This page summarizes the Data Processing Addendum ("DPA") that Arcstack, Inc. enters into with enterprise customers. A countersigned DPA is available on request.
Roles
Grafty runs on customer infrastructure. The customer is the controller (and, where applicable, processor) of personal data processed inside their Grafty instance. Arcstack is not a processor of that data.
Scope of Arcstack processing
Arcstack processes limited personal data submitted directly to Arcstack — for example, contact form entries, license registrations, and support requests. The DPA covers that scope.
Security measures
TLS in transit, encryption of secrets at rest, least-privilege access, change management, vulnerability response, and audit logging on Arcstack-operated systems.
Subprocessors
Available on request. Updates are communicated to customers with the option to object.
Data subject requests
Arcstack will assist customers in responding to data subject requests directed at Arcstack-held data.
International transfers
Standard Contractual Clauses are available where required.
Contact
Request a copy: info@grafty.ai (subject "[DPA Request]").