Arrows Up, LLC - Data Processing Agreement

Last Updated: December, 2025

This Data Processing Agreement ("DPA") is made between Arrows Up, LLC ("Arrows Up" or "Processor") and the client ("Client") identified on an Arrows Up Service Agreement ("Agreement").

1. Scope and Applicability

  • 1.1 Application: This DPA applies solely to the processing of personal information where Arrows Up acts as a Processor or Sub-processor on behalf of the Client specifically through the use of Arrows Up Technology (proprietary software owned and operated by Arrows Up).
  • 1.2 Exclusions - Third-Party Tools: This DPA does not apply to the installation, configuration, or management of third-party trackers, pixels, or scripts (e.g., Google Analytics, Meta Pixel). Client acknowledges that such third-party tools are governed by the respective terms between the Client and the third-party provider. Arrows Up acts merely as a service provider performing technical implementation at Client's direction and does not "process" this data.
  • 1.3 Exclusions - Custom Development: Where Arrows Up builds custom software or data processing systems for the Client that are hosted on Client's infrastructure (e.g., Client's AWS/Azure account), Arrows Up is a "Service Provider" for development purposes only. This DPA does not apply to the ongoing data processing within those custom systems once delivered.
  • 1.4 Exclusions - Non-Data Services: The parties agree that this DPA does not apply to services provided by Arrows Up that do not involve the automated processing of Client's end-user data through Arrows Up Technology, including but not limited to video production, SEO strategy consulting, website design and development, and creative design.
  • 1.5 Relationship: For the purposes of this DPA, Client acts as a Controller and Arrows Up acts as a Processor.

2. Processing Instructions

Arrows Up shall process Personal Information only on documented instructions from the Client. Client warrants that its instructions comply with Applicable Data Protection Laws ("ADPL") and that it has obtained all necessary consents for such processing.

Arrows Up may also process personal information as required by ADPL to which Arrows Up is subject.

3. Sub-processors

Client provides general authorization for Arrows Up to engage sub-processors.

  • 3.1 Notification: Arrows Up shall maintain its sub-processor list, available here.
  • 3.2 Objection: Client may object to a new sub-processor on reasonable grounds within 14 days of a list update. If an objection is made, the parties will discuss in good faith. If no resolution is reached, Client may terminate the affected service with 30 days' written notice to legal@goarrowsup.com.
  • 3.3 Liability: Arrows Up remains liable for the acts of its sub-processors.

4. Security and Confidentiality

Arrows Up shall implement the Technical and Organizational Measures ("TOMs") set forth in Annex II to ensure a level of security appropriate to the risk. All personnel processing data are subject to strict confidentiality obligations.

5. Personal Data Breach

Arrows Up shall notify Client without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. Arrows Up shall provide reasonable information to assist Client in its notification obligations but does not admit fault or liability by providing such notice.

6. Assistance and Cooperation

  • 6.1 Data Subject Rights: Arrows Up shall provide reasonable assistance to Client in responding to data subject requests.
  • 6.2 DPIAs: Arrows Up shall assist Client with Data Protection Impact Assessments where required.
  • 6.3 Costs: Unless a request for assistance arises from a breach by Arrows Up, Client shall reimburse Arrows Up for time and materials at Arrows Up's then-current professional services rates for providing such assistance.

7. Audit Rights

To demonstrate compliance, Arrows Up shall allow for and contribute to audits conducted by Client or an independent auditor:

  • 7.1 Frequency: No more than once per calendar year.
  • 7.2 Notice: Client must provide at least 30 days' prior written notice.
  • 7.3 Method: Client shall first review Arrows Up's existing security certifications or third-party audit reports. A physical inspection shall only occur if such reports are insufficient.
  • 7.4 Expense: Any audit shall be at Client's sole expense.

8. International Data Transfers

Where Personal Information is transferred from the EEA, Switzerland, or the UK to a country not recognized as providing adequate protection:

  • 8.1 EU/EEA: The Parties agree to abide by the EU Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor), which are hereby incorporated by reference.
  • 8.2 UK: The Parties agree to the UK International Data Transfer Addendum to the EU SCCs.
  • 8.3 Location: For the purposes of Annex I of the SCCs, Arrows Up, LLC is the Data Importer located in the United States.

9. Term and Termination

This DPA remains in effect for as long as Arrows Up processes Personal Information through Arrows Up Technology on behalf of the Client. Upon termination, Arrows Up shall delete or return Personal Information within 90 days, unless required by law to retain it.

10. Limitation of Liability

The total aggregate liability of Arrows Up arising out of or related to this DPA (whether in contract, tort, or otherwise) shall be subject to the limitation of liability provisions set forth in the Agreement. All claims under this DPA shall be counted toward the liability cap defined in the Agreement.

11. Severability

If any provision of this DPA is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it enforceable, or if modification is not possible, it shall be severed from this DPA. The remaining provisions of this DPA shall remain in full force and effect.

12. Communication

Arrows Up's Data Protection personnel may be contacted at privacy@goarrowsup.com.

Annex II: Technical and Organizational Measures (TOMs)

Arrows Up maintains the following baseline security measures:

  • Access Control: Multi-factor authentication (MFA) required for employees to access any system containing personal data.
  • Encryption: Data encrypted at rest and in transit.
  • Personnel: Annual privacy and security awareness training for all employees.
  • Vulnerability Management: Periodic software updates and patch management.
  • Backups: Regular automated backups with tested restoration procedures.