Data Processing Agreement

Last updated: April 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between AIARCO Inc ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you") for the provision of the AIARVA platform ("Service").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Applicable Data Protection Law" means the GDPR (EU 2016/679), CCPA (Cal. Civ. Code § 1798.100 et seq.), and any other applicable data protection legislation.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only on behalf of and in accordance with the Controller's documented instructions. The purpose of processing is to provide the AIARVA platform services, including:

  • AI-powered search and conversational AI
  • User account management and authentication
  • Billing and subscription management
  • Usage analytics and rate limit enforcement
  • AIARVA Life features (when enabled by the Controller's end users)

3. Categories of Data and Data Subjects

| Category | Data Types |
|---|---|
| Identity | Name, email, hashed password |
| Usage | Search queries, conversation history, generated images |
| Financial | Stripe customer ID, subscription status (no card numbers stored) |
| Technical | IP address, user agent, device tokens |

Data Subjects include: end users of the Controller who access the AIARVA platform.

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organizational security measures, including encryption at rest (AES-256) and in transit (TLS 1.2+), access controls, and audit logging.
  • Not engage another processor without prior written authorization of the Controller (see Section 6).
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability).
  • Delete or return all Personal Data at the end of the service period, unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance.

5. Security Measures

The Processor maintains the following security measures:

  • Encryption — AES-256 at rest (RDS, S3), TLS 1.2+ in transit, Fernet encryption for stored credentials.
  • Access control — Role-based access, JWT authentication, MFA support, API key authentication.
  • Infrastructure — AWS VPC with private subnets, WAF (OWASP CRS, SQLi prevention, rate limiting), AWS Secrets Manager for sensitive keys.
  • Monitoring — CloudWatch alarms, Container Insights, Sentry error tracking, audit logging.
  • Data minimization — Configurable data retention policies with automated cleanup.

6. Sub-Processors

The Controller authorizes the use of the following Sub-Processors:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure (compute, storage, database) | US (ap-southeast-2) |
| Stripe | Payment processing | US |
| OpenRouter / OpenAI | AI model inference | US |
| Vercel | Frontend hosting | US |
| Sentry | Error tracking | US |

The Processor shall notify the Controller of any intended changes to the list of Sub-Processors, giving the Controller the opportunity to object within 30 days.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification shall include:

  • Nature of the breach, including categories and approximate number of Data Subjects affected.
  • Contact details of the Processor's data protection point of contact.
  • Likely consequences of the breach.
  • Measures taken or proposed to address the breach.

8. Data Subject Rights

The Processor provides the following self-service capabilities for Data Subjects:

  • Data export: GET /api/v1/users/me/data-export returns all personal data in JSON format.
  • Account deletion: DELETE /api/v1/users/me permanently deletes the account and associated data.
  • Do not sell: POST /api/v1/users/me/do-not-sell opts out of data sharing (CCPA).

9. International Transfers

Personal Data is processed and stored in AWS ap-southeast-2 (Sydney, Australia). Where data is transferred to Sub-Processors in other jurisdictions, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required under GDPR.

10. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination, the Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days, unless applicable law requires retention.

11. Governing Law

This DPA shall be governed by the laws of the State of Delaware, United States, without regard to conflict of laws principles. For Data Subjects in the European Economic Area, the provisions of the GDPR shall apply as mandatory law.

12. Contact

For questions about this DPA or to request a signed copy, contact:

AIARCO Inc

Email: legal@aiarva.com
