Data Processing Agreement
Aria Customer Data Processing Agreement (DPA)
Effective Date: [Date]
This Data Processing Agreement ("DPA") forms part of the Aria Terms of Use (the "Agreement") between Aria Coda LLC, a Texas limited liability company ("Aria", "Processor", or "we") and the user or entity accessing the Platform ("Customer", "Controller", or "you").
By accepting the Terms of Use and using the Platform, Customer agrees to be bound by this DPA.
1. Scope and Roles
This DPA applies to the extent Aria processes any Personal Data on behalf of the Customer in the course of providing the Aria AI contract negotiation platform (the "Services"). For the purposes of European (GDPR), UK, and applicable US state privacy laws, the Customer is the Data Controller and Aria is the Data Processor.
2. Processing Instructions
2.1 Permitted Purpose: Aria will only process Personal Data in accordance with Customer's documented instructions, which are strictly limited to providing, maintaining, and supporting the Services as outlined in the Agreement and the Privacy Policy. 2.2 AI and Machine Learning Limitation: Aria explicitly agrees that it will not use Customer's Personal Data, including the contents of uploaded or negotiated contracts, to train, retrain, or improve its own or any third-party foundational Large Language Models (LLMs).
3. Sub-Processors
3.1 Authorization: Customer grants Aria general authorization to engage third-party sub-processors to fulfill its obligations. 3.2 Current Sub-Processors: Our current authorized sub-processors include: * Infrastructure & Operations: DigitalOcean, LLC (Hosting), SignWell, Inc. (E-signatures), and AC PM, LLC (Transactional email). * Payment Processing: Stripe, Inc. * AI Model Providers: Anthropic PBC / Anthropic Ireland Limited, OpenAI OpCo, LLC, and Google LLC (processing for contract negotiation; subject to limited provider-side retention for abuse monitoring, security, and legal compliance, as set out in each provider's data processing terms). 3.3 Flow-Down Obligations: Aria shall enter into written agreements with all sub-processors imposing data protection terms that require the sub-processor to protect the Personal Data to the same standard provided in this DPA (including strict prohibitions on using Customer data to train foundational AI models).
4. Security and Confidentiality
Aria shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, destruction, loss, or alteration. Aria ensures that its personnel authorized to process Personal Data are subject to strict obligations of confidentiality.
5. Data Subject Requests
If Aria receives a request directly from a data subject (such as a request to access, correct, or delete data) regarding Personal Data processed on behalf of Customer, Aria will promptly notify Customer. Aria will provide reasonable assistance to enable Customer to respond to such requests in accordance with applicable data protection laws.
6. Personal Data Breach
Upon becoming aware of a confirmed Personal Data breach affecting Customer's data, Aria will notify Customer without undue delay. Aria will provide sufficient information to allow Customer to meet any obligations to report the breach to competent authorities or affected individuals.
7. Deletion or Return of Data
Upon termination of the Customer's account or upon Customer's written request, Aria shall securely delete or anonymize all Personal Data processed on behalf of the Customer, unless applicable laws (such as tax or commercial liability limitation periods) mandate the retention of specific records, as outlined in our Privacy Policy.
8. International Data Transfers
To the extent Aria processes Personal Data originating from the European Economic Area (EEA), the UK, or Switzerland in a country that has not been designated as providing an adequate level of protection, the parties agree that such transfers shall be governed by the applicable Standard Contractual Clauses (SCCs) as approved by the European Commission or the UK Information Commissioner's Office, which are hereby incorporated by reference.