Data Processing Agreement

Last updated: May 30, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and REQARCHITECT LTD, operating the Archiet platform ("Processor"), and reflects the parties' agreement on the processing of personal data in accordance with the EU GDPR, the UK GDPR, and the CCPA.

1. Roles and Scope

The Controller determines the purposes and means of processing personal data. The Processor processes personal data only on the documented instructions of the Controller, including with regard to transfers, unless required to do otherwise by applicable law.

2. Nature and Purpose of Processing

The Processor processes personal data to provide the Archiet architecture-to-code platform: account management, blueprint generation, compliance reporting, and related support. Categories of data subjects include the Controller's authorised users; data categories include account identifiers (name, email), workspace content, and usage metadata.

3. Sub-processors

The Controller authorises the Processor to engage sub-processors for hosting, payments, email delivery, and LLM inference. A current list of sub-processors is available on request to privacy@archiet.com. The Processor remains responsible for sub-processors' compliance with this DPA and will give notice of intended changes.

4. Security Measures

The Processor implements appropriate technical and organisational measures, including encryption in transit (TLS), encryption at rest, access controls, httpOnly session cookies, audit logging, and tenant isolation. See our Security page for details.

5. International Transfers

Where personal data is transferred outside the UK/EEA, the parties rely on the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses, which are incorporated by reference.

6. Data Subject Rights and Assistance

The Processor will assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling its obligations to respond to data subject requests and to ensure security, breach notification, and data protection impact assessments.

7. Breach Notification

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data.

8. Deletion and Return

On termination, the Processor will delete or return all personal data to the Controller, and delete existing copies unless retention is required by law.

9. Audits

The Processor will make available information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and scheduling.

10. Contact

For a countersigned DPA or sub-processor list, contact privacy@archiet.com.

This document is provided for transparency. For an enterprise agreement, a countersigned copy is available on request.