Data Processing Agreement

Last Updated: March 8, 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between Arvo AI Ltd. ("Processor") and the customer ("Controller") for the provision of the Aurora platform.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).
  • "Controller" means the customer who determines the purposes and means of processing Personal Data.
  • "Processor" means Arvo AI Ltd., which processes Personal Data on behalf of the Controller.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data.

2. Scope and Roles

For self-hosted Aurora deployments, the customer is the Data Controller and Arvo AI acts as Data Processor. Arvo AI processes Personal Data only on documented instructions from the Controller, as described in the service agreement.

3. Processing Details

  • Subject Matter: Provision of AI-powered root cause analysis for infrastructure incidents
  • Duration: For the term of the service agreement
  • Nature and Purpose: Processing user account data for authentication, processing investigation queries, querying infrastructure telemetry from customer cloud providers
  • Types of Personal Data: User identity data (name, email, role), investigation queries, infrastructure logs (which may incidentally contain PII)
  • Categories of Data Subjects: Customer employees (SRE engineers, DevOps staff, IT operations)

4. Obligations of the Processor

Arvo AI shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Not engage Sub-Processors without prior written authorization from the Controller
  • Assist the Controller in responding to data subject rights requests
  • Notify the Controller without undue delay upon becoming aware of a Personal Data breach
  • Delete or return all Personal Data upon termination of the service agreement
  • Make available all information necessary to demonstrate compliance with GDPR obligations

5. Security Measures

Arvo AI implements the following technical and organizational measures:

  • HashiCorp Vault for credential encryption and storage, separate from the application database
  • Authentication and role-based access controls
  • Self-hosted deployment model ensuring all data remains on customer infrastructure
  • No telemetry or analytics collected by Arvo AI
  • Open-source codebase (Apache 2.0) enabling security audit
  • TLS encryption for data in transit
  • Support for GCP Cloud KMS auto-unseal in production deployments

6. Sub-Processors

The Controller authorizes the use of the Sub-Processors listed on our Sub-Processors page. Arvo AI will notify the Controller before adding or replacing Sub-Processors, giving the Controller the opportunity to object.

7. International Transfers

Arvo AI is based in Canada, which benefits from an EU adequacy decision under PIPEDA. Where Sub-Processors are located in the United States, transfers are governed by Standard Contractual Clauses (SCCs) incorporated into the agreements with those Sub-Processors.

8. Data Breach Notification

Arvo AI will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to mitigate the breach.

9. Audits

Arvo AI will make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an authorized auditor. Aurora's open-source codebase provides transparency into all data processing operations.

10. Term and Termination

This DPA is effective for the duration of the service agreement. Upon termination, Arvo AI will delete or return all Personal Data processed on behalf of the Controller, unless retention is required by applicable law.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Province of Quebec, Canada, without regard to its conflict of law provisions.

12. Contact

For questions about this DPA, contact: info@arvoai.ca

© 2026 Arvo A.I. Ltd. All rights reserved.