Data Processing Agreement
How Arcus processes personal data on behalf of customers. Compliant with GDPR, UK GDPR, CCPA/CPRA, LGPD, PDPA, APPI, PIPA, PIPEDA, Australian Privacy Act, and NZ Privacy Act.
Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Arcus Technologies Pty Ltd ("Processor") and the Customer ("Controller") for the processing of personal data in connection with the Arcus AI Governance Platform.
This DPA applies to all processing of personal data by the Processor on behalf of the Controller as part of providing the Services. The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
This DPA is designed to satisfy the requirements of all applicable data protection laws across the jurisdictions in which Arcus operates, including but not limited to the EU General Data Protection Regulation (GDPR), UK GDPR, Australian Privacy Act 1988, California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil's Lei Geral de Proteção de Dados (LGPD), Singapore's Personal Data Protection Act (PDPA), Japan's Act on the Protection of Personal Information (APPI), South Korea's Personal Information Protection Act (PIPA), and New Zealand's Privacy Act 2020.
Definitions
For the purposes of this DPA, the following terms apply across all supported jurisdictions. Where local terminology differs, the equivalent concept under applicable law shall be used:
- Personal Data / Personal Information: Any information relating to an identified or identifiable natural person (referred to as "personal information" under the Australian Privacy Act, CCPA, PIPEDA, and NZ Privacy Act)
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion
- Controller / Business: The entity that determines the purposes and means of processing personal data (referred to as "Business" under CCPA, "APP Entity" under the Australian Privacy Act)
- Processor / Service Provider: The entity that processes personal data on behalf of the Controller (referred to as "Service Provider" under CCPA)
- Sub-processor / Sub-contractor: Any third party engaged by the Processor to process personal data
- Data Subject / Consumer: An identified or identifiable natural person whose personal data is processed (referred to as "Consumer" under CCPA, "Individual" under the Australian Privacy Act)
- Supervisory Authority / Regulator: An independent public authority responsible for monitoring the application of data protection law (e.g., OAIC in Australia, ICO in UK, CNIL in France, PDPC in Singapore, PPC in Japan, PIPC in South Korea, ANPD in Brazil, OPC in Canada, OPC NZ in New Zealand)
Data Processing Details
Categories of Data Subjects:
- Employees and contractors of the Controller
- End users of the Controller's AI systems
- Individuals whose data is processed through the Controller's compliance activities
Types of Personal Data:
- Contact information (name, email, phone number)
- Professional information (job title, organisation, department)
- AI system usage data and compliance assessment results
- Authentication credentials and access logs
- IP addresses and device identifiers
Purpose of Processing:
Personal data is processed solely for the purpose of providing the Arcus platform services, including AI governance assessments, compliance monitoring, risk assessment, and audit documentation generation. The Processor shall not sell, share, or use personal data for any purpose other than the specific business purpose of providing the Services, as required under CCPA Section 1798.140(ag) and equivalent provisions in other jurisdictions.
Processor Obligations
The Processor shall comply with all applicable data protection obligations across supported jurisdictions:
Under EU/UK GDPR:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorised to process personal data have committed themselves to confidentiality
- Take all measures required pursuant to Article 32 (Security of Processing)
- Assist the Controller with obligations pursuant to Articles 32 to 36
- Delete or return all personal data after the end of the provision of services
- Make available all information necessary to demonstrate compliance
Under Australian Privacy Act 1988:
- Comply with Australian Privacy Principles (APPs), particularly APP 6 (use and disclosure) and APP 11 (security)
- Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access
- Notify the OAIC and affected individuals of eligible data breaches under the Notifiable Data Breaches (NDB) scheme
Under CCPA/CPRA (California, USA):
- Not sell or share personal information received from the Controller
- Not retain, use, or disclose personal information outside the direct business relationship
- Comply with consumer opt-out rights and data deletion requests
- Certify understanding and compliance with CCPA restrictions
Under PIPEDA (Canada):
- Process personal information only for identified purposes with appropriate consent
- Maintain accuracy and safeguard personal information under Principle 7
- Provide individuals with access to their personal information upon request
Under LGPD (Brazil):
- Process personal data in compliance with LGPD's legal bases under Article 7
- Maintain records of processing activities as required by Article 37
- Appoint a Data Protection Officer (Encarregado) as required by Article 41
- Cooperate with the ANPD (National Data Protection Authority)
Under PDPA (Singapore):
- Comply with consent, purpose limitation, and protection obligations
- Make reasonable security arrangements to protect personal data
- Notify the PDPC and affected individuals of data breaches meeting the notification threshold
- Comply with data portability obligations and access and correction requirements
Under APPI (Japan):
- Handle personal information in accordance with APPI requirements
- Comply with cross-border transfer restrictions per Article 28
- Maintain a record of provision of personal data to third parties
- Report data breaches to the PPC (Personal Information Protection Commission)
Under PIPA (South Korea):
- Comply with consent requirements and purpose limitation principles
- Implement technical, administrative, and physical safeguards
- Conduct privacy impact assessments where required
- Notify the PIPC and affected data subjects of data breaches
Under NZ Privacy Act 2020 (New Zealand):
- Comply with Information Privacy Principles (IPPs)
- Report notifiable privacy breaches to the OPC and affected individuals
- Ensure overseas disclosure of personal information meets IPP 12 requirements
Security Measures
The Processor implements appropriate technical and organisational measures that satisfy security requirements across all applicable jurisdictions, including GDPR Article 32, Australian APP 11, CCPA Section 1798.150, LGPD Article 46, PDPA Section 24, and APPI Article 23:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.3)
- Regular testing and evaluation of the effectiveness of security measures
- Multi-factor authentication for all platform access
- Role-based access control with principle of least privilege
- Automated vulnerability scanning and penetration testing
- Incident detection and response procedures
- Business continuity and disaster recovery planning
- Employee security awareness training
- Data minimisation and pseudonymisation where applicable
- Regular security audits and compliance assessments
Infrastructure:
- Data hosted on Supabase (powered by AWS) in the Asia-Pacific (Sydney) region
- IRAP assessment planned for Australian government customers
Sub-processors
The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
Current Sub-processors:
- Supabase Inc. — Database hosting and authentication (United States / Australia region)
- Vercel Inc. — Application hosting and edge network (Global)
- Anthropic PBC — AI model provider for compliance analysis (United States)
- Resend Inc. — Transactional email delivery (United States)
- Stripe Inc. — Payment processing (United States)
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. This includes ensuring sub-processors comply with equivalent protections under GDPR, UK GDPR, CCPA, LGPD, PDPA, APPI, PIPA, PIPEDA, and NZ Privacy Act as applicable.
The Processor maintains a register of all sub-processors, including the nature of processing, jurisdiction of operation, and applicable data protection safeguards. This register is available to Controllers upon request.
International Data Transfers
The Processor recognises that personal data may be subject to cross-border transfer restrictions under multiple jurisdictions. The Processor ensures compliance through the following mechanisms:
EU/EEA and UK:
- Standard Contractual Clauses (SCCs) approved by the European Commission (2021/914)
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- Supplementary measures as required by the Schrems II decision
- Adequacy decisions where applicable
Australia:
- Compliance with APP 8 (cross-border disclosure) requirements
- Ensuring overseas recipients are bound by substantially similar protections
Japan:
- APPI Article 28 cross-border transfer requirements
- EU-Japan adequacy arrangement for transfers from the EU
South Korea:
- PIPA cross-border transfer notification and consent requirements
- Ensuring equivalent protections in the receiving country
Brazil:
- LGPD Article 33 international transfer mechanisms
- Standard contractual clauses or equivalent safeguards approved by ANPD
Singapore:
- PDPA Transfer Limitation Obligation compliance
- Ensuring recipient country provides comparable protection
Canada:
- PIPEDA cross-border transfer requirements and transparency obligations
New Zealand:
- IPP 12 (disclosure of personal information outside New Zealand) compliance
The Processor maintains a register of all international data transfers and the legal basis for each transfer under all applicable jurisdictions.
Data Breach Notification
The Processor maintains a breach notification process that satisfies the strictest applicable requirements across all supported jurisdictions:
- Notify the Controller without undue delay after becoming aware of the breach, and in any event within 48 hours
- This satisfies GDPR's 72-hour requirement, Australia's NDB scheme "as soon as practicable" requirement, LGPD's "reasonable time" requirement, and Singapore's 3-calendar-day requirement
The Processor shall provide sufficient information to allow the Controller to meet notification obligations under all applicable laws, including:
- GDPR Article 33 (notification to supervisory authority) and Article 34 (notification to data subjects)
- Australian NDB scheme notification to the OAIC
- CCPA breach notification requirements under California Civil Code 1798.82
- UK GDPR notification to the ICO
- LGPD notification to the ANPD under Articles 48-49
- PDPA notification to the PDPC under the 2021 amendments
- APPI notification to the PPC under the 2022 amendments
- PIPA notification to the PIPC
- PIPEDA breach notification requirements under the Digital Privacy Act amendments
- NZ Privacy Act 2020 notification to the OPC
Notification shall include:
- The nature of the personal data breach
- The categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- Jurisdictions potentially affected by the breach
Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under all applicable data protection laws:
EU/UK GDPR Rights:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making (Article 22)
CCPA/CPRA Rights (California, USA):
- Right to know / access
- Right to delete
- Right to opt-out of sale/sharing
- Right to non-discrimination
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
Australian Privacy Act Rights:
- Right to access personal information (APP 12)
- Right to request correction (APP 13)
- Right to complain to the OAIC
LGPD Rights (Brazil):
- Right to confirmation and access (Article 18)
- Right to correction, anonymisation, blocking, or deletion
- Right to data portability
- Right to information about sharing with third parties
Other Jurisdictions:
- PDPA (Singapore): Access and correction rights
- APPI (Japan): Disclosure, correction, cessation of use, and deletion rights
- PIPA (South Korea): Access, correction, suspension, and deletion rights
- PIPEDA (Canada): Access and correction rights under Principles 9 and 10
- NZ Privacy Act 2020: Access (IPP 6) and correction (IPP 7) rights
The Processor shall promptly notify the Controller if it receives a request from a data subject and shall not respond to such request directly unless authorised to do so by the Controller.
Audit Rights
The Controller shall have the right to audit the Processor's compliance with this DPA. The Processor shall:
- Make available all information necessary to demonstrate compliance with obligations under GDPR Article 28(3)(h), CCPA, LGPD, and equivalent provisions in other applicable laws
- Allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller
- Provide reasonable access to facilities, equipment, and records
- Cooperate with regulatory audits conducted by supervisory authorities including the OAIC, ICO, CNIL, PDPC, PPC, PIPC, ANPD, OPC (Canada), and OPC (New Zealand)
Audits shall be conducted with reasonable prior notice (minimum 30 days) and during normal business hours. The Controller shall bear its own costs of any audit unless the audit reveals a material breach of this DPA by the Processor.
Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the Services.
Upon termination of the Services, the Processor shall, at the Controller's choice:
- Return all personal data to the Controller in a commonly used, machine-readable format
- Delete all personal data and existing copies, unless applicable law requires storage of the personal data
The Processor shall certify the deletion of personal data in writing upon the Controller's request. Data deletion shall be completed within 90 days of termination, unless otherwise agreed or required by applicable law.
Data retention following termination shall comply with the strictest applicable requirement across all relevant jurisdictions, unless specific legal retention obligations mandate otherwise.
Governing Law
This DPA shall be governed by the laws of the State of Victoria, Australia, without regard to its conflict of law provisions.
Notwithstanding the governing law, the Processor acknowledges that this DPA must comply with local data protection requirements in each jurisdiction where personal data is processed. Where a conflict arises between this DPA and mandatory local data protection law, the local law shall prevail to the extent of the inconsistency.
The following regulatory frameworks are incorporated by reference:
- EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
- UK General Data Protection Regulation (UK GDPR) — as retained by the European Union (Withdrawal) Act 2018
- Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazil Lei Geral de Proteção de Dados (LGPD) — Law No. 13,709/2018
- Singapore Personal Data Protection Act 2012 (PDPA)
- Japan Act on the Protection of Personal Information (APPI) — 2022 amendments
- South Korea Personal Information Protection Act (PIPA) — 2023 amendments
- New Zealand Privacy Act 2020
- EU Artificial Intelligence Act — Regulation (EU) 2024/1689
Contact Information
For questions about this Data Processing Agreement or to request a signed copy:
Data Protection Officer: [email protected]
Legal Department: [email protected]
Arcus Technologies Pty Ltd, Melbourne, Victoria, Australia
Need a customized DPA?
Our legal team can accommodate specific requirements for enterprise customers, including custom data residency and processing terms.