Guidelines for Sub-processors

Last updated: March 2026

Arca ("Provider") engages certain third-party sub-processors to assist in providing services to customers. These guidelines describe the criteria, processes, and obligations that govern Arca's use of sub-processors who may process Customer Personal Data as defined in our Data Processing Agreement.

1. Definition of Sub-processor

A sub-processor is any third-party entity engaged by Arca that processes Customer Personal Data on Arca's behalf in order to provide or support the Service. Sub-processors do not include Arca employees or contractors who are bound by Arca's internal confidentiality and data protection obligations.

2. Evaluation and Approval Criteria

Before engaging any sub-processor, Arca conducts a due diligence assessment that evaluates the following:

  • Security posture. The sub-processor must demonstrate appropriate technical and organizational security measures, including encryption, access controls, and incident response capabilities.
  • Data protection compliance. The sub-processor must comply with applicable data protection laws, including the GDPR and UK GDPR where relevant.
  • Certifications and audits. Arca reviews available certifications (such as SOC 2 or ISO 27001) and audit reports to verify the sub-processor's security and compliance standards.
  • Data minimization. The sub-processor must only process the minimum amount of Customer Personal Data necessary to fulfill its contractual obligations.
  • Jurisdictional considerations. Arca evaluates where the sub-processor stores and processes data and ensures appropriate transfer mechanisms are in place for any cross-border data transfers.

3. Contractual Requirements

Each sub-processor must enter into a written agreement with Arca that imposes data protection obligations no less protective than those set out in Arca's Data Processing Agreement. These obligations include:

  • Processing Customer Personal Data only in accordance with documented instructions from Arca.
  • Implementing appropriate technical and organizational measures to protect Customer Personal Data.
  • Notifying Arca without undue delay of any security incident involving Customer Personal Data.
  • Cooperating with audits and providing information necessary to demonstrate compliance.
  • Returning or deleting Customer Personal Data upon termination of the sub-processing relationship.
  • Not using Customer Personal Data to train, retrain, fine-tune, or otherwise improve any machine learning or AI models.

4. Customer Notification and Objection

4.1. Prior Notice. Arca will notify customers at least 10 business days in advance and in writing before engaging a new sub-processor or replacing an existing one. The notification will include the identity of the sub-processor, its country of location, and the anticipated processing activities.

4.2. Right to Object. Customers have 30 days from the date of notification to raise an objection to a new or replacement sub-processor. If no objection is raised within that period, the customer will be deemed to have accepted the change.

4.3. Resolution. If a customer objects to a sub-processor change, Arca and the customer will cooperate in good faith to address the concern. This may include proposing an alternative sub-processor or implementing additional safeguards.

5. Ongoing Monitoring and Review

Arca does not treat sub-processor approval as a one-time event. Each sub-processor is subject to periodic review, which includes:

  • Annual reassessment of the sub-processor's security posture and compliance status.
  • Review of updated certifications, audit reports, or security questionnaire responses.
  • Evaluation of any changes in the sub-processor's processing activities, data locations, or corporate structure.
  • Prompt investigation and remediation if a sub-processor fails to meet its obligations.

6. Liability

Arca remains fully liable for the obligations of its sub-processors with respect to the processing of Customer Personal Data, including any acts or omissions of a sub-processor that result in a breach of Arca's data protection obligations. Arca will promptly notify customers of any failure by a sub-processor to fulfill a material obligation related to Customer Personal Data.

7. Current Sub-processors

The following table lists Arca's current approved sub-processors as of the date above:

Sub-processor             | Purpose                            | Location
Amazon Web Services (AWS) | Cloud infrastructure and hosting   | United States
Neon                      | Database hosting                   | United States
Anthropic                 | AI model provider                  | United States
OpenAI                    | AI model provider                  | United States
Vercel                    | Application hosting and deployment | United States
Stripe                    | Payment processing                 | United States
Resend                    | Transactional email delivery       | United States

This list is updated as sub-processors are added, removed, or replaced. Customers with an active Data Processing Agreement will receive advance written notice of any changes.

8. Contact

For questions about Arca's sub-processors or to subscribe to notifications about sub-processor changes, contact us at contact@arca.inc.