Data Processing Addendum
Last updated: 6 June 2026
This Data Processing Addendum (DPA) applies where, in using Arcalix, you act as a data controller and we process personal data on your behalf — for example end-user personal data contained in files you distribute. It forms part of, and is incorporated into, our Terms of Service.
1. When this applies
For your own account data (your name, email, billing details and similar), we act as a controller and our Privacy Policy applies. This DPA applies separately where you upload or distribute content that contains personal data of your end users — there, you are the controller and we act as your processor.
2. Roles & responsibilities
You determine the purposes and means of processing the end-user personal data you put into the Service, and you are responsible for having a lawful basis to do so and for the lawfulness of that data. We process it only on your documented instructions (which include your configuration and use of the Service and these terms), except where law requires otherwise.
3. Subject matter & nature
- Subject matter: provision of the Arcalix storage and content-delivery Service.
- Duration: for the term of your subscription, plus any wind-down/deletion period.
- Nature & purpose: storing, caching, transmitting and delivering the files you upload to your end users.
- Types of data & data subjects: as determined by you and the content you choose to distribute; the Service is not designed to process special-category data.
4. Our obligations
As your processor we will: process personal data only on your instructions; ensure people authorised to process it are under a duty of confidentiality; implement appropriate technical and organisational security measures; assist you (taking into account the nature of processing) with data-subject requests and with your security, breach-notification and impact-assessment obligations; and make available information reasonably necessary to demonstrate compliance.
5. Authorised sub-processors
You authorise us to engage the sub-processors listed below to help deliver the Service. Each is bound by data-protection obligations consistent with this DPA. We will give you reasonable notice of any intended change to this list so you can object on reasonable data-protection grounds.
| Sub-processor | Purpose | Location | Data processed |
|---|---|---|---|
| Paddle.com Market Ltd | Card payments, billing & tax (merchant of record) | United Kingdom / EU | Name, email, billing address, transaction data |
| Cloudflare, Inc. | CDN, R2 object storage, KV, Workers & DNS | United States / Global | Uploaded files; request IP address & user-agent at the edge |
| ATLOS | Cryptocurrency payment processing | Global | Studio identifier, amount, subscription metadata |
| [Email provider] | Transactional email delivery | [Region] | Recipient email, name, message content |
| Google LLC | OAuth sign-in (if used) | United States | Email, name, avatar URL |
| GitHub, Inc. | OAuth sign-in (if used) | United States | Email, name, avatar URL |
6. International transfers
Where a sub-processor transfers personal data outside the UK, we ensure an appropriate transfer mechanism is in place (such as the UK International Data Transfer Agreement / Addendum, the UK extension to the EU Standard Contractual Clauses, or an adequacy decision).
7. Security
We maintain technical and organisational measures appropriate to the risk, including encryption in transit, access controls, authentication protections and segregation between studios. You are responsible for the security of your own credentials and for configuring the Service appropriately.
8. Breach notification
We will notify you without undue delay after becoming aware of a personal-data breach affecting the data we process on your behalf, and will provide the information reasonably available to help you meet your own notification obligations.
9. Return & deletion
On termination of the Service, or on your request, we will delete or return the personal data we process on your behalf within a reasonable period, and delete existing copies unless we are required by law to retain them.
10. Audits
On reasonable prior written request, and subject to confidentiality, we will provide information reasonably necessary to demonstrate compliance with this DPA, and allow for audits in a manner that does not compromise the security or confidentiality of other customers' data.
11. Contact
To raise a data-processing matter or to request a countersigned copy of this DPA, contact support@arcalix.uk — Arcalix Limited, First Floor Office, 3 Hornton Place, London, United Kingdom, W8 4LZ.
Questions about this document? Contact us at support@arcalix.uk.