Data Processing

How We Process Your Data

This Data Processing Agreement governs how Arnio processes personal data on behalf of the brands that use our platform. It is designed to ensure compliance with GDPR, UK GDPR, CCPA, and all other applicable data protection laws.


1. Definitions

In this DPA, unless the context requires otherwise:

  • "Company Personal Data" means any personal data processed by Arnio on behalf of the Company pursuant to the Principal Agreement.
  • "Data Protection Laws" means the GDPR, UK GDPR, CCPA, CPRA, and any other applicable data protection legislation.
  • "Sub-processor" means any third party appointed by Arnio to process Company Personal Data on behalf of the Company.
  • "Data Subject" means the identified or identifiable natural person to whom Company Personal Data relates.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised access to Company Personal Data.

2. Processing of Company Personal Data

Arnio shall process Company Personal Data only on documented instructions from the Company, including with regard to transfers to third countries, unless required by applicable law.

The Company instructs Arnio to process Company Personal Data for the following purposes:

  • Provision of the Arnio platform and related services as described in the Principal Agreement.
  • Revenue gap analysis and campaign performance tracking.
  • Integration with Shopify, Klaviyo, and other connected third-party platforms.
  • AI-generated insights, recommendations, and reporting.
  • Platform security, fraud prevention, and technical support.

3. Personnel & Confidentiality

Arnio shall ensure that all personnel authorised to process Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Company Personal Data is limited to those who require it to perform the services under the Principal Agreement.

4. Security

Arnio shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
  • Pseudonymisation of personal data where feasible.
  • Role-based access controls and multi-factor authentication.
  • Regular security assessments and vulnerability scanning.
  • Business continuity and disaster recovery procedures.

5. Sub-processing

The Company provides general authorisation to Arnio to engage Sub-processors to process Company Personal Data. Arnio shall notify the Company of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance.

Where Arnio engages a Sub-processor, data protection obligations no less protective than those in this DPA shall be imposed. Arnio remains fully liable to the Company for each Sub-processor's obligations.

6. Data Subject Rights

Arnio shall assist the Company in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable law, including:

  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object.

7. Personal Data Breach

Arnio shall notify the Company without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Company Personal Data. The notification shall describe the nature of the breach, the likely consequences, and the measures taken to address it.

8. Deletion or Return of Data

Upon termination or expiry of the Principal Agreement, Arnio shall, at the Company's election, delete or return all Company Personal Data within 30 days of such request, and delete existing copies unless applicable law requires storage. Arnio shall provide written certification of deletion upon request.

9. Audit Rights

Arnio shall make available all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits conducted by the Company or a mandated auditor. Audits shall be conducted with at least 30 days' prior notice during normal business hours.

10. International Data Transfers

Arnio shall not transfer Company Personal Data outside the EEA or the United Kingdom without prior written consent of the Company, unless required by applicable law. Where such transfer is authorised, appropriate safeguards shall be in place, including Standard Contractual Clauses where required.

11. General Terms

Each party shall keep confidential all information received from the other party in connection with this DPA. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Company Personal Data.

12. Contact Us

Have questions about this Data Processing Agreement, or want to request a signed copy?

📩 hello@arnio.co

Last updated: May 2026 · Arnio Inc. · Austin, Texas