Data Processing Agreement
Last updated: March 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ArchVizs Inc. ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR (EU Regulation 2016/679). "Services" means the ArchVizs platform as described in the Terms of Service.
2. Scope and Purpose
The Processor processes Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law.
3. Categories of Data
- Account data: names, email addresses, job titles of team members
- Usage data: IP addresses, browser data, interaction logs
- Content data: images, project files, and metadata uploaded by team members
- Client data: viewer access logs, names and emails if shared links require identification
4. Data Subject Categories
- Controller's employees and contractors
- Controller's end clients who access shared viewer links
5. Processor Obligations
- Process Personal Data only on the Controller's documented instructions
- Ensure that persons authorized to process Personal Data are under confidentiality obligations
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with prior written consent of the Controller
- Assist the Controller in responding to Data Subject requests
- Delete or return all Personal Data upon termination of Services
- Make available all information necessary to demonstrate compliance
6. Sub-Processors
Current authorized sub-processors:
- Supabase Inc. (database and authentication) - US, EU
- Vercel Inc. (hosting and CDN) - Global
- Stripe Inc. (payment processing) - US, EU
- PostHog Inc. (analytics) - US, EU
- Novu Ltd. (notifications) - US
The Controller will be notified at least 30 days before any new sub-processor is engaged and may object in writing within that period.
7. Security Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls with role-based permissions
- Regular security assessments and penetration testing
- Incident response procedures with 72-hour breach notification
- Data backup and disaster recovery procedures
8. International Transfers
Where Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
9. Data Breach Notification
The Processor will notify the Controller without undue delay (and within 72 hours) after becoming aware of a personal data breach, providing sufficient information to enable the Controller to meet its obligations under the GDPR.
10. Term and Termination
This DPA remains in effect for the duration of the Services. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by applicable law.
11. Contact
For DPA-related inquiries: dpo@archvizs.com