Data Processing Agreement
Last updated March 1, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Arvexi, Inc. (“Processor”) and the entity identified in the applicable subscription agreement (“Controller”) for Arvexi's AI-powered lease accounting platform (the “Platform”).
This DPA applies where Arvexi processes Personal Data on behalf of the Controller in the course of providing the Platform services.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Arvexi on behalf of Controller through the Platform.
“Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, combination, erasure, and destruction.
“Sub-processor” means any third party engaged by Arvexi to process Personal Data on behalf of Controller.
“Data Protection Laws” means all applicable laws relating to data protection and privacy, including GDPR (EU 2016/679), UK GDPR, CCPA, and any other applicable data protection legislation.
2. Scope of Processing
2.1 Categories of Data Subjects
- Controller's employees and contractors (account users)
- External auditors granted Auditor Portal access
- Individuals referenced in lease documents (e.g., signatories, tenant contacts)
2.2 Types of Personal Data
- Contact information (names, email addresses, job titles)
- Account credentials and authentication data
- Personal data contained within lease documents (signatory names, contact details, addresses)
- Usage logs and IP addresses
2.3 Purpose of Processing
Arvexi processes Personal Data solely to provide the Platform services, including AI-powered document extraction, lease classification, journal entry generation, amortization scheduling, compliance reporting, and related lease accounting functions.
3. Obligations of the Processor
Arvexi shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Annex II
- Not engage Sub-processors without prior written authorization from the Controller (see Section 5)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller with data protection impact assessments and regulatory consultations where required
- Delete or return all Personal Data upon termination, at the Controller's choice, within 90 days
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits
4. Security Measures
Arvexi implements the following technical and organizational measures to protect Personal Data:
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption for all data in transit
- Logical data segregation between customer tenants
- Role-based access controls with principle of least privilege
- Multi-factor authentication for all Platform access
- Audit logging of all data access and modifications
- Regular penetration testing by independent third parties
- SOC 2 Type II and SOC 1 Type II certified controls
- ISO 27001 certified information security management system
- Business continuity and disaster recovery procedures
5. Sub-processors
5.1. Controller authorizes Arvexi to engage the Sub-processors listed in Annex III. Arvexi maintains an up-to-date list of Sub-processors, which is available upon request.
5.2. Arvexi will notify Controller at least 30 days before engaging a new Sub-processor. Controller may object to the engagement within 14 days of notification. If Arvexi cannot reasonably accommodate the objection, Controller may terminate the affected services.
5.3. Arvexi imposes data protection obligations on Sub-processors that are no less protective than those in this DPA.
6. International Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Arvexi relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor)
- UK International Data Transfer Agreement or UK Addendum to SCCs, as applicable
- Transfer Impact Assessments conducted for each receiving jurisdiction
7. Data Breach Notification
7.1. Arvexi will notify Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data breach.
7.2. Notification will include: the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.
8. Audit Rights
Controller may audit Arvexi's compliance with this DPA once per year upon 30 days' written notice. Arvexi will cooperate with the audit and provide access to relevant facilities, systems, and personnel. Arvexi may satisfy audit requirements by providing copies of current SOC 2 Type II and ISO 27001 audit reports.
9. AI-Specific Provisions
9.1. No Model Training. Arvexi does not use Personal Data or Customer Data to train, retrain, or improve general-purpose AI or machine learning models.
9.2. AI Processing Scope. AI processing of lease documents is performed within Arvexi's secure infrastructure. No Customer Data is transmitted to third-party AI providers without Controller's explicit written consent.
10. Term and Termination
This DPA remains in effect for the duration of Arvexi's processing of Personal Data on behalf of Controller. Upon termination, Arvexi will delete or return all Personal Data within 90 days, and certify deletion in writing upon request.
Annex I: Details of Processing
Subject matter, duration, nature, and purpose of processing as described in Section 2 of this DPA and the applicable subscription agreement.
Annex II: Technical and Organizational Measures
Security measures as described in Section 4 of this DPA and Arvexi's Security Policy.
Annex III: Approved Sub-processors
Current list of approved Sub-processors is available upon request at privacy@arvexi.com.
Contact
For questions about this DPA, contact privacy@arvexi.com.