Data Processing Addendum (DPA)
For customers who need GDPR-compatible processing terms with Arc Labs, this page provides the canonical DPA template, the current sub-processor list, and a summary of technical and organizational measures.
How to execute
- Download the DPA template (PDF): arc-labs-dpa-v1.0.pdf.
- Complete Annex A (your contact details and data categories) and Annex B (any additional technical measures specific to your deployment).
- Send the executed copy to trust@arc-labs.ai. We countersign within three business days.
For larger procurement processes, we accept your DPA template as a starting point — email trust@arc-labs.ai to begin redlines.
Sub-processors
Current list of sub-processors. Customers receive 30 days' notice before we add a new sub-processor that handles customer data.
| Provider | Purpose | Region |
|---|---|---|
| AWS | Compute, storage, networking (US, EU regions) | US-East, EU-West |
| GCP | Compute, storage (AP-South region) | AP-South |
| Cloudflare | CDN, DDoS mitigation | Global |
| Sentry | Error monitoring (PII-stripped) | US |
| Postmark | Transactional email | US |
Subscribe to the changelog RSS feed; sub-processor updates are tagged infra.
Technical and organizational measures (Annex B summary)
- TLS 1.3 in transit; AES-256-GCM at rest.
- Per-tenant row-level security in Postgres; per-tenant data keys via envelope encryption.
- Role-based access; least-privilege defaults; quarterly access reviews.
- Vulnerability scanning weekly (cargo-audit, npm audit, pip-audit).
- Backups encrypted with separate keys; key rotation quarterly.
- Incident response runbook; customer notification within 24 hours of confirmed incident.
- Hard-delete on customer request; tombstones in audit log; no memory content retained.
Full TOMs are in Annex B of the executed DPA. The /security page has the public-facing version.
Procurement contact
For DPA execution, security questionnaires, SOC 2 status, or insurance certificates:
trust@arc-labs.ai