects

Your employees and contractors, end users of your published apps, and other individuals whose data you choose to process.

Categories of personal data

Determined by you. Typical examples: identifiers, contact data, usage events, business records, file contents. Special categories of personal data are not intended to be processed, but may be if you choose to submit them.

Frequency of transfer

Continuous as needed to provide the service.

Location of processing

The Arrowdot platform operates in multiple regions, including the United Kingdom and the United States. Customer data may be processed or stored in any region where Arrowdot or its sub-processors operate. At this time, customer data is not isolated to a single region. International transfer safeguards are described in Annex I-C and the Sub-processors page.

Annex I-C – International transfers and safeguards

  • EEA to non-EEA: EU SCCs 2021/914, Module 2 (Controller→Processor).
  • UK to non-adequate: UK Addendum to the EU SCCs.
  • Transfers are limited to sub-processors identified in the Sub-processors list and to our hosting regions.

Annex II – Technical and organisational measures (summary)

  • Access control with SSO/MFA; least-privilege roles; quarterly access reviews.
  • Encryption in transit (TLS 1.2+) and at rest for platform-hosted data.
  • Secrets management and key rotation.
  • Network security, firewall rules, WAF/CDN as applicable.
  • Logging and audit trails; security event monitoring.
  • Backups with periodic restore testing.
  • Secure SDLC, code review, dependency scanning.
  • Vendor risk review for sub-processors.
  • Incident response runbook; 24x7 paging for critical incidents.
  • Staff training and confidentiality obligations.

Annex III – Sub-processors

See live list at Sub-processors.