Last updated 3/21/2024

This Data Protection Agreement (“DPA”) is entered into between Arctrieval, Inc. (“Arctrieval”) and the customer who purchased the Arctrieval Services (“Subscriber”) (Each a “Party” or collectively, the “Parties”) as set forth in one or more Orders. This DPA is incorporated into and forms part of the Parties’ Arctrieval Terms of Service and applicable Order (hereinafter, collectively the “Terms of Service”).

Subscriber enters into this DPA on behalf of itself and, to the extent required under applicable Privacy and Data Protection Requirements, in the name and on behalf of its Authorized Affiliates, if and to the extent Arctrieval processes Personal Information for which such Authorized Affiliates qualify as the Controller. For this DPA only, except where indicated otherwise, the term “Subscriber” shall include Subscriber and Authorized Affiliates. Capitalized terms not defined herein shall have the same meaning set forth in Arctrieval’s Terms of Service.

SECTION I: DEFINITIONS AND INTERPRETATION

1.1. Definitions.

“Authorized Affiliate” means any entity that directly or indirectly controls is controlled by, or is under common control with the subject entity (“Control” for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity) which is permitted to use the Services pursuant to the Terms of Services Agreement between Subscriber and Arctrieval, but has not signed its own Terms of Service Agreement with Arctrieval and is not “Subscriber” as defined under this DPA.

“Business Purpose” means the purpose of delivering the Arctrieval Services, as such term is defined in the Terms of Service (hereinafter the “Services”).

“Controller” means the entity that determines the purposes and means of Processing Personal Information.

“Data Subject” means an individual who is the subject of Personal Information.

“Employee” means any natural person in their capacity as a worker. It includes temporary employees, agents, executors, contractors, contingent workers, and other workers.

“Personal Information” means (a) any information Arctrieval processes for Subscriber that identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Arctrieval’s possession/control or that Arctrieval is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise defined as protected personal information.

“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, storing, or holding the data, or carrying out any operation or set of operations on the data, including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, transmitting, or destroying it. Processing also includes transferring Personal Information to third parties.

“Processor” means the Party that Processes Personal Information on behalf of the Controller, including, as applicable, any “Service Provider” as that term is defined by the CCPA.

“Privacy and Data Protection Requirements” means applicable laws and regulations to which Arctrieval is subject, relating to the processing, protection, or privacy of personal information, including, where applicable, the common law and the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. Depending on the scope of processing set forth elsewhere in this DPA, this may include the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder (“CCPA”).

“Security Breach” means a breach of Arctrieval’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information in Arctrieval’s possession, custody or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

“Standard Contractual Clauses” or “SCCs” refer to any standardized contractual clauses promulgated by a jurisdiction’s data protection regulator or authority to legitimize the flow of personal information to other jurisdictions.

“Sub-processor” means any Processor engaged by Arctrieval.

“Term” refers to the period of time during which this DPA is in full force and effect, as governed under Section 12 of this DPA.

1.2. Interpretation.

For the sake of readability, this DPA does not use initial capitalization of most defined terms. Any defined terms shall be construed as defined, regardless of their capitalization.

A reference to writing or written includes email.

Notwithstanding anything contrary in the Subscription Agreement, if there is a conflict between this DPA and the Subscription Agreement, this DPA will control. In case of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

SECTION II: PERSONAL INFORMATION TYPES AND PROCESSING PURPOSES

The parties acknowledge and agree that with regard to the Processing of Personal Information, Subscriber is the Controller and Arctrieval is the Processor, as applicable, and that Arctrieval will engage Sub-processors pursuant to the requirements set forth in Section 9 below.

Arctrieval shall process Personal Information for the purposes of providing the Services, as set forth in the Terms of Service, or this DPA. Arctrieval shall not determine the purposes or means of processing the Personal Information. Unless otherwise set forth herein or in the Terms of Service, Subscriber, either on its own behalf or on behalf of the Controller, shall ensure that it is lawful under the applicable Privacy and Data Protection Requirements for Arctrieval to process the personal data and that necessary notices have been or shall be provided to data subjects. Subscriber shall also be responsible for the processing instructions it gives Arctrieval.

SECTION III: ARCTRIEVAL’S OBLIGATIONS

Arctrieval will process the Personal Information to the extent, and in such a manner, as is necessary for the business purposes in accordance with Subscriber’s instructions for the following specific purposes: (i) Processing in accordance with the Terms of Service; (ii) Processing initiated by end users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Subscriber (e.g., via email or support ticket) where such instructions are consistent with the terms of the Terms of Service.

Arctrieval will reasonably comply with Subscriber’s written request or instruction requiring Arctrieval to amend, transfer, or delete Personal Information, or to stop, mitigate, or remedy unauthorized processing of this Personal Information.

Arctrieval will maintain the confidentiality of Personal Information and will not disclose it to third parties unless Subscriber or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Arctrieval to process or disclose Personal Information, Arctrieval will first inform Subscriber of the legal requirement and give Subscriber an opportunity to object or challenge the requirement, unless the law prohibits such notice, and provided such opportunity for objection or challenge does not serve to prejudice Arctrieval or subject Arctrieval to liability for non-disclosure. Any disclosure of Personal Information shall be limited to the minimum necessary to accomplish the purpose of the disclosure.

Subscriber acknowledges that Arctrieval is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Subscriber instructions or personal information except when required under the Privacy and Data Protection Requirements.

Arctrieval acknowledges and agrees that it is a “service provider” as defined under CCPA and shall not (a) “sell” or “share” (as both terms are defined in the CCPA) Personal Information; or (b) retain, use, or disclose any Personal Information for any purpose other than for the specific purpose of providing the Services under the Terms of Services, including retaining, using, or disclosing Personal Information for a commercial purpose (as defined in CCPA) other than providing the Services under the Terms of Service.

Arctrieval shall notify Subscriber in the event Arctrieval makes a determination that it can no longer meet its obligations under Privacy and Data Protection Requirements.

To the extent Arctrieval receives deidentified data from Subscriber or the Services under the Subscription Agreement allow for the deidentification of Personal Information, Arctrieval represents and warrants to not reidentify, attempt to reidentify, or direct any other party to reidentify any data that has been deidentified.

SECTION IV: ARCTRIEVAL’S EMPLOYEES

Arctrieval will limit Personal Information access to:

• (a) those employees who require Personal Information access to meet Arctrieval’s obligations under this DPA and the Subscription Agreement; and
• (b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

Arctrieval will ensure that its relevant employees:

• (a) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
• (b) are aware both of Arctrieval’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.

Arctrieval will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks to the extent permissible under applicable law, on Arctrieval’s employees with access to Personal Information.

SECTION V: SUBSCRIBER OBLIGATIONS

Subscriber is solely responsible for its use of the Services, including (a) obtaining any needed consents or authorizations for Arctrieval to process Personal Information; (b) without limitation of Arctrieval’s obligations under Section 6 (Security), making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Information; (c) securing the account authentication credentials, systems and devices Subscriber uses to access the Services; (d) securing Subscriber’s systems and devices that Arctrieval uses to provide the Services; and (e) backing up Personal Information (if not provided by the Services).

SECTION VI: SECURITY

Arctrieval will endeavor to maintain appropriate technical and organizational measures to safeguard Personal Information against unauthorized or unlawful processing and against accidental loss, destruction, disclosure, or damage. The appropriateness of such measures shall be judged against the risk of harm to Subscriber or to data subjects if the data were to be used, disclosed, altered, or deleted without proper authorization. Nevertheless, Arctrieval agrees to maintain a level of security appropriate to the risk. Arctrieval will take commercially reasonable steps to document those measures in writing and periodically review them, at least annually, to ensure they remain current, complete, and appropriate to the risk.

Arctrieval shall promptly remediate any non-public vulnerability that jeopardizes Personal Information if it becomes aware that an exploit of the vulnerability is available and known to persons or organizations other than Arctrieval, its employees, contractors, and other agents.

SECTION VII: SECURITY BREACHES AND DATA LOSS

Arctrieval will promptly notify Subscriber without undue delay after becoming aware of a Security Breach. Such notification shall, to the extent possible, describe the categories of Personal Information affected, the approximate number of data subjects involved, the steps taken to investigate and remedy the breach, and provide the contact information for a person that can respond to questions regarding the Security Breach. Such information may be provided in phases as it becomes available.

Following discovery of a Security Breach, Arctrieval shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.

Subject to Section 13, Arctrieval will cover reasonable expenses associated with the performance of the obligations described above in Section 7, unless the matter arose from Subscriber’s specific instructions, negligence, willful default, or breach of this DPA, in which case Subscriber will cover these expenses.

SECTION VIII: SUB-PROCESSORS

Subscriber acknowledges and agrees that Arctrieval may engage third-party Sub-processors in connection with the provision of the Services. Arctrieval has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Information to the extent applicable to the nature of the services provided by such Sub-processor.

Arctrieval shall be liable for the acts and omissions of its Sub-processors to the same extent Arctrieval would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Terms of Service. Arctrieval will refund Subscriber any prepaid fees covering the remainder of the term of such Terms of Service Agreement following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Subscriber.

SECTION IX: DATA SUBJECT REQUESTS AND COMPLAINTS/THIRD-PARTY INQUIRIES, REQUESTS, AND COMPLAINTS

Arctrieval will notify Subscriber promptly if it receives any complaint, notice, or communication directly or indirectly related to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements. This shall include requests or inquiries from data subjects about their Personal Information. Arctrieval will endeavor to include the complaint, notice, or communication in its notification to Subscriber. Subscriber shall be responsible with regard to any determinations related to a request or inquiry made by a data subject.

Arctrieval will give Subscriber its full cooperation and assistance in responding to any complaint, notice, inquiry, communication, or data subject request. Arctrieval shall also fully cooperate and assist Subscriber in complying with data subject rights in situations where Subscriber cannot reasonably comply without Arctrieval’s assistance. Such cooperation and assistance shall be provided without charge unless, in the aggregate, it exceeds two hours of effort in a single calendar month. Arctrieval may charge Subscriber to recover for the costs of labor incurred in excess of two hours.

Arctrieval must not disclose Personal Information to any data subject or to a third party unless the disclosure is at Subscriber’s request or instruction, permitted by the Terms of Service or this DPA, or required by law.

SECTION X: PRIVACY IMPACT ASSESSMENTS.

Upon request, Arctrieval shall provide reasonable cooperation and assistance to Subscriber in ensuring compliance with data security obligations, as well as in carrying out any data protection impact assessment or similar activity, including but not limited to, providing a description of processing operations, assisting with an assessment of the risks to the rights and freedoms of the data subjects to whom the Personal Information relates, and/or assisting with an assessment of the necessity and proportionality of the processing operations in relation to the underlying purpose. Arctrieval shall also cooperate and provide any assistance or information needed for Subscriber to engage in consultations with regulatory authorities or otherwise respond to requests for information from such authorities. Unless such request follows a Security Breach or is otherwise required by Privacy and Data Protection Requirements, Subscriber shall not make any such request more than once in any 12-month period.

SECTION XI: TERM AND TERMINATION.

This DPA will remain in full force and effect so long as the Terms of Service Agreement remains in effect. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms of Service Agreement in order to protect Personal Information will remain in full force and effect. If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Terms of Service Agreement obligations, the Parties will suspend the processing of Personal Information until that processing complies with the new requirements.

SECTION XII: DATA DESTRUCTION.

On termination of the Terms of Service Agreement for any reason or expiration of its term, Arctrieval will destroy any Personal Information, if directed in writing by Subscriber, in accordance with the relevant provisions of the Terms of Service Agreement.

If any law, regulation, or government or regulatory body requires Arctrieval to retain any data that Arctrieval would otherwise be required to destroy, Arctrieval will notify Subscriber in writing of that retention requirement, provide details of the documents or materials that it must retain, identify the legal basis for retention, and establish a specific timeline for destruction once the retention requirement ends.

Arctrieval will certify in writing that it has destroyed Personal Information within thirty (30) days of completing the destruction.

SECTION XIII: LIMITATION OF LIABILITY.

Each Party’s and all of its Authorized Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Arctrieval, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Terms and Condition Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that party and all of its Authorized Affiliates under the Terms and Condition Agreement and all DPAs together. For the avoidance of doubt, Arctrieval’s and its affiliates’ total liability for all claims from Subscriber and all of its Authorized Affiliates arising out of or related to the Terms of Service Agreement and all DPAs shall apply in the aggregate for all claims under both the Terms of Service Agreement and all DPAs established under the Terms of Service Agreement, including by Subscriber and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Subscriber and/or to any Authorized Affiliate that is a contractual party to any such DPA.

SECTION XIV: MISCELLANEOUS

14.1. Notices.

Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to:

• For Subscriber: Subscriber’s primary contact listed in the Order.
• For Arctrieval: Privacy@arctrieval.com.

This does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

14.2. Updates.

Notwithstanding anything to the contrary contained herein, and without prejudice to the ‘Security’ section of this DPA, and compliance with Subscriber’s instructions, Arctrieval reserves the right to make any updates and changes to this DPA. Updates and changes will be effective as of the time of posting or such later date as may be specified herein. Subscriber’s continued access or use of the Services after the modifications have become effective will be deemed Subscriber’s acceptance of the modified DPA.

14.3. HEADING HEADING.

The Parties acknowledge and agree that to the extent, the Services contemplate the processing of Personal Information subject to Privacy and Data Protection Requirements that require additional terms in this DPA, the Parties shall enter into an amendment to this DPA that addresses such additional terms.

14.4. Serverability.

If any part of this Agreement is determined to be invalid or unenforceable by applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of this Agreement will continue in effect.

14.5. Language.

This Agreement is in English, and all communications and proceedings must be conducted in English. If this Agreement is translated, the English language version will control.

14.6. Entire Agreement.

The DPA is the final, complete, and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous communications and understandings between the Parties.