Arcamus
Data Processing Agreement

Last Updated: 24th April 2026


ABOUT THIS ADDENDUM. This Data Processing Addendum ("DPA") forms part of the End User Licence Agreement between Arcamus Enterprise Limited and the Customer (the "EULA") and applies where, and to the extent that, Provider processes Personal Data as Processor on behalf of Customer in connection with the Platform. It reflects the requirements of the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR. Capitalised terms not defined in this DPA have the meanings given in the EULA.

Between

(1) Arcamus Enterprise Limited, a company incorporated in England and Wales with registered number 16824786 and registered office at 14 Bank Chambers, 25 Jermyn Street, London SW1Y 6HR ("Provider", acting as Processor); and

(2) The Customer (as defined in the EULA) ("Customer", acting as Controller).

(each a "Party" and together the "Parties").

1. Definitions And Interpretation

1.1 In this DPA, unless the context requires otherwise:

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and its cognates), "Personal Data Breach", and "Special Category Data" have the meanings given in the UK GDPR;
  • "Data Protection Laws" means (a) the UK GDPR and the Data Protection Act 2018; (b) where applicable to the processing under this DPA, the EU GDPR (Regulation (EU) 2016/679) and the data protection laws of any EU Member State; and (c) all other applicable laws and regulations relating to the processing of Personal Data and privacy;
  • "EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, replaced or superseded from time to time;
  • "Restricted Transfer" means a transfer of Personal Data from the UK or the EEA to a country not subject to an adequacy decision, where such transfer would be prohibited without an appropriate transfer mechanism;
  • "Sub-processor" means a third party engaged by Provider to Process Personal Data on behalf of Customer in connection with the Platform;
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, version B1.0, as amended, replaced or superseded from time to time;
  • "UK GDPR" has the meaning given in section 3(10) of the Data Protection Act 2018; and
  • "UK IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner, as amended, replaced or superseded from time to time.

1.2 References to statutes include any modifications, amendments, consolidations or re-enactments.

1.3 In the event of any conflict between this DPA and the EULA in relation to the processing of Personal Data, this DPA prevails.

2. Scope And Roles Of The Parties

2.1 Scope. This DPA applies where, and only to the extent that, Provider Processes Personal Data as Processor on behalf of Customer in connection with the Platform.

2.2 Controller and Processor. For the purposes of this DPA and the processing contemplated by it, Customer is the Controller and Provider is the Processor. Where Customer is itself a processor acting on behalf of a third party controller, Provider shall be a sub-processor and Customer warrants it has authority to engage Provider on the terms of this DPA.

2.3 Provider as independent Controller. Provider Processes certain Personal Data as an independent Controller, including (a) Personal Data contained in public sector and publicly available sources that Provider aggregates and enriches to produce the Content (such as names of public sector officials, company directors and officers); (b) account administration data of Customer's authorised Users; (c) Derived Data (as defined in the EULA); and (d) telemetry, security and usage data of the Platform. This DPA does not apply to such processing, which is governed by Provider's Privacy Notice, available at arcamus.com/privacy.

2.4 Details of processing. The subject matter, duration, nature and purpose of the processing, the types of Personal Data and categories of Data Subjects are set out in Annex 1 (Details of Processing).

3. Customer Obligations And Instructions

3.1 Lawful basis and instructions. Customer is responsible for (a) establishing and maintaining a valid lawful basis for the processing of Personal Data under this DPA; (b) ensuring its instructions to Provider comply with Data Protection Laws; and (c) providing all notices and obtaining all consents, authorisations and rights required to enable Provider to process Personal Data as contemplated by this DPA and the EULA.

3.2 Documented instructions. Provider shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by UK or EU law to which Provider is subject. In that case, Provider shall inform Customer of that legal requirement before processing, unless prohibited by law on important grounds of public interest.

3.3 Standing instructions. Customer's documented instructions to Provider at the date of this DPA are: (a) to process Personal Data as necessary to provide, operate, secure, maintain and support the Platform in accordance with the EULA; (b) to process Personal Data as described in Annex 1; and (c) to comply with any further written instructions issued by Customer through the Platform or in writing to Provider, provided such instructions are consistent with the EULA.

3.4 Additional instructions. Where Customer issues instructions beyond those contemplated by the EULA or this DPA, Provider may (a) charge Customer a reasonable fee for complying; or (b) decline to comply where compliance would materially increase Provider's obligations, risks or costs, or require changes to the Platform.

3.5 Prohibition on unlawful instructions. If Provider considers that an instruction from Customer infringes Data Protection Laws, Provider shall inform Customer promptly and may suspend performance of the relevant instruction pending resolution.

3.6 Prohibited data. Customer shall not submit to the Platform any Special Category Data, Personal Data relating to criminal convictions and offences, children's data, or any Personal Data subject to heightened legal, regulatory or contractual restriction, without Provider's prior written agreement and, where relevant, an executed addendum to this DPA.

4. Confidentiality

4.1 Provider shall ensure that any person authorised to process Personal Data on its behalf is (a) subject to a duty of confidence, whether contractual or statutory; and (b) processes Personal Data only on instructions from Provider consistent with this DPA, unless required by law to do otherwise.

4.2 Provider shall ensure that access to Personal Data is limited to those personnel who need access for the purposes of providing the Platform or performing Provider's obligations under the EULA and this DPA.

5. Security

5.1 Provider shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to Data Subjects.

5.2 Provider's technical and organisational measures are described in Annex 2 (Technical and Organisational Measures). Provider may update Annex 2 from time to time, provided it does not materially reduce the overall level of protection afforded to Personal Data.

5.3 Customer acknowledges that the measures in Annex 2 are appropriate for the types of Personal Data and risks contemplated by this DPA, and that Customer is responsible for evaluating the measures and determining whether they meet Customer's own requirements.

6. Sub-processors

6.1 General authorisation. Customer grants Provider general written authorisation to engage Sub-processors to Process Personal Data, subject to this Clause 6. The Sub-processors engaged by Provider at the date of this DPA are listed in Annex 3 (Sub-processors).

6.2 Notification of changes. Provider shall notify Customer of any intended addition or replacement of Sub-processors at least 14 days before engaging the new Sub-processor (or such shorter period as may be reasonable in the case of an emergency replacement required to maintain service continuity or security). Notification may be by email to Customer's designated contact or by update to a list published at a URL notified to Customer from time to time.

6.3 Objection. Customer may object on reasonable data protection grounds to any new Sub-processor within 14 days of notification, by giving Provider written notice specifying the grounds. The Parties shall discuss the objection in good faith. If the Parties cannot resolve the objection within 30 days, Customer may terminate the affected portion of the subscription on written notice, and Provider shall refund any prepaid Fees for the unused portion of the Subscription Term pro rata. Absent a timely objection, the new Sub-processor is deemed accepted.

6.4 Flow-down obligations. Provider shall impose on each Sub-processor, by written contract, data protection obligations materially equivalent to those in this DPA, including the obligations in Clauses 4 (Confidentiality) and 5 (Security).

6.5 Liability for Sub-processors. Provider remains liable to Customer for the acts and omissions of its Sub-processors in respect of the obligations owed by Provider under this DPA, subject to the limitations in Clause 13 and the liability provisions of the EULA.

7. Data Subject Rights

7.1 Provider shall, taking into account the nature of the processing and insofar as possible, assist Customer by appropriate technical and organisational measures to enable Customer to fulfil its obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws.

7.2 If Provider receives a request from a Data Subject directly in relation to Personal Data processed on behalf of Customer, Provider shall, unless legally prohibited, (a) not respond to the request directly without Customer's prior authorisation, and (b) promptly notify Customer and provide reasonable information to enable Customer to respond.

7.3 Where Customer is unable to access, rectify, restrict, erase or port Personal Data through the Platform's self-service functionality, Provider shall provide reasonable assistance. Provider may charge a reasonable fee for assistance that is manifestly unfounded, excessive or outside the scope of the standard Platform functionality.

8. Personal Data Breach

8.1 Provider shall notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Personal Data processed on behalf of Customer.

8.2 Provider's notification shall describe, to the extent known at the time and subject to subsequent update as further information becomes available: (a) the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of Provider's data protection contact; (c) the likely consequences of the Personal Data Breach; and (d) the measures taken or proposed to address the Personal Data Breach, including measures to mitigate possible adverse effects.

8.3 Provider shall provide reasonable cooperation and information to assist Customer in meeting its own obligations under Data Protection Laws, including in notifying supervisory authorities and affected Data Subjects where required.

8.4 Notification under this Clause 8 is not an acknowledgment by Provider of fault or liability in respect of the Personal Data Breach.

9. Data Protection Impact Assessments And Prior Consultation

Provider shall, taking into account the nature of the processing and information available to it, provide reasonable assistance to Customer in fulfilling Customer's obligations under Articles 35 and 36 of the UK GDPR (Data Protection Impact Assessments and prior consultation with supervisory authorities). Provider may charge a reasonable fee for such assistance where it materially exceeds the routine information Provider makes available through Annex 2 and standard Platform documentation.

10. International Transfers

10.1 Provider shall not transfer or authorise a Sub-processor to transfer Personal Data to a country outside the UK (and, where applicable, outside the EEA) unless an appropriate transfer mechanism is in place.

10.2 UK transfers. For Restricted Transfers from the UK, the Parties agree that the UK IDTA shall apply, with Annex 4 (Transfer Mechanisms) completing the required tables. Alternatively, the Parties may rely on the EU SCCs as amended by the UK Addendum, with Annex 4 completing the required annexes and the UK Addendum tables.

10.3 EU transfers. Where Personal Data originates in the EEA and is subject to the EU GDPR, Restricted Transfers shall be governed by the EU SCCs, Module 2 (Controller to Processor) or Module 3 (Processor to Processor) as applicable, with Annex 4 completing the required annexes.

10.4 Precedence. Where a transfer mechanism in Clauses 10.2 or 10.3 applies, its terms prevail over this DPA to the extent of any conflict in relation to the relevant Restricted Transfer.

10.5 Transfer impact assessment. Each Party shall cooperate in good faith to complete any transfer impact assessment reasonably required to support a lawful Restricted Transfer.

11. Return And Deletion Of Personal Data

11.1 On termination or expiry of the EULA, Provider shall, at Customer's option (to be exercised in writing within 30 days of termination or expiry), either (a) return to Customer all Personal Data processed on behalf of Customer, in a structured, commonly used format; or (b) delete all such Personal Data, save to the extent retention is required by applicable law.

11.2 If Customer does not exercise either option within the 30-day period, Provider may delete the Personal Data.

11.3 Provider may retain Personal Data contained in secure backup media pending scheduled overwriting or deletion in the ordinary course, subject to continuing confidentiality and security obligations under this DPA and the EULA.

11.4 On Customer's request, Provider shall certify in writing that it has complied with this Clause 11.

12. Information And Audit

12.1 Information. Provider shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including by providing, on request, (a) its most recent independent third-party audit report (such as SOC 2 Type II or ISO 27001 certification), redacted as necessary to protect confidentiality or security; and (b) completed security questionnaires where reasonably requested.

12.2 Audit. Subject to this Clause 12, Customer (or a mandated independent third-party auditor bound by confidentiality obligations equivalent to those in this DPA and the EULA, and not being a competitor of Provider) may, on reasonable prior written notice of at least 30 days (or less in the case of a regulator-mandated or incident-driven audit), conduct an audit of Provider's processing of Personal Data under this DPA.

12.3 Audit conditions. Any audit shall (a) be limited to matters necessary to verify compliance with this DPA; (b) be conducted during normal business hours; (c) last no longer than 5 Business Days; (d) occur no more than once in any 12-month period, save where a regulator requires it or following a Personal Data Breach materially affecting Customer; (e) avoid disruption to Provider's operations and to other customers; and (f) not grant access to Personal Data of other customers, Confidential Information of third parties, or systems where access would create a security risk.

12.4 Audit costs. Customer shall bear its own costs of any audit and shall reimburse Provider's reasonable costs of supporting the audit, unless the audit reveals a material breach by Provider, in which case Provider shall bear the reasonable costs of the audit.

12.5 Regulator audits. Nothing in this Clause 12 limits the audit or inspection rights of a competent supervisory authority.

13. Liability

13.1 Subject to Clause 13.2, the liability of each Party under or in connection with this DPA (howsoever arising, whether in contract, tort (including negligence), breach of statutory duty or otherwise) shall be subject to the exclusions and limitations of liability set out in the EULA. For the avoidance of doubt, liability under this DPA counts towards, and does not increase or sit outside, the aggregate liability caps in the EULA, save as expressly provided in the EULA.

13.2 Nothing in this DPA or the EULA excludes or limits liability that cannot lawfully be excluded or limited, or excludes or limits the direct liability of either Party to Data Subjects or supervisory authorities under Data Protection Laws.

13.3 Where the Parties are jointly liable to a Data Subject for the same damage arising from a breach of Data Protection Laws, each Party's share of liability as between themselves shall reflect their respective responsibility for the damage.

14. Term And Termination

14.1 This DPA takes effect on the Effective Date of the EULA and continues in force until the EULA terminates or expires, save that Clauses 4 (Confidentiality), 11 (Return and Deletion), 12 (Audit, to the extent relating to processing carried out during the term) and 13 (Liability) survive termination to the extent necessary to give effect to the Parties' rights and obligations.

14.2 Termination of this DPA does not relieve either Party of obligations under Data Protection Laws.

15. General

15.1 Contact. Each Party's data protection contact is as set out in Annex 1. Either Party may update its contact by written notice to the other.

15.2 Updates. Provider may update this DPA from time to time to reflect changes in Data Protection Laws, supervisory authority guidance, or the terms of standard contractual clauses or equivalent mechanisms. Material changes are subject to Clause 23 of the EULA (Changes to this EULA).

15.3 Order of precedence. In the event of conflict between this DPA, the EULA, and any Order Form in relation to the processing of Personal Data, the order of precedence is (a) this DPA, (b) the EULA, (c) the Order Form, unless the Order Form expressly states it prevails over this DPA in respect of a specific matter.

15.4 Governing law and jurisdiction. This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, subject to any different jurisdiction specified in the UK IDTA or EU SCCs where they apply.

Annex 1 - Details Of Processing

A. Parties and Contacts

Category | Details
Controller (Customer) | The Customer as identified in the account registration or Order Form referencing the EULA.
Customer data protection contact | As notified by Customer in the Platform or Order Form. If none, the primary account administrator.
Processor (Provider) | Arcamus Enterprise Limited, 14 Bank Chambers, 25 Jermyn Street, London SW1Y 6HR. Registered in England and Wales no. 16824786.
Provider data protection contact | legal@arcamus.com

B. Subject Matter and Duration

Category | Details
Subject matter | Provision of the Platform and related services by Provider to Customer, in accordance with the EULA.
Duration | For the duration of the Subscription Term, plus any post-termination retention period permitted under Clause 11 of this DPA or required by law.

C. Nature and Purpose of Processing. Provider processes Customer's Personal Data for the purpose of providing, operating, securing, maintaining and supporting the Platform, including:

  • hosting, storing and transmitting Customer Data submitted to the Platform;
  • enabling authorised User access to the Platform;
  • providing technical support and resolving incidents;
  • logging, monitoring and securing use of the Platform to detect and prevent misuse, abuse, fraud or security incidents;
  • creating and maintaining backups for business continuity and disaster recovery;
  • complying with legal obligations; and
  • any other processing strictly necessary to perform Provider's obligations under the EULA.

D. Types of Personal Data. Personal Data processed by Provider on behalf of Customer may include:

  • User account data: name, business email address, job title, business contact details, authentication credentials (in hashed form), access logs and session metadata of Customer's authorised Users;
  • Customer-uploaded content: Personal Data contained within documents, notes, lists, records or other content submitted by Customer or its Users to the Platform (for example, in bid preparation workspaces, saved searches, shortlists or uploaded files);
  • Support and communications data: names, contact details and the content of communications between Customer's Users and Provider's support personnel;
  • Telemetry of User activity within the Platform, where such telemetry constitutes Personal Data.

Customer shall not submit Special Category Data, criminal convictions and offences data, or children's data to the Platform without Provider's prior written agreement (see Clause 3.6).

E. Categories of Data Subjects

  • Customer's employees, contractors and authorised Users;
  • Individuals whose Personal Data is contained in Customer-uploaded content (which may include Customer's own employees, contractors, prospects, suppliers, clients or other individuals);
  • Other individuals whose Personal Data is incidentally included by Customer in communications with Provider.

For the avoidance of doubt, Personal Data relating to public sector officials, company directors, and other individuals whose data is contained in public or publicly available sources and processed by Provider as independent Controller (see Clause 2.3) is not within the scope of this Annex 1.

F. Frequency of Transfers. Continuous, on an as-needed basis, for the duration of the Subscription Term.

G. Retention Period. Personal Data is retained for the duration of the Subscription Term and in accordance with Clause 11 of this DPA. Logs and telemetry processed on behalf of Customer are retained for up to 12 months or such other period as is necessary to maintain the security and integrity of the Platform.

Annex 2 - Technical And Organisational Measures

Provider implements and maintains the following technical and organisational measures. Specific implementations may evolve over time; Provider will not materially reduce the overall level of protection.

1. Information security governance

  • Documented information security policies reviewed at least annually;
  • Designated personnel responsible for information security and data protection;
  • Security training for personnel on induction and at regular intervals;
  • Background screening of personnel with access to production systems, to the extent permitted by law.

2. Access control

  • Role-based access control with least-privilege principles;
  • Unique user accounts for personnel - no shared accounts in production;
  • Multi-factor authentication required for access to production systems and administrative interfaces;
  • Strong password requirements and credential rotation on personnel changes;
  • Prompt revocation of access on termination or role change;
  • Periodic review of access rights.

3. Encryption

  • Personal Data encrypted in transit using TLS 1.2 or higher;
  • Personal Data encrypted at rest using industry-standard algorithms (e.g., AES-256);
  • Key management using services provided by reputable cloud infrastructure providers.

4. Network and infrastructure security

  • Hosting with reputable cloud infrastructure providers maintaining recognised certifications (e.g., ISO 27001, SOC 2);
  • Network segmentation and firewalling between environments;
  • Regular patching of operating systems and software;
  • Protection against common web application vulnerabilities (including OWASP Top 10 risks);
  • Logging and monitoring of production access and anomalous activity.

5. Application security

  • Secure software development lifecycle including code review;
  • Dependency and vulnerability scanning of application code and third-party libraries;
  • Separation of development, test and production environments;
  • No use of production Personal Data in non-production environments, save as permitted by policy and with appropriate safeguards.

6. Resilience, availability and backup

  • Regular automated backups of production data;
  • Backups stored with encryption and tested recovery procedures;
  • Documented business continuity and disaster recovery arrangements;
  • Monitoring and alerting for availability and performance issues.

7. Incident response

  • Documented incident response procedure covering detection, triage, containment, investigation, remediation and notification;
  • Defined escalation paths including to senior management;
  • Post-incident review and root cause analysis.

8. Physical security

  • Cloud infrastructure hosted in data centres maintained by reputable providers with physical access controls, environmental controls and 24/7 monitoring;
  • Office access restricted to authorised personnel; visitor sign-in and escort procedures.

9. Sub-processor management

  • Due diligence on Sub-processors before engagement;
  • Written contracts with data protection obligations materially equivalent to those owed by Provider to Customer;
  • Periodic review of Sub-processor performance and compliance.

10. Ongoing assurance

  • Internal security reviews at regular intervals;
  • Independent third-party testing (such as penetration testing) conducted periodically;
  • Certification to recognised security standards (Cyber Essentials Plus).

Annex 3 - Sub-processors

The current list of Sub-processors engaged by Provider is published at arcamus.com/subprocessors (or such other URL as Provider notifies). Provider shall notify Customer of changes in accordance with Clause 6 of this DPA.

Annex 4 - Transfer Mechanisms For Restricted Transfers

Part 1 - UK IDTA. Where the UK IDTA applies under Clause 10.2, the following tables complete the UK IDTA. Unless otherwise specified, the UK IDTA as published by the Information Commissioner applies in its standard form.

Item | Position
Table 1: Parties | Exporter: Customer (Controller). Importer: Arcamus Enterprise Limited (Processor). Contact details as set out in Annex 1.
Table 2: Transferred Data | As set out in Annex 1 (Details of Processing). Special Category Data: none, unless expressly agreed under Clause 3.6.
Table 2: Purpose | As set out in Annex 1.
Table 2: Frequency | Continuous, for the duration of the Subscription Term.
Table 2: Retention | As set out in Annex 1 and Clause 11.
Table 3: Security Requirements | As set out in Annex 2 (Technical and Organisational Measures).
Table 4: Commercial Clauses | The EULA and this DPA, which include terms relating to compensation, audit, termination and dispute resolution, apply in addition to the UK IDTA. In the event of conflict, the UK IDTA prevails in respect of the Restricted Transfer to which it applies.
Extra Protection Clauses | None, unless agreed in writing between the Parties.
Extra Legal Bases | None, unless agreed in writing between the Parties.

Part 2 - EU SCCs (where applicable). Where the EU SCCs apply under Clause 10.3, the following completes the required annexes. Module 2 (Controller to Processor) applies unless Customer is itself a processor, in which case Module 3 (Processor to Processor) applies.

Item | Position
Clause 7 (Docking clause) | Not used.
Clause 9 (Sub-processors) | Option 2 (general written authorisation) applies. Notice period: 14 days, as set out in Clause 6.2 of this DPA.
Clause 11 (Redress) | Independent dispute resolution option is not selected.
Clause 17 (Governing law) | The laws of England and Wales (as the Parties have a substantial connection to the UK and are party to the UK IDTA in parallel).
Clause 18 (Jurisdiction) | Courts of England and Wales.
Annex I.A (Parties) | As set out in Annex 1 of this DPA.
Annex I.B (Description of Transfer) | As set out in Annex 1 of this DPA.
Annex I.C (Competent supervisory authority) | The UK Information Commissioner's Office, or, where the EU GDPR applies, the supervisory authority of the EU Member State indicated by Customer.
Annex II (Security measures) | As set out in Annex 2 of this DPA.
Annex III (Sub-processors) | As set out in Annex 3 of this DPA.

Part 3 - UK Addendum. Where the Parties rely on the EU SCCs with the UK Addendum to effect a UK Restricted Transfer, the UK Addendum applies in its standard form with Table 2 selecting the EU SCCs referenced above, and with no additional provisions unless agreed in writing.