Data Processing Addendum

LAST UPDATED 2026-04-24

1. Parties

This Data Processing Addendum (“DPA”) is entered into between Kybernesis (“Processor”) and the Customer (“Controller”), and supplements the applicable Terms of Service.

2. Scope

This DPA applies when Kybernesis processes personal data on behalf of the Customer in the course of providing ARP Cloud. It does NOT apply to data where Kybernesis acts as an independent controller (e.g. its own billing records).

3. Roles

Customer is the Controller and determines the purposes and means of processing. Kybernesis is the Processor and processes personal data solely on documented instructions from Customer, unless required to do otherwise by applicable law.

4. Subprocessors

Customer authorizes Kybernesis to engage the following subprocessors:

  • Vercel Inc. — hosting + deployment.
  • Neon Inc. — managed Postgres.
  • Stripe, Inc. — billing.
  • [TODO: counsel — additional subprocessors].

Kybernesis will notify Customer of changes to subprocessors at least 14 days before onboarding.

5. Security measures

Kybernesis implements and maintains appropriate technical and organisational measures, including:

  • End-to-end transport authentication + integrity checks.
  • Hash-chained audit entries per tenant.
  • Browser-held principal keys (Kybernesis never holds them).
  • Tenant isolation invariants enforced at the DB layer.
  • Access controls + audit logging on production systems.
  • [TODO: counsel — formalise SOC 2 / ISO-compatible controls].

6. Incidents

In the event of a personal data breach affecting Customer data, Kybernesis will notify Customer within 72 hours of awareness, per the incident runbook referenced in the operations documentation.

7. Data subject requests

Kybernesis will, to the extent legally permitted, promptly notify Customer of any data subject request received directly by Kybernesis and provide reasonable assistance in responding.

8. International transfers

Where personal data is transferred across jurisdictions, the parties rely on Standard Contractual Clauses (EU) or equivalent safeguards (UK IDTA, other jurisdictions per counsel's direction).

9. Audit rights

Customer may audit Kybernesis's compliance with this DPA subject to reasonable notice + confidentiality obligations. Audits are at Customer's expense and may be satisfied by third-party attestations where applicable.

10. Deletion + return

Upon termination, Kybernesis will, at Customer's option, return or delete Customer personal data within 30 days, subject to legal retention requirements.

11. Contact

DPA questions + data protection officer correspondence: privacy@arp.run.