Data Processing Agreement
Last Updated: January 23, 2026
This Data Processing Agreement ("DPA") forms an integral part of the Archivis Terms of Service ("Terms") between the party named as "Customer" in the Terms ("Customer" or "Controller") and Archivis, Inc. ("Archivis," "Company," or "Processor") and sets out the parties' respective obligations when Customer personal data is processed by Archivis in relation to the Services performed by Archivis on Customer's behalf pursuant to the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed.
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between the Customer and:
Archivis, Inc.
(the "Data Processor")
(together as the "Parties")
WHEREAS
(A) The Customer (whether an individual or an organization) acts as a Data Controller and wishes to engage Archivis for professional biography writing, AI-assisted biography creation, digital preservation, and related services.
(B) The Customer wishes to subcontract certain Services, which may involve the processing of personal data and confidential biographical information, to Archivis.
(C) The Parties seek to implement comprehensive data protection, confidentiality, and intellectual property provisions that comply with applicable laws including GDPR, U.S. state privacy laws, and other relevant data protection regulations.
(D) The Parties wish to establish clear ownership rights regarding biographical content created during the service engagement.
IT IS AGREED AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing Agreement and all Schedules;
1.1.2 "Customer Personal Data" means any Personal Data Processed by Archivis on behalf of Customer pursuant to or in connection with the Principal Agreement;
1.1.3 "Customer Confidential Information" means all non-public, proprietary, or confidential information disclosed by Customer to Archivis, including but not limited to biographical content, personal stories, family information, photographs, questionnaire responses, and strategic plans;
1.1.4 "Data Protection Laws" means EU Data Protection Laws, U.S. Privacy Laws, and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 "U.S. Privacy Laws" means applicable U.S. federal and state privacy laws including but not limited to the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and any other applicable state privacy laws;
1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8 "Data Transfer" means:
- a transfer of Customer Personal Data from the Customer to Archivis; or
- an onward transfer of Customer Personal Data from Archivis to a Subprocessor, or between two establishments of Archivis, in each case, where such transfer would be prohibited by Data Protection Laws;
1.1.9 "Services" means the professional biography writing, AI-assisted biography creation, questionnaire management, photo processing, digital preservation, and publication services that Archivis provides;
1.1.10 "Biographical Content" means all personal stories, memories, narratives, photographs, documents, and other materials provided by Customer or created in the course of providing Services;
1.1.11 "Subprocessor" means any person appointed by or on behalf of Archivis to process Personal Data on behalf of the Customer in connection with the Agreement;
1.1.12 "Professional Writing Services" means the customized biography writing services provided by Archivis staff writers based on interviews and questionnaire responses.
1.2 GDPR Terms
The terms "Commission," "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. CONFIDENTIALITY AND DATA PROTECTION
2.1 Comprehensive Confidentiality
2.1.1 Archivis acknowledges that it may receive Customer Confidential Information and Customer Personal Data in connection with the Services.
2.1.2 Archivis shall:
- Hold all Customer Confidential Information in strict confidence;
- Use Customer Confidential Information solely for the purpose of providing the Services;
- Not disclose Customer Confidential Information to any third party without Company's prior written consent;
- Implement and maintain appropriate safeguards to protect the confidentiality of such information.
2.1.3 The confidentiality obligations shall survive termination of this Agreement for a period of seven (7) years.
2.2 Processing Obligations
Archivis shall:
2.2.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;
2.2.2 not Process Customer Personal Data other than on the Customer's documented instructions;
2.2.3 ensure all employees, contractors, and writers handling Personal Data or Confidential Information are bound by legally enforceable confidentiality agreements;
2.2.4 provide adequate training to all personnel handling Personal Data on data protection requirements and procedures;
2.2.5 be held liable for any processing activities conducted outside the scope of documented instructions.
2.3 Processing Instructions
The Customer instructs Archivis to process Customer Personal Data for the following purposes:
- Collection of biographical information through questionnaires and interviews
- Creation of written biographies using customer-provided information
- AI-assisted biography generation and drafting (where applicable)
- Photo processing, optimization, and storage
- Biography publication on archivis.org (when authorized)
- Customer communication and support
- Order fulfillment and service delivery
- Processing only as necessary to deliver the ordered service tier
3. ENTERPRISE SECURITY MEASURES
3.1 Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Archivis shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
3.2 Specific Security Measures
Archivis implements and maintains the following enterprise-grade security measures:
3.2.1 Encryption:
- End-to-end encryption for all data in transit using TLS 1.3
- Data at rest encrypted using AES-256 encryption via AWS KMS
- Database connections require SSL/TLS (no unencrypted access permitted)
- All S3 file storage encrypted with server-side encryption
3.2.2 Network Isolation:
- Database hosted in private VPC subnet with zero internet exposure (100% attack surface reduction)
- Application servers isolated in private subnets
- Security group controls limiting database access to application layer only
- NAT gateway for controlled external API access
3.2.3 Access Controls:
- Enterprise authentication through AWS Cognito with multi-factor authentication support
- JWT token signature verification (cryptographic validation)
- Role-based access control separating customer and admin privileges
- Session security with HTTPS-only, HttpOnly, and SameSite cookies
- Automatic session timeout (1 hour with renewal)
3.2.4 Data Minimization:
- Collection limited to information necessary for biography creation
- Questionnaire responses stored only for service delivery
- Unpublished drafts retained only until publication or account deletion
- Configurable retention policies for published biographies
3.2.5 Infrastructure Security:
- Automated daily database backups with 7-day retention
- Point-in-time recovery capability
- S3 versioning enabled for file recovery
- Regular security assessments and penetration testing
- Comprehensive incident response procedures
- Rate limiting on authentication endpoints (10 requests/60 seconds)
3.2.6 Application Security:
- Content Security Policy (CSP) headers preventing XSS attacks
- HTTP Strict Transport Security (HSTS) enforcing HTTPS
- Input validation and sanitization preventing SQL injection
- Parameterized database queries (SQLAlchemy ORM)
- Security event logging to AWS CloudWatch
3.2.7 Secrets Management:
- All credentials stored in AWS Systems Manager Parameter Store
- Secrets encrypted at rest with AWS KMS
- No credentials in code, configuration files, or environment variables
- IAM-based access control to secrets
- Comprehensive audit trail via AWS CloudTrail
3.2.8 Compliance Status:
- Enterprise-grade security infrastructure implemented
- SOC 2 Type I preparation underway (target: Q2 2026)
- Regular third-party security audits planned quarterly
3.3 Risk Assessment
In assessing the appropriate level of security, Archivis shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
4. U.S. PRIVACY LAW COMPLIANCE
4.1 U.S. Consumer Privacy Rights
Archivis shall assist Customer in fulfilling consumer rights requests under applicable U.S. Privacy Laws, including:
- Right to know/access personal information
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt-out of sale/sharing of personal information
- Right to data portability
4.2 CCPA/CPRA Compliance
4.2.1 Archivis warrants that it will not:
- Sell or share Customer Personal Data;
- Retain, use, or disclose Customer Personal Data for any purpose other than performing the Services;
- Use Customer Personal Data for advertising or commercial purposes outside the Services.
4.2.2 Archivis shall provide the same level of privacy protection as required by applicable U.S. Privacy Laws.
4.3 Cross-Border Data Transfers
For transfers of personal data from the U.S. to other jurisdictions, Archivis shall implement appropriate safeguards including standard contractual clauses or other legally recognized transfer mechanisms.
5. INTELLECTUAL PROPERTY AND CONTENT OWNERSHIP
5.1 Customer Ownership of Biographical Content
5.1.1 Upon full payment of applicable fees, Customer retains full ownership of:
- All biographical content provided to Archivis (stories, memories, information)
- All photographs and documents uploaded
- The completed biography in its final form
- All intellectual property rights in the finished biography
5.1.2 Archivis hereby assigns to Customer all right, title, and interest in the completed biography upon final delivery and payment.
5.2 Archivis Retained Rights
5.2.1 Archivis retains ownership of:
- Its core platform, software, and underlying technology
- General writing methodologies and processes
- AI models and prompt engineering techniques
- Aggregated and anonymized insights that cannot identify Customer
5.2.2 Archivis may use general knowledge, skills, and experience gained from providing Services, provided such use does not violate confidentiality obligations or disclose Customer Confidential Information.
5.3 License Grant
5.3.1 Customer grants Archivis a limited, non-exclusive license to:
- Use biographical content solely for creating Customer's biography
- Display published biographies on archivis.org (if Customer chooses publication)
- Use anonymized portions as samples for marketing (with Customer permission, revocable at any time)
5.3.2 Upon publication, Customer grants Archivis a perpetual, non-exclusive license to display the published biography on archivis.org unless Customer requests unpublication or deletion.
6. SUBPROCESSING
6.1 Authorized Subprocessors
Archivis is authorized to engage the following Subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, database, file storage | United States (us-east-2) |
| OpenAI L.P. | AI-assisted biography generation | United States |
| Stripe, Inc. | Payment processing | United States |
| Affirm, Inc. (via Stripe) | Financing services | United States |
| Google Workspace | Email communications (SMTP) | United States |
6.2 Subprocessor Requirements
Archivis shall ensure that all Subprocessors:
- Are bound by data protection and confidentiality obligations substantially equivalent to those in this Agreement
- Maintain compliance with applicable Data Protection Laws
- Process Personal Data only for the specific purposes authorized by Customer
- Implement appropriate technical and organizational measures
6.3 Subprocessor Changes
Archivis shall inform Customer of any intended changes to Subprocessors with at least 30 days' prior written notice via email and website announcement. Customer may object to such changes within 14 days if the changes do not meet required data protection standards.
7. DATA SUBJECT RIGHTS
7.1 Assistance to Customer
Archivis shall assist Customer in fulfilling its obligations to respond to requests to exercise Data Subject rights under applicable Data Protection Laws, including both GDPR and U.S. Privacy Laws.
7.2 Data Subject Request Handling
Archivis shall:
7.2.1 Promptly notify Customer within 5 business days if it receives a request from a Data Subject;
7.2.2 Not respond to that request except on the documented instructions of Customer or as required by applicable laws;
7.2.3 Provide Customer with tools to export their complete data (biography text, photos, questionnaire responses) in machine-readable format (JSON + ZIP);
7.2.4 Process deletion requests within 30 days, with backup purging within 90 days.
8. DATA PROTECTION IMPACT ASSESSMENT
Archivis shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law.
9. PERSONAL DATA BREACH
9.1 Breach Notification
Archivis shall notify Customer at the email address associated with Customer's account without undue delay and in any event within 72 hours upon becoming aware of a Personal Data Breach affecting Customer Personal Data.
9.2 Breach Contents
Such notification shall contain:
- Description of the nature of the breach
- Categories and approximate number of affected data subjects
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for more information
9.3 Breach Response
Archivis shall cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
10. DATA RETENTION AND DELETION
10.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Active Account Data | While account active | Service provision |
| Published Biographies | Indefinite (unless deleted by customer) | Public archival purpose |
| Unpublished Drafts | Until published or account deleted | Work in progress |
| Questionnaire Responses | Until biography completed or account deleted | Service delivery |
| Payment Records | 7 years after transaction | Tax and legal compliance |
| Security Logs | 90 days | Security investigation |
| Inactive Accounts | 5 years without login → archived with notice | Storage optimization |
| Database Backups | 7 days (automated), manual snapshots available | Disaster recovery |
10.2 Data Deletion
Archivis shall delete Customer Personal Data and Confidential Information within 30 days of:
- Customer account deletion request
- Service termination
- Completion of service for unpublished biographies (if deletion requested)
Exceptions:
- Data required to be retained by law (payment records - 7 years)
- Published biographies (customer must unpublish before deletion)
- Aggregated, anonymized data that cannot identify Customer
- Backups (purged within 90 days after deletion from active systems)
10.3 Deletion Certification
Archivis shall provide written certification to Customer that it has fully complied with deletion obligations within 30 days of the deletion request.
10.4 Right to Data Export Before Deletion
Before deleting data, Archivis shall provide Customer with an opportunity to export a complete data package within 7 business days.
11. AUDIT RIGHTS
12. DATA TRANSFER AND CROSS-BORDER PROCESSING
13. NO-TRAINING AND AI ETHICS
14. LIABILITY AND INDEMNIFICATION
15. TERM AND TERMINATION
16. GOVERNING LAW AND DISPUTE RESOLUTION
17. GENERAL PROVISIONS
SIGNATURE
By using Archivis Services, Customer agrees to the terms of this Data Processing Agreement.
For questions about this DPA:
Email: privacy@archivis.org
Website: archivis.org/data-processing
Version: 1.0
SCHEDULE A - STANDARD CONTRACTUAL CLAUSES
Note: Full EU Standard Contractual Clauses would be included here for customers requiring EU data transfer compliance. These clauses follow the European Commission's approved templates for controller-to-processor transfers.
APPENDIX - ANNEXES
ANNEX I - PARTIES AND TRANSFER
A. LIST OF PARTIES
Data exporter(s):
- Name: The party named as "Customer" in the Terms
- Address: Address associated with Archivis account
- Contact: Email address associated with customer account
- Role: Controller
Data importer(s):
- Name: Archivis, Inc.
- Contact: privacy@archivis.org
- Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects: Biography subjects, family members, account holders
Categories of personal data: Biographical information, personal details, photographs, account information, questionnaire responses
Nature of processing: Collection, writing, editing, AI-assisted drafting, photo processing, publication
Purpose: Biography creation, digital preservation, publication (when authorized)
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES
Archivis implements comprehensive technical and organizational measures as detailed in Section 3 of this Agreement, including:
- Encryption (TLS 1.3, AES-256)
- Network isolation (private VPC subnet)
- Access controls (Cognito, JWT verification, MFA)
- Rate limiting and monitoring
- Automated backups and disaster recovery
- Security event logging
ANNEX III - LIST OF SUB-PROCESSORS
| Name | Purpose | Location | Website |
|---|---|---|---|
| AWS | Cloud infrastructure and hosting | United States | aws.amazon.com |
| OpenAI | AI language model services | United States | openai.com |
| Stripe | Payment processing | United States | stripe.com |
| Affirm | Financing services | United States | affirm.com |
| Google Workspace | Email communications | United States | workspace.google.com |