Data Processing Addendum
Effective date: March 21, 2026
This Data Processing Addendum governs ArkNet’s processing of Customer Personal Data on behalf of a customer in connection with the ArkNet services. It supplements the agreement between ArkNet Inc. and the customer governing use of ArkNet.
1. Parties and order of precedence
This Data Processing Addendum is entered into by and between ArkNet Inc. and the customer entity that has entered into the applicable services agreement with ArkNet.
This Data Processing Addendum supplements the Terms of Service, master services agreement, order form, or other governing agreement between the parties. In the event of conflict with the governing agreement on matters relating specifically to processing of Customer Personal Data, this Data Processing Addendum controls to that extent.
2. Definitions
- Applicable Data Protection Law: Any law, regulation, or binding regulatory requirement applicable to the processing of Personal Data under this Data Processing Addendum.
- Controller: The entity that determines the purposes and means of processing Personal Data, or an equivalent concept under Applicable Data Protection Law.
- Processor: The entity that processes Personal Data on behalf of a Controller, or an equivalent concept under Applicable Data Protection Law.
- Customer Personal Data: Personal Data processed by ArkNet on behalf of the customer in connection with the services.
- Data Subject: An identified or identifiable natural person to whom Personal Data relates.
- Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by ArkNet.
- Subprocessor: A third party engaged by ArkNet to process Customer Personal Data on behalf of the customer in connection with the services.
3. Roles of the parties
As between the parties, the customer acts as Controller or as a Processor acting on behalf of another Controller, and ArkNet acts as a Processor with respect to Customer Personal Data processed on behalf of the customer in connection with the services.
The customer is responsible for determining whether the services are appropriate for its intended use and for its compliance obligations regarding lawfulness, transparency, rights handling, and lawful instructions.
4. Scope and processing details
ArkNet will process Customer Personal Data only to provide, secure, support, maintain, and improve the services, and as otherwise permitted by the governing agreement and this Data Processing Addendum.
- Subject matter: Provision of the ArkNet services, including console access, registry operations, package publishing, provider-related workflows, usage tracking, billing support, and operational support.
- Duration: For the term of the governing agreement and any authorized post-termination period needed to return or delete Customer Personal Data as described in this Data Processing Addendum.
- Nature and purpose: Hosting, storing, transmitting, organizing, securing, retrieving, and otherwise processing Customer Personal Data as necessary to operate the services.
- Categories of Data Subjects: Customer personnel, end users, operators, administrators, provider representatives, billing contacts, and other individuals whose Personal Data is submitted to or generated through the services by or for the customer.
- Categories of Personal Data: Account identifiers, email addresses, organization information, authentication metadata, session metadata, support communications, billing and usage metadata, package and registry metadata, provider operational metadata, and other Personal Data submitted to or generated through the services.
5. Customer instructions
ArkNet will process Customer Personal Data only on documented instructions from the customer, including instructions reflected in the customer’s use of the services, configuration choices, API calls, support requests, and the governing agreement.
ArkNet may process Customer Personal Data without separate customer instruction where required by applicable law, in which case ArkNet will inform the customer unless legally prohibited from doing so.
ArkNet may reject instructions that are unlawful, infeasible, outside the scope of the services, or that materially compromise the security or integrity of ArkNet or other customers.
6. Confidentiality
ArkNet will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
7. Security measures
ArkNet will implement and maintain reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
- access controls designed to limit data access to authorized personnel and systems
- authentication, session, and credential protection measures
- logging, monitoring, and security event handling appropriate to the services
- network, infrastructure, and application security measures designed for the ArkNet platform
- measures supporting resilience, service continuity, and operational recovery
The customer acknowledges that no security measure is infallible and that security obligations are evaluated in light of the nature of the services, current practices, available technology, and the risks involved.
8. Subprocessors
The customer authorizes ArkNet to engage Subprocessors to process Customer Personal Data in connection with the services.
ArkNet will impose data protection obligations on Subprocessors that are no less protective than the obligations set out in this Data Processing Addendum, as appropriate to the nature of the processing.
ArkNet remains responsible for its Subprocessors’ performance of their relevant data protection obligations to the extent required by applicable law and the governing agreement.
9. Assistance to the customer
Taking into account the nature of processing and the information available to ArkNet, ArkNet will provide reasonable assistance to the customer in responding to requests from Data Subjects and in meeting obligations relating to security, breach notification, privacy impact assessments, and prior consultation where required by Applicable Data Protection Law.
Assistance will be provided to the extent required by law and may be subject to reasonable technical limitations and reimbursement for substantial or extraordinary work where permitted by the governing agreement.
10. Personal Data Breach notification
ArkNet will notify the customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
That notice may include, as reasonably available:
- the nature of the Personal Data Breach
- the categories of affected data and Data Subjects, where known
- the likely consequences of the Personal Data Breach, where known
- measures taken or proposed to address the Personal Data Breach
Notification of a Personal Data Breach is not an admission of fault or liability by ArkNet.
11. Information and audit rights
ArkNet will make available information reasonably necessary to demonstrate compliance with this Data Processing Addendum.
Where required by Applicable Data Protection Law, ArkNet will allow and contribute to reasonable audits or inspections conducted by the customer or an independent auditor mandated by the customer, subject to appropriate confidentiality, security, scope, timing, and frequency limitations.
Audits must not unreasonably interfere with ArkNet’s operations, compromise the security or confidentiality of other customers, or require access beyond what is reasonably necessary.
12. International transfers
Customer Personal Data may be processed in countries outside the customer’s jurisdiction. Where required by Applicable Data Protection Law, ArkNet will implement an appropriate transfer mechanism for such transfers.
Where required, the parties will cooperate in implementing additional transfer terms, including standard contractual clauses or equivalent mechanisms recognized under Applicable Data Protection Law.
13. Return and deletion
Upon termination or expiration of the governing agreement, ArkNet will delete or return Customer Personal Data in accordance with the governing agreement and ArkNet’s standard retention and deletion practices, unless applicable law requires continued retention.
ArkNet may retain Customer Personal Data where required for legal, regulatory, accounting, security, fraud prevention, dispute resolution, backup, archival, or other legitimate compliance and operational purposes, subject to continued protection obligations.
14. Customer responsibilities
The customer is responsible for:
- providing all notices and obtaining all consents and rights necessary for ArkNet to process Customer Personal Data lawfully
- ensuring its use of the services complies with Applicable Data Protection Law
- using the services in a way consistent with the governing agreement and ArkNet documentation
- responding to Data Subject requests except to the extent ArkNet is required to assist
- determining whether the services are appropriate for the nature of the Personal Data it chooses to process
15. Liability
Each party’s liability under this Data Processing Addendum is subject to the liability limitations, exclusions, and allocation of risk set out in the governing agreement, unless Applicable Data Protection Law requires otherwise.
16. Changes to this addendum
ArkNet may update this Data Processing Addendum from time to time to reflect changes in law, regulation, guidance, service delivery, operational practices, or the services themselves.
Material changes will be communicated through reasonable means, including posting an updated version with a revised effective date.
17. Contact
For questions regarding this Data Processing Addendum, privacy, or data protection matters, contact ArkNet through the legal or privacy contact methods published by ArkNet.