Data Processing Agreement.
How this works. This Data Processing Agreement (“DPA”) is incorporated by reference into Aria Trove’s Terms of Service. By using the Aria Trove service to process personal data of your clients, prospects, recipients, or other data subjects (the “Customer Data”), you (the “Customer”) agree to this DPA. Aria Trove (“we”, “us”, “Processor”) signs it on your behalf via this published, version-controlled form. If your organisation requires a counter-signed copy or additional terms (e.g. lead-supervisory-authority designation, additional sub-processor restrictions, public-sector contractual flow-downs), email privacy@ariatrove.com.
1. Parties and roles
For the purposes of GDPR Article 28 and equivalent provisions of the UK GDPR, Swiss FADP, California CCPA / CPRA, and other applicable data protection laws (“Data Protection Laws”):
- Customer — the entity that has accepted Aria Trove’s Terms of Service — is the Controller for any personal data the Customer uploads to, processes through, or stores in the service.
- Aria Trove — operated by DK Productions IKE, Athens, Greece — is the Processor acting on the Customer’s documented instructions.
For Customer’s own account-holder data (the user’s name, email, billing details, login credentials), Aria Trove is the Controller and that processing is governed by our Privacy Policy, not this DPA.
2. Subject matter and duration
The subject matter of the processing is the operation of the Aria Trove proposal-software service for the Customer. The duration of the processing is the term of the underlying Terms of Service plus the deletion-window described in Section 9 below.
3. Nature and purpose of processing
Aria Trove processes Customer Data to:
- store proposals, templates, packages, services, and uploaded media in the Customer’s workspace;
- render proposals on public URLs the Customer chooses to share, including engagement tracking;
- send transactional email notifications (proposal sent, viewed, accepted) on the Customer’s behalf;
- compute pricing, taxes, and deposits per the Customer’s configuration;
- provide customer support when requested;
- keep encrypted backups for service continuity.
4. Categories of data subjects
The data subjects whose personal data may be processed include:
- the Customer’s clients, prospects, and lead recipients of proposals;
- signatories who accept proposals (name, email, optional company, signature timestamp + IP);
- commenters and reviewers who interact with shared proposals;
- any further data subjects whose personal data the Customer chooses to upload (for example, photographs of a wedding couple, names listed in a deliverables block).
5. Categories of personal data
The categories of personal data processed under this DPA include:
- contact details (name, email, optional phone);
- company affiliation (where included by the Customer);
- proposal content uploaded by the Customer (which may include photographs, names, project descriptions);
- engagement data (page views, scroll depth, dwell time, signed acceptance, IP-derived approximate location, hashed IP);
- any further category the Customer chooses to upload.
Customer must not upload special categories of personal data (Article 9 GDPR — health, biometric, religious, etc.) without first contacting Aria Trove. Aria Trove’s service is not configured for special-category processing and additional safeguards may be required.
6. Customer’s instructions
Aria Trove will process Customer Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by Union or Member State law. The Customer’s acceptance of the Terms of Service plus its day-to-day use of the service constitutes documented instructions; specific written instructions issued via privacy@ariatrove.com override conflicting in-product behaviour where reasonably implementable.
7. Confidentiality
Aria Trove ensures that the personnel authorised to process Customer Data are bound by appropriate confidentiality obligations and that access is limited to those individuals who require it for the operation, support, or security of the service.
8. Security (Article 32)
Aria Trove implements appropriate technical and organisational measures to protect Customer Data, including:
- TLS 1.2+ for all data in transit;
- scram-sha-256 authentication on the database;
- encrypted off-host backups using age+zstd; the decryption key is held only by the Customer-facing operator and never stored on production infrastructure;
- per-process secret isolation; production secrets stored mode-600 on the host, excluded from build context;
- egress proxy enforcing an outbound denylist (cloud metadata IPs, RFC1918, bare-hostname targets, multi-tenant bucket patterns);
- rate limiting on authentication, application, and proposal-event endpoints;
- statement timeouts and idle-in-transaction timeouts on the database to bound runaway queries;
- row-level tenancy enforcement via a Prisma client extension that injects workspaceId on every read and write.
This list is illustrative, not exhaustive. The current state of the security programme is described publicly in the project’s Tier 2 record (operational security ledger).
9. Sub-processors
Customer authorises Aria Trove to engage the following sub-processors. Aria Trove will give at least 14 days’ notice before adding or replacing any sub-processor (by updating this list and emailing the Customer’s billing contact); the Customer may object on reasonable data-protection grounds and, if the issue cannot be resolved, terminate the affected service.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (application + database) | Germany / Finland (EU) |
| Cloudflare, Inc. | DNS, registrar, edge proxy (when enabled) | United States — EU SCCs |
| Stripe Payments Europe Ltd. | Subscription billing | Ireland (EU) |
| Resend, Inc. | Transactional email delivery | United States — EU SCCs |
| Backblaze, Inc. | Encrypted off-host database backups | United States — encrypted with key held only by us |
| MaxMind, Inc. | Offline IP→city/country lookup | United States — only an offline file is downloaded; no IPs leave our servers |
| Anthropic, PBC | AI-assisted document parsing for the optional “Stylize” doc-import feature; only invoked when the Customer explicitly uploads a document and chooses Stylize | United States — EU SCCs and the EU–US Data Privacy Framework |
Each sub-processor is bound by data-protection terms substantially equivalent to those in this DPA (their published DPA, executed by Aria Trove). Aria Trove remains liable to the Customer for the acts and omissions of its sub-processors as it is for its own.
10. Data subject rights assistance
Aria Trove will assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling Customer’s obligations to respond to data-subject requests under Articles 15–22 GDPR (and equivalent rights under other Data Protection Laws). Most requests can be fulfilled by the Customer directly: the in-product self-serve export, deletion, and rectification surfaces cover the standard cases. For requests Aria Trove must execute on the Customer’s behalf, email privacy@ariatrove.com.
11. Personal data breach notification
Aria Trove will notify the Customer of any personal data breach affecting Customer Data without undue delay and no later than 24 hours after becoming aware of it, with the information needed for the Customer to meet its 72-hour regulatory notification obligation under Article 33 GDPR. Notification is via email to the Customer’s billing-contact address on file.
12. International data transfers
Where Customer Data is transferred to a sub-processor located outside the European Economic Area, the United Kingdom, or Switzerland, Aria Trove relies on:
- the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) using the appropriate module, supplemented where required by the UK Information Commissioner’s International Data Transfer Addendum;
- where the recipient self-certifies, the EU–US Data Privacy Framework and its UK Extension;
- any successor mechanism designated by the European Commission, the UK ICO, or the Swiss FDPIC.
A copy of the executed SCCs in place with any sub-processor is available on written request.
13. Audit rights
Aria Trove will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR. The Customer may request, no more than once per twelve-month period and on reasonable advance notice, an audit of Aria Trove’s processing of Customer Data. Aria Trove may satisfy this obligation by sharing the results of relevant third-party audits or certifications when available; if those do not address the Customer’s specific concern, an on-site or remote audit will be scheduled at a mutually agreeable time, subject to confidentiality and reasonable cost-sharing.
14. Deletion or return on termination
On termination of the underlying Terms of Service, Aria Trove will delete or return all Customer Data in its production systems within 30 days at the Customer’s choice. Encrypted off-host backups containing Customer Data may persist for up to a further 30 days as part of the rolling retention cycle and will be overwritten on the standard rotation. Records that Aria Trove is required by law to retain (e.g. invoices for tax compliance) are retained for the legally required period and segregated from Customer Data.
15. Liability
The liability provisions of the underlying Terms of Service apply to this DPA. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Data Protection Laws.
16. Order of precedence
To the extent of any conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning the protection of personal data. Nothing in this DPA affects the parties’ respective rights and obligations under the Data Protection Laws themselves, which prevail over both documents.
17. Changes
Aria Trove may update this DPA to reflect changes in Data Protection Laws, sub-processors, or its security programme. Material changes will be communicated to the Customer’s billing contact at least 14 days before they take effect. The Customer may terminate the service if it does not accept the change.
18. Contact
For privacy-related operational requests under this DPA: privacy@ariatrove.com. For security-related notifications: security@ariatrove.com. Postal: DK Productions IKE, Athens, Greece.
Signature. This DPA is pre-signed by Aria Trove. The Customer signs by accepting the Terms of Service that incorporate it. No further action is required for the agreement to be binding. If you require a counter-signed PDF for your records, request one at privacy@ariatrove.com.