Data Processing Agreement (DPA)

This Data Processing Addendum (“DPA”) applies when Archilas processes personal data on behalf of a customer in connection with the Services and the customer is a controller (or business) and Archilas is a processor (or service provider/processor) under applicable data protection laws.

This DPA forms part of the agreement between the customer and Archilas governing use of the Services. If there is a conflict between this DPA and the main agreement, this DPA controls for data protection and processing terms.

Terms such as “controller,” “processor,” “personal data,” and “processing” have the meanings given under applicable data protection laws (including GDPR and similar laws).

“Customer Data” means personal data processed by Archilas on behalf of the customer through the Services, including personal data contained in structured memory entries and processed via memory operations at the customer’s instruction.

“Subprocessor” means a third party authorized to process Customer Data on behalf of Archilas to help provide the Services.

The customer is responsible for determining the purposes and means of processing Customer Data and for ensuring it has a valid legal basis to process and share Customer Data with Archilas.

Archilas processes Customer Data only on documented instructions from the customer, including as needed to provide the Services and perform memory operations initiated by authorized users.

Each party will comply with its obligations under applicable data protection laws.

Subject matter: provision of the Services, including storage, retrieval, transformation, and management of information and structured memory entries.

Duration: for the term the customer uses the Services and any additional period necessary for deletion and backup cycles, subject to applicable law.

Nature and purpose: hosting, processing, securing, and supporting Customer Data; enabling customer-controlled integrations (including via the MCP protocol); and providing support and troubleshooting.

Categories of data subjects and personal data: determined by the customer and may include the customer’s end users and individuals referenced in Customer Data; personal data may include identifiers, contact information, account data, and other information included in Customer Data.

The customer’s documented instructions include the customer’s use of the Services and configuration choices, including which data sources are connected and which memory operations are performed.

The customer is responsible for ensuring that only authorized users have access and that user accounts are managed appropriately (including onboarding, role changes, and offboarding).

If Archilas believes an instruction violates applicable law, Archilas will inform the customer unless prohibited by law.

Archilas will ensure that persons authorized to process Customer Data are bound by confidentiality obligations (contractual or statutory) and receive appropriate training where relevant.

The customer is responsible for maintaining the confidentiality of its credentials and for ensuring users protect access to Customer Data.

Archilas will implement appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Security measures may include access controls, encryption in transit where supported, monitoring, logging, and measures intended to maintain confidentiality, integrity, availability, and resilience of systems.

The customer acknowledges that security is a shared responsibility and that its own configurations (including connected accounts, permissions, and user management) affect overall security.

The customer authorizes Archilas to use Subprocessors to help provide the Services. Archilas will impose appropriate contractual obligations on Subprocessors to protect Customer Data.

Subprocessors used to support the Services include:

• Supabase
• Vercel
• Render
• OpenRouter
• Google (OAuth only)
• GitHub (OAuth only)

Archilas may update Subprocessors from time to time. Where required by law, Archilas will provide notice and an opportunity to object.

Taking into account the nature of the processing, Archilas will provide reasonable assistance to help the customer respond to data subject requests (for example, access, deletion, correction, portability), to the extent the customer cannot fulfill the request through self-service features.

Archilas will also provide reasonable assistance with obligations relating to security, breach notifications, impact assessments, and prior consultations, taking into account the information available to Archilas and the Services provided.

The customer is responsible for responding to data subjects and for ensuring responses meet legal requirements.

Archilas will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably necessary to help the customer meet its breach notification obligations.

The customer acknowledges that breach notifications may be subject to reasonable delays to address security concerns, to avoid compromising investigations, or where prohibited by law.

Upon termination or expiration of the Services, Archilas will, at the customer’s choice and to the extent available through the Services, allow the customer to export Customer Data and will delete Customer Data within a reasonable time, subject to retention required by law or necessary for security, dispute resolution, or backups.

The customer understands that residual copies of Customer Data may remain in backups for a limited time as part of normal operations, and will be deleted according to backup retention schedules.

If you have questions about this DPA or need to submit a request, contact hello.archilas@gmail.com.