Data Processing Agreement
Effective Date: [Date — to be set before launch]
This Data Processing Agreement ("DPA") supplements the Terms of Service and applies to Enterprise customers who require a formal agreement governing the processing of personal data.
This DPA is a working draft and has not yet been reviewed by legal counsel. It will be finalized before launch. To request a signed DPA, contact privacy@arocut.com.
1. Definitions
- "Controller" — the Aro Cut customer (operator) who determines the purposes and means of processing guest personal data
- "Processor" — Aro Cut, which processes guest personal data on behalf of the Controller
- "Data Subject" — the guest whose personal data is processed (phone number, email address, captured media)
- "Personal Data" — any information relating to an identified or identifiable natural person
- "Subprocessor" — a third party engaged by Aro Cut to process Personal Data on behalf of the Controller
2. Scope and Roles
The operator (Controller) collects guest phone numbers, email addresses, and consent at the event booth. The operator decides what data to collect and for what purpose.
Aro Cut (Processor) processes this data solely to deliver the services described in the Terms of Service: video processing, content hosting, SMS/email delivery, and tokenized landing page generation. We do not use guest data for our own marketing or analytics purposes.
3. Subject Matter and Duration
Data Processed
- Guest phone numbers (for SMS delivery via Twilio)
- Guest email addresses (for email delivery via Resend)
- Captured media (video/photo content stored in Cloudflare R2)
- Delivery metadata (timestamps, delivery status, landing page access logs)
Duration
Processing continues for the duration of the operator's subscription. Upon cancellation or termination, data is retained for a reasonable wind-down period to allow export, after which it is deleted. Exact timelines will be confirmed in the signed DPA.
4. Obligations of the Processor
Aro Cut shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 6)
- Assist the Controller in responding to data subject requests (access, deletion, portability)
- Notify the Controller without undue delay upon becoming aware of a personal data breach
- Delete or return all Personal Data upon termination, at the Controller's choice
- Make available information necessary to demonstrate compliance with these obligations
5. Subprocessors
Aro Cut uses the following subprocessors to deliver the Service. Each processes data only as needed for its specific function:
- Cloudflare (San Francisco, CA) — hosting, CDN, cloud storage (R2), serverless compute (Workers, Durable Objects)
- Twilio (San Francisco, CA) — SMS delivery for guest content links
- Resend (San Francisco, CA) — email delivery for guest content links
- Apple (Cupertino, CA) — app distribution and subscription billing (does not process guest data)
Changes to Subprocessors
We will notify Enterprise DPA customers at least 30 days before engaging a new subprocessor that processes Personal Data. If you object to a new subprocessor, you may terminate the affected services without penalty.
6. Security Measures
Aro Cut implements the following technical and organizational measures:
- Encryption in transit: all data transmitted between devices, clients, and servers uses TLS
- Encryption at rest: cloud storage (Cloudflare R2) uses encryption at rest
- Access control: production system access is restricted to authorized personnel with role-based permissions
- Tokenized URLs: guest landing pages use unique tokens with 50-use caps and can be revoked
- Idempotent delivery: nonce-based replay protection prevents duplicate message delivery
- Minimal data collection: we process only the data necessary to deliver the requested service
7. Data Subject Requests
If a guest (Data Subject) contacts Aro Cut directly with a request to access, correct, or delete their data, we will:
- Notify the relevant Controller (operator) of the request
- Assist the Controller in fulfilling the request as required by applicable law
- Process the request ourselves, within a reasonable timeframe, if the Controller cannot be identified or reached
Operators can request guest-data deletion through the product flows available at the time or by contacting support. The exact deletion workflow will be documented in the signed DPA and supporting product documentation.
8. Incident Notification
In the event of a personal data breach, Aro Cut will:
- Notify affected Controllers without undue delay (and in any event within 72 hours of becoming aware of the breach)
- Provide details of the nature of the breach, categories of data affected, approximate number of records, and measures taken or proposed to address the breach
- Cooperate with the Controller's own notification obligations to supervisory authorities and data subjects
9. Data Deletion and Return
Upon termination of the subscription or upon written request:
- Aro Cut will work with the Controller to provide a reasonable export path for Personal Data covered by the Service, using the formats and product capabilities available at that time
- After any agreed export window, Personal Data will be deleted from active systems in accordance with the signed DPA and the documented retention schedule then in effect
- Residual copies in backups will age out through the normal backup or storage rotation cycle
10. Audits
Enterprise customers may request documentation demonstrating compliance with this DPA. Aro Cut will make relevant security documentation, certifications, and audit summaries available upon reasonable request. On-site audits may be arranged at the customer's expense with reasonable advance notice.
11. Governing Law
This DPA is governed by the same law as the Terms of Service. Where a specific regulation applies (such as GDPR for EU/EEA data subjects), the DPA is interpreted in accordance with the requirements of that regulation.
12. Contact
For DPA requests, questions, or data subject inquiries:
privacy@arocut.com