Arrows Up, LLC - Data Processing Agreement

Last Updated: January, 2026

This Data Processing Agreement ("DPA") is made between Arrows Up, LLC ("Arrows Up" or "Processor") and the client ("Client") identified on an Arrows Up Service Agreement ("Agreement").

1. Scope and Applicability

  • 1.1 Application: This DPA applies solely to the processing of personal information where Arrows Up acts as a Processor or Sub-processor on behalf of the Client specifically through the use of Arrows Up Technology (proprietary software owned and operated by Arrows Up).

  • 1.2 Exclusions - Third-Party Tools: This DPA does not apply to the installation, configuration, or management of third-party trackers, pixels, or scripts (e.g., Google Analytics, Meta Pixel). Client acknowledges that such third-party tools are governed by the respective terms between the Client and the third-party provider. Arrows Up acts merely as a service provider performing technical implementation at Client's direction and does not "process" this data.

  • 1.3 Exclusions - Custom Development: Where Arrows Up builds custom software or data processing systems for the Client that are hosted on Client's infrastructure (e.g., Client's AWS/Azure account), Arrows Up is a "Service Provider" for development purposes only. This DPA does not apply to the ongoing data processing within those custom systems once delivered.

  • 1.4 Exclusions - Non-Data Services: The parties agree that this DPA does not apply to services provided by Arrows Up that do not involve the automated processing of Client's end-user data through Arrows Up Technology, including but not limited to video production, SEO strategy consulting, website design and development, and creative design.

  • 1.5 Relationship: For the purposes of this DPA, Client acts as a Controller and Arrows Up acts as a Processor.

2. Processing Instructions

Arrows Up shall process personal information only on Client's documented instructions, including with respect to consent, opt-out, and Global Privacy Control (GPC) signals, except where required by law. If Arrows Up believes an instruction infringes Applicable Data Protection Laws ("ADPL") or creates material legal or platform-policy risk, it will notify Client and may suspend the instruction pending resolution. Client warrants its instructions comply with ADPL and that it has obtained all necessary permissions/consents.

  • (a) Arrows Up shall not Sell or Share personal information and shall not use it for Targeted Advertising except to perform the Services for Client;

  • (b) Arrows Up shall not retain, use, or disclose personal information for any purpose other than the Business Purpose of performing the Services or as otherwise permitted by law;

  • (c) Arrows Up shall not combine personal information received from Client with Personal Information from other sources, except to perform the Services, to detect security incidents or fraud, or as otherwise permitted by law;

  • (d) Arrows Up shall honor Client-provided GPC and other universal opt-out signals and opt-out preferences for Targeted Advertising/"Sale/Share." These commitments flow down to Sub-processors.

Client is responsible for obtaining required notices/consents and for operating a compliant CMP where applicable. Arrows Up will implement reasonable technical means to receive and act on Client's consent status, IAB TCF v2.2 strings, Consent Mode parameters, Meta Limited Data Use flags, and GPC signals across Arrows Up Proprietary Tracking and any configurations managed by Arrows Up for Client. Arrows Up will not override Client's signals.

Client shall not instruct Arrows Up to collect or process, and Arrows Up shall not knowingly process: (i) GDPR special categories or sensitive personal information (e.g., health diagnosis, precise geolocation, government IDs, complete financial account numbers, biometrics) unless expressly agreed in writing and subject to additional terms (e.g., BAA); (ii) personal information of children under 13 (or under 16 where applicable) without prior written agreement and verified consent mechanisms; (iii) data from authenticated health portals or pages revealing specific medical conditions/treatments unless covered by a BAA; (iv) video viewing data tied to an identified person without VPPA-compliant disclosures/consent; (v) two-party call/communication recordings without required consents.

3. Sub-processors

Client provides general authorization for Arrows Up to engage sub-processors.

  • 3.1 Notification: Arrows Up shall maintain its sub-processor list, available here.

  • 3.2 Objection: Client may object to a new sub-processor on reasonable grounds within 14 days of a list update. If an objection is made, the parties will discuss in good faith. If no resolution is reached, Client may terminate the affected service with 30 days' written notice to legal@goarrowsup.com.

  • 3.3 Liability: Arrows Up remains liable for the acts of its sub-processors.

4. Security and Confidentiality

Arrows Up shall implement the Technical and Organizational Measures ("TOMs") set forth in Annex II to ensure a level of security appropriate to the risk. All personnel processing data are subject to strict confidentiality obligations.

5. Personal Data Breach

Arrows Up shall notify Client without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. Arrows Up shall provide reasonable information to assist Client in its notification obligations but does not admit fault or liability by providing such notice.

6. Assistance and Cooperation

  • 6.1 Data Subject Rights: Arrows Up shall provide reasonable assistance to Client in responding to data subject requests.

  • 6.2 DPIAs: Arrows Up shall assist Client with Data Protection Impact Assessments where required.

  • 6.3 Costs: Unless a request for assistance arises from a breach by Arrows Up, Client shall reimburse Arrows Up for time and materials at Arrows Up's then-current professional services rates for providing such assistance.

7. Audit Rights

To demonstrate compliance, Arrows Up shall allow for and contribute to audits conducted by Client or an independent auditor:

  • 7.1 Frequency: No more than once per calendar year.

  • 7.2 Notice: Client must provide at least 30 days' prior written notice.

  • 7.3 Method: Client shall first review Arrows Up's existing security certifications or third-party audit reports. A physical inspection shall only occur if such reports are insufficient.

  • 7.4 Expense: Any audit shall be at Client's sole expense.

8. International Data Transfers

Where personal information is transferred from the EEA, Switzerland, or the UK to a country not recognized as providing adequate protection:

  • 8.1 EU/EEA: The Parties agree to abide by the EU Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor), which are hereby incorporated by reference.

  • 8.2 UK: The Parties agree to the UK International Data Transfer Addendum to the EU SCCs.

  • 8.3 Location: For the purposes of Annex I of the SCCs, Arrows Up, LLC is the Data Importer located in the United States.

9. Term and Termination

This DPA remains in effect for as long as Arrows Up processes personal information through Arrows Up Technology on behalf of the Client. Upon termination, Arrows Up shall delete or return Personal Information within 90 days, unless required by law to retain it.

10. Limitation of Liability

The total aggregate liability of Arrows Up arising out of or related to this DPA (whether in contract, tort, or otherwise) shall be subject to the limitation of liability provisions set forth in the Agreement. All claims under this DPA shall be counted toward the liability cap defined in the Agreement.

11. Severability

If any provision of this DPA is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it enforceable, or if modification is not possible, it shall be severed from this DPA. The remaining provisions of this DPA shall remain in full force and effect.

12. Communication

Arrows Up's Data Protection personnel may be contacted at privacy@goarrowsup.com.

Annex II: Technical and Organizational Measures (TOMs)

Arrows Up maintains the following baseline security measures:

  • Access Control: Multi-factor authentication (MFA) required for employees to access any system containing personal data.

  • Encryption: Data encrypted at rest and in transit.

  • Personnel: Annual privacy and security awareness training for all employees.

  • Vulnerability Management: Periodic software updates and patch management.

  • Backups: Regular automated backups with tested restoration procedures.