Archilas

Data Processing Agreement (DPA)

Last updated: May 1, 2026

This DPA applies to enterprise customers where Archilas processes personal data on behalf of a customer controller. It supplements the master services agreement.

1. Subject Matter and Duration

Archilas processes personal data only as necessary to deliver contracted services. Processing duration corresponds to service term plus required retention periods.

2. Nature and Purpose of Processing

  • Account and tenant provisioning.
  • Agent execution telemetry and operational logging.
  • Security monitoring and incident response support.
  • Billing, support, and service reliability functions.

3. Types of Personal Data

  • Identifiers (names, emails, account IDs).
  • Technical data (IP, user agent, system logs).
  • Operational content and metadata provided by customer workflows.
  • Settlement metadata relevant to service accounting.

4. Categories of Data Subjects

  • Customer administrators and authorized users.
  • End users whose data is processed through customer-configured workflows.
  • Support and incident contacts.

5. Technical and Organizational Measures

  • Encryption in transit and at rest.
  • Access controls, least privilege, and authentication hardening.
  • Audit logging for critical operations.
  • Change management and incident response procedures.
  • Confidentiality commitments and operational security controls.

6. Subprocessors

Archilas may use subprocessors for hosting, authentication, payment processing, and monitoring. A current subprocessor list is available on request and updates are communicated through customer channels.

7. Data Subject Rights Assistance

Archilas provides reasonable assistance to customer controllers for data subject rights requests (access, correction, deletion, restriction, portability, objection), considering the nature of processing.

8. Breach Notification

Archilas will notify customer controllers without undue delay after becoming aware of a confirmed personal data breach affecting customer data and provide available details for regulatory notifications.

9. Audit Rights

Customers may request compliance information and, where justified, conduct audits through qualified auditors under confidentiality and reasonable operational safeguards.

10. Return or Deletion on Termination

Upon termination and customer instruction, Archilas will return or delete personal data unless retention is required by law. Backup data is handled according to secure retention lifecycle policies.

11. Standard Contractual Clauses and Transfers

For international transfers, EU Standard Contractual Clauses (and UK equivalent addenda where applicable) are incorporated by reference and apply where legally required.