Data Processing Agreement

Last updated: March 2026


This Data Processing Agreement ("DPA") forms part of the agreement for services ("Principal Agreement") between Arnio ("Processor," "we," "us") and the entity or person agreeing to these terms ("Controller," "Company," "you"). This DPA governs the processing of personal data by Arnio on behalf of the Company in connection with the Arnio platform and related services.

This DPA is designed to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws. By using Arnio's services, you agree to the terms of this DPA.


1. Definitions and Interpretation

In this DPA, unless the context requires otherwise:

  • "Company Personal Data" means any personal data processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement.
  • "Data Protection Laws" means the GDPR, the UK GDPR, the EU ePrivacy Directive, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other applicable data protection legislation.
  • "Sub-processor" means any third party appointed by the Processor to process Company Personal Data on behalf of the Company.
  • "Data Subject" means the identified or identifiable natural person to whom Company Personal Data relates.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Company Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission for the transfer of personal data to processors established in third countries.

2. Processing of Company Personal Data

The Processor shall process Company Personal Data only on documented instructions from the Company, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law.

The Company instructs the Processor to process Company Personal Data for the following purposes:

  • Provision of the Arnio platform and related services as described in the Principal Agreement
  • Revenue gap analysis and campaign performance tracking
  • Integration with Shopify, Klaviyo, and other connected third-party platforms
  • AI-generated insights, recommendations, and reporting
  • Platform security, fraud prevention, and technical support

3. Processor Personnel

The Processor shall ensure that all personnel authorised to process Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Company Personal Data is limited to those personnel who require such access for the performance of the services under the Principal Agreement.


4. Security

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include but are not limited to:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Pseudonymisation of personal data where feasible
  • Role-based access controls and multi-factor authentication
  • Regular security assessments, penetration testing, and vulnerability scanning
  • Business continuity and disaster recovery procedures

5. Sub-processing

The Company provides a general authorisation to the Processor to engage Sub-processors to process Company Personal Data. The Processor shall notify the Company of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Company the opportunity to object.

Where the Processor engages a Sub-processor, the Processor shall impose data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Company for the performance of each Sub-processor's obligations.


6. Data Subject Rights

The Processor shall assist the Company in fulfilling the Company's obligation to respond to requests from Data Subjects exercising their rights under applicable law, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

7. Personal Data Breach

The Processor shall notify the Company without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Company Personal Data. The notification shall describe the nature of the breach, the likely consequences, and the measures taken to address it.


8. Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with supervisory authorities that the Company reasonably considers to be required under applicable Data Protection Laws, solely in relation to the processing of Company Personal Data.


9. Deletion or Return of Company Personal Data

Upon termination or expiry of the Principal Agreement, the Processor shall, at the Company's election, delete or return all Company Personal Data to the Company within 30 days of such request, and delete existing copies unless applicable law requires storage of the personal data. The Processor shall provide written certification of deletion upon request.


10. Audit Rights

The Processor shall make available to the Company all information necessary to demonstrate compliance with the obligations laid down in this DPA, and shall allow for and contribute to audits conducted by the Company or an auditor mandated by the Company. Audits shall be conducted with at least 30 days' prior notice during normal business hours.


11. International Data Transfers

The Processor shall not transfer Company Personal Data outside the EEA or the United Kingdom without the prior written consent of the Company, unless required by applicable law. Where such transfer is authorised, appropriate safeguards shall be in place, including Standard Contractual Clauses where required.


12. General Terms

Each party shall keep confidential all information received from the other party in connection with this DPA. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Company Personal Data. This DPA shall be governed by the same laws that govern the Principal Agreement.


13. Contact Information

For questions about this Data Processing Agreement, or to request a signed copy, please contact us:

Email: hello@arnio.co

Website: arnio.co