This Data Processing Agreement ("DPA") forms part of the Terms of Service between ArchwayAI LLC ("Processor" or "ArchwayAI") and the subscribing entity ("Controller" or "Merchant") and governs the processing of personal data by ArchwayAI on behalf of the Merchant.
1. Definitions
Capitalized terms not defined herein have the meanings given in the Terms of Service or applicable data protection law. For the purposes of this DPA:
- "Controller" means the Merchant, who determines the purposes and means of processing personal data.
- "Processor" means ArchwayAI, who processes personal data on behalf of the Controller.
- "Sub-Processor" means a third party engaged by ArchwayAI to process personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law (including GDPR, CCPA, and UK GDPR).
- "Processing" means any operation performed on personal data, including collection, storage, modification, retrieval, use, disclosure, or deletion.
- "Data Protection Laws" means all applicable legislation relating to data protection, including GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and the Swiss Federal Act on Data Protection.
2. Scope and Roles
The Controller is the Data Controller for all personal data processed through the ArchwayAI Platform on its behalf, including:
- End consumer data collected via the ArchwayAI Pixel SDK on the Controller's storefront.
- Customer and order data imported from the Controller's Shopify store.
- Ad campaign data imported from the Controller's Meta, Google Ads, and Klaviyo accounts.
ArchwayAI is the Data Processor and processes this data solely on the Controller's behalf and in accordance with the Controller's documented instructions.
3. Processing Instructions
- ArchwayAI shall process personal data only in accordance with the Controller's documented instructions, unless required to do so by applicable law. If ArchwayAI is required by law to process personal data for another purpose, it shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
- The Controller's instructions are documented in the Terms of Service, this DPA, and the configuration of the Controller's account within the Platform.
- ArchwayAI shall promptly inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
4. Sub-Processors
The Controller authorizes ArchwayAI to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Tinybird | Real-time analytics data warehouse | US / EU |
| Inngest | Durable workflow execution | US |
| Resend | Transactional email delivery | US |
| OpenAI | AI analysis (aggregated data only) | US |
| Anthropic | AI analysis (aggregated data only) | US |
| Vercel | Hosting and deployment | US |
| Neon | PostgreSQL database hosting | US |
| Sentry | Error monitoring and diagnostics | US |
- ArchwayAI will notify the Controller at least 30 days before engaging a new Sub-Processor or replacing an existing one. The Controller may object in writing within that 30-day period.
- If the Controller objects and ArchwayAI cannot reasonably accommodate the objection, either party may terminate the agreement with respect to the affected Services.
- ArchwayAI shall impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA.
- ArchwayAI remains fully liable to the Controller for the performance of each Sub-Processor's obligations.
5. Technical and Organizational Security Measures
ArchwayAI implements the following technical and organizational measures to protect personal data:
- Encryption in transit: All data transmitted between the Controller and ArchwayAI is encrypted using TLS 1.2 or higher.
- Encryption at rest: All databases are encrypted at rest.
- Access control: Role-based access control (RBAC) is enforced via Better Auth organizations (self-hosted). Only authorized users within the Controller's organization can access that organization's data. Authentication is processed entirely on our own infrastructure.
- Credential security: Integration access tokens (Meta, Google Ads, Shopify, Klaviyo) are encrypted before storage. API keys are cryptographically hashed; only the hash is retained.
- Tenant isolation: All data is logically isolated by organization ID. No cross-tenant data access is possible through the Platform.
- Monitoring: Error monitoring and alerting via Sentry. Security events are logged and reviewed.
- Personnel: ArchwayAI personnel with access to personal data are bound by confidentiality obligations.
6. Data Subject Requests
- ArchwayAI shall promptly notify the Controller if it receives a request from a data subject to exercise rights under Data Protection Laws (access, rectification, erasure, restriction, portability, or objection).
- ArchwayAI shall not respond to such requests directly unless authorized by the Controller or required by applicable law.
- ArchwayAI shall provide the Controller with reasonable assistance to fulfill data subject requests, including by providing technical tools to export or delete data.
7. Personal Data Breach Notification
- ArchwayAI shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data.
- The notification shall include: (a) the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its effects; (d) the contact point for further information.
- ArchwayAI shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data Return and Deletion
- Upon termination of the agreement, or upon the Controller's written request, ArchwayAI shall: (a) return all personal data to the Controller in a structured, commonly used, machine-readable format; or (b) permanently delete all personal data from ArchwayAI's systems and all Sub-Processor systems, at the Controller's election.
- Data return or deletion shall be completed within 30 days of the request or termination.
- ArchwayAI shall provide written confirmation of deletion upon request.
- ArchwayAI may retain personal data to the extent required by applicable law, provided that ArchwayAI ensures the confidentiality of such data and processes it only for the purpose required by law.
9. Audit Rights
- ArchwayAI shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Data Protection Laws.
- The Controller may conduct an audit of ArchwayAI's data processing practices, or appoint a qualified third-party auditor to do so, subject to: (a) reasonable advance notice of at least 30 days; (b) a maximum of one audit per 12-month period; (c) the auditor entering into appropriate confidentiality obligations.
- ArchwayAI shall cooperate with audits and provide reasonable access to relevant facilities, personnel, and documentation.
10. International Data Transfers
- ArchwayAI primarily processes data in the United States. To the extent that personal data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, ArchwayAI relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), as supplemented by additional safeguards where required.
- For transfers from the UK, the International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) applies.
- ArchwayAI shall ensure that any Sub-Processor to which personal data is transferred provides at least the same level of data protection as required by this DPA and applicable transfer mechanisms.
Annex A: Details of Processing
Subject Matter and Duration
Processing of personal data for the purpose of providing the ArchwayAI e-commerce analytics and attribution platform. Processing continues for the duration of the agreement between the Controller and ArchwayAI.
Categories of Data Subjects
- End consumers who visit or purchase from the Controller's storefront.
- The Controller's authorized users (employees, contractors) who access the Platform.
Types of Personal Data
- End consumer data: pseudonymous identifiers (arch_uid, session_id), page URLs, referrers, UTM parameters, ad click identifiers (gclid, fbclid, fbp, fbc), device type, browser locale, IP address, user agent, consent scope, event names, currency, monetary values, email (SHA-256 hashed), order history, customer attributes.
- Ad campaign data: campaign IDs, campaign names, ad spend, impressions, clicks, conversions, ad account metadata.
- Authorized user data: name, email address, organization role.
Special Categories of Data
ArchwayAI does not process special categories of personal data (Article 9 GDPR) or sensitive personal information as defined under CCPA/CPRA, unless inadvertently included by the Controller in violation of the Terms of Service.
Contact
For questions about this DPA, contact us at gdpr@archwayai.com.
ArchwayAI LLC