This Data Processing Agreement ("DPA") supplements the Terms of Service entered into between the Customer and ARKKHE Corp and governs the processing of personal data under applicable data protection law. In case of conflict between the Terms and this DPA, this DPA prevails on data protection matters.
1. Parties & definitions
- Controller: the Customer (the natural or legal person who subscribes to ARKKHE VPlayer).
- Processor: ARKKHE Corp.
- Data subject: the natural person to whom personal data refers — generally, viewers of the videos hosted by the Customer.
- Subprocessor: third-party engaged by the Processor to assist with processing.
2. Scope & purpose
The Processor processes personal data on behalf of and at the direction of the Controller, exclusively for the provision of the ARKKHE VPlayer Service: video player hosting, retention metrics collection, and conversion analytics.
The Processor does not use Controller data for its own purposes (e.g. model training, marketing, profiling).
3. Nature, duration & categories of data
3.1. Types of personal data
- Technical identifiers: IP address, user-agent, anonymous device fingerprint;
- Behavioral data: play / pause / seek events, timestamps, retention, A/B variants displayed;
- Optional metadata that the Controller chooses to send.
3.2. Categories of data subjects
End viewers of the VSLs hosted by the Controller.
3.3. Duration
For the term of the contract between the parties, with residual confidentiality and security obligations surviving termination.
4. Authorized subprocessors
The Controller authorizes the Processor to engage the following subprocessors, all bound by obligations consistent with this DPA:
- Vercel (Vercel, Inc., USA) — landing page and app hosting;
- Cloudflare (Cloudflare, Inc., USA) — CDN and R2 storage in the Controller's account;
- Supabase (Supabase, Inc., Singapore/USA) — database and authentication in the Controller's account;
- Stripe (Stripe, Inc., USA — PCI-DSS Level 1) — payment gateway and subscription management;
- Google Workspace (Google LLC, USA) — email communication.
Changes to this list will be communicated to the Controller at least 30 days in advance. The Controller may object based on reasonable grounds; if the objection persists, the contract may be terminated without penalty, with proportional refund.
5. Processor obligations
The Processor commits to:
- Process personal data solely on documented instructions from the Controller;
- Ensure confidentiality among its staff, contractually bound to equivalent duties;
- Implement appropriate technical and organizational measures: encryption in transit (TLS 1.2+), role-based access control, audit logs, periodic credential review;
- Assist the Controller in handling data subject requests, conducting data protection impact assessments (DPIAs), and communicating with supervisory authorities;
- Not transfer data outside authorized subprocessors without prior approval;
- Maintain records of processing activities, available to the Controller upon request.
6. Data subject rights
Requests received directly by the Processor will be forwarded to the Controller within 5 business days. The Processor will provide reasonable assistance so that the Controller can comply within legal timeframes.
7. Audit
The Controller may request, with 30 days' notice and at most once per year, documentary evidence of the security measures applied by the Processor. On-site audits may be required in justified cases, subject to NDA and reimbursement of reasonable costs incurred.
8. Security incidents
In case of a security incident affecting the Controller's personal data, the Processor will notify the Controller within 48 hours of becoming aware, providing:
- Description of the nature of the incident;
- Categories and approximate number of data subjects affected;
- Likely consequences;
- Mitigation measures taken or proposed.
9. Return & deletion
Because the Controller's videos reside in their own Cloudflare R2 account and data lives in their own Supabase account, upon termination the Processor does not retain copies of the Controller's personal data. Any operational logs are deleted in accordance with the retention policy described in the Privacy Policy.
10. Term, governing law & jurisdiction
This DPA is in force for the duration of the underlying agreement. Disputes follow the jurisdiction set out in the Terms of Service.
Signed DPA on request: Customers needing a signed PDF version can request one by emailing arkkhecorp@gmail.com identifying the legal entity name and registration number.