Data Processing Agreement
How we process personal data on behalf of clients under GDPR Article 28. Last updated May 16, 2026.
Overview
Where Arcitix processes personal data on behalf of a client (the controller) as part of a security engagement, that processing is governed by a Data Processing Agreement (DPA). The DPA forms part of, and is incorporated into, the signed services agreement.
Key Terms
- Roles: the client is the controller; Arcitix is the processor, acting only on documented instructions.
- Confidentiality & security: personnel are bound by confidentiality; we apply technical and organisational measures appropriate to the risk (GDPR Art. 32).
- Sub-processors: engaged only under equivalent obligations; see our Sub-processor list and change-notification commitment.
- International transfers: covered by Standard Contractual Clauses and the UK IDTA where applicable.
- Assistance & breach: we assist with data-subject requests and notify the controller of personal-data breaches without undue delay.
- Deletion: on termination, personal data is deleted or returned per the controller's instruction.
Request the DPA
To execute our DPA or review our standard template, email legal@arcitix.com.