This Data Processing Addendum ("DPA") forms part of the agreement between Customer ("Controller") and Raised Beef AI, LLC ("Processor") for use of the Arbor Service. It applies to any processing of Personal Data subject to GDPR, UK GDPR, the Swiss FADP, or the CCPA / CPRA.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679). "Customer Data" means Personal Data submitted to the Service by Controller or its Authorized Users. "Subprocessor" means a third party engaged by Processor to process Customer Data.
2. Subject matter and details of processing
- Subject matter: Processor's provision of the Service.
- Duration: the term of the underlying agreement plus the data retention period set out in the Privacy Policy.
- Nature and purpose: hosting, organizing, retrieving, and presenting training operations data (instructors, classes, training records, projects, tasks, allocations) so Controller's Authorized Users can manage their training programs.
- Categories of data subjects: Controller's employees, contractors, trainees, and other individuals whose data Controller chooses to upload.
- Categories of Personal Data: name, email address, role/title, department, training history, certifications, and any additional data Controller chooses to upload (e.g. notes, tags). For HIPAA-covered customers this may include Protected Health Information governed by the BAA.
3. Processor obligations
Processor will:
- process Customer Data only on Controller's documented instructions, including transfers to a third country, unless required to do otherwise by applicable law;
- ensure persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation;
- implement and maintain the technical and organizational security measures set out in Annex A;
- assist Controller, taking into account the nature of the processing, in fulfilling requests from data subjects exercising their rights;
- notify Controller without undue delay (and in any case within 72 hours of awareness) after becoming aware of a Personal Data Breach affecting Customer Data;
- make available to Controller all information necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 7.
4. Subprocessors
Controller authorizes Processor to engage the subprocessors listed at /legal/subprocessors. Processor will inform Controller of any intended changes to that list (additions or replacements) at least 30 days in advance via email to the Controller's designated billing or admin contact, giving Controller the opportunity to object on reasonable grounds related to data protection.
5. International transfers
Where Customer Data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission (or equivalent UK/Swiss authority), the parties agree the EU Standard Contractual Clauses (Module 2: controller-to-processor) adopted by Commission Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference, with Controller as data exporter and Processor as data importer. The UK International Data Transfer Addendum and Swiss equivalent provisions apply where relevant. Annex A of this DPA satisfies Annex II of the SCCs.
6. Return or deletion
On termination of the underlying agreement, Processor will, at Controller's choice, return or delete all Customer Data within 30 days, unless retention is required by law. Controller can self-serve the return via the in-app data export at /admin/data-export at any time during the term and for 30 days after.
7. Audits
Processor will make its most recent SOC 2 Type II report (or, until that report is issued, evidence of its in-progress SOC 2 program with Drata) available to Controller under reasonable confidentiality terms upon written request to legal@arbor.app. Controller may, no more than once per twelve-month period (and unless triggered by a confirmed breach), conduct an audit of Processor's compliance with this DPA on reasonable advance notice. The audit must be conducted during business hours, must not unreasonably interfere with Processor's operations, and is at Controller's expense.
Annex A — Technical and Organizational Measures
Processor implements and maintains the following measures:
- Encryption: TLS 1.2+ in transit; AES-256 at rest via managed Supabase and Vercel encryption.
- Access control: role-based access at the application layer (manager / instructor / viewer / agency_admin / agency_member) and row-level security at the database layer; mandatory MFA for all human production access; quarterly access reviews.
- Audit logging: append-only audit_log table records every mutating operation with org, actor, timestamp, and field-level diff; configurable retention with a minimum of 30 days.
- Network security: Vercel edge network; HTTPS-only; HSTS; per-isolate domain routing with verified custom domains only.
- Vulnerability management: GitHub Dependabot weekly scans; documented SLA for high/critical CVEs; pre-commit lint + type checks.
- Backup and recovery: Supabase point-in-time recovery (Pro plan); quarterly restore drills with documented RTO 4h / RPO 5min.
- Incident response: documented runbook (see /trust); quarterly tabletop exercises; 72-hour breach notification commitment per Section 3.
- Personnel: background screening for personnel with production access; confidentiality agreements; security awareness training annually.
- Subprocessor management: all subprocessors bound by written contracts imposing data protection obligations no less protective than this DPA; inventory at /legal/subprocessors.