Artivex — Data Processing Agreement

01

Introduction

This Data Processing Agreement ("DPA") supplements and forms part of the Artivex Terms of Service between Corners Sverige AB ("Artivex", "Processor") and the Customer ("Controller").

This DPA applies when the Customer uses the Artivex Platform to process personal data on behalf of data subjects — for example, when building a CRM that stores client contact details, an HR tool storing employee records, or any System in which personal data of third parties is stored or processed.

This DPA is entered into to ensure that processing activities comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection laws.

When does this DPA apply? This DPA applies whenever you use Artivex to build or operate a System that stores or processes personal data belonging to your customers, employees, leads, or other individuals. If you are only using Artivex to build internal tools with no personal data, this DPA is not required but is available on request.

02

Definitions

Controller The Customer — the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor Artivex / Corners Sverige AB — the entity that processes personal data on behalf of the Controller under this DPA.
Personal Data Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
Processing Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Sub-processor Any third party engaged by Artivex that processes personal data on behalf of the Controller as part of delivering the Platform services.
Data Subject The natural person to whom the personal data relates.
Supervisory Authority The public authority responsible for monitoring the application of the GDPR. For Artivex: the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten — IMY).
Standard Contractual Clauses (SCCs) The contractual clauses adopted by the European Commission to facilitate lawful transfers of personal data to third countries.

03

Scope and Purpose

Artivex processes personal data only as a data processor, acting on the documented instructions of the Customer (Controller). We do not determine the purposes or means of processing personal data within Customer Systems — that is the Customer's responsibility as Controller.

The subject matter of processing under this DPA is the operation of Customer-generated Systems on the Artivex Platform, including:

Storing and retrieving data entered into Customer System entities and fields
Executing Customer-configured workflows and automations
Processing data through AI steps as configured by the Customer
Serving Customer System interfaces to authorised end users
Providing API and MCP access to Customer System data as authorised by the Customer

The Customer is responsible for ensuring that any personal data they store in their Artivex Systems has a lawful basis for processing under GDPR, and that data subjects have been informed of the processing where required.

04

Categories of Data Subjects

The personal data processed under this DPA may relate to the following categories of data subjects, depending on the Customer's use case:

The Customer's employees and contractors
The Customer's clients and customers
The Customer's prospects and leads
The Customer's suppliers and partners
Any other individuals whose data the Customer chooses to store in their Artivex-generated Systems

The Customer, as Controller, is responsible for determining which categories of data subjects are involved in their specific use case and ensuring appropriate notices and consents are in place.

05

Types of Personal Data

The types of personal data processed under this DPA are determined by the Customer's System configuration. They may include:

Identity data: names, job titles, company names
Contact data: email addresses, phone numbers, postal addresses
Business data: purchase history, deal values, notes, correspondence
Operational data: task assignments, approval statuses, workflow records
Any other data the Customer elects to store in their System entities and fields

Special category data: Artivex does not knowingly facilitate the processing of special category personal data (GDPR Article 9) — including health data, biometric data, racial or ethnic origin, political opinions, or religious beliefs. If your use case involves special category data, please contact david@artivex.io before proceeding. Additional safeguards and explicit consent will be required.

06

Duration

This DPA is effective from the date the Customer first processes personal data through the Platform and remains in force for the duration of the service agreement between the parties.

Upon termination or expiry of the service agreement, the obligations of this DPA with respect to data security, confidentiality, and deletion continue until all personal data has been deleted or returned in accordance with Section 14.

07

Obligations of Artivex (Processor)

Artivex undertakes to:

Follow instructions: Process personal data only on the Customer's documented instructions. If Artivex is required by EU or Member State law to process personal data for other purposes, we will inform the Customer unless prohibited by law.
Confidentiality: Ensure that all personnel authorised to process personal data are bound by confidentiality obligations (whether contractual or statutory).
Security: Implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access — as detailed in Section 8.
Sub-processors: Only engage sub-processors under written agreements that impose equivalent data protection obligations. See Section 9.
Assist with GDPR obligations: Taking into account the nature of the processing, assist the Customer in fulfilling obligations to respond to data subject requests, conduct data protection impact assessments (DPIAs) where required, and comply with breach notification requirements.
Deletion or return: At the Customer's choice, delete or return all personal data on termination of services, and delete existing copies unless retention is required by applicable law — as detailed in Section 14.
Demonstrate compliance: Make available all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits as described in Section 13.
Notify of non-compliance: Immediately inform the Customer if, in Artivex's opinion, an instruction from the Customer would violate the GDPR or applicable data protection law.

08

Security Measures

Artivex implements the following technical and organisational security measures to protect personal data processed through the Platform:

Encryption at rest All data stored in the Platform database is encrypted at rest using database-level encryption via Supabase.

Encryption in transit All data transmitted between clients and the Platform, and between Platform components, is encrypted using TLS 1.2 or higher.

Tenant isolation Row-level security (RLS) is enforced at the database layer. No cross-tenant data access is architecturally possible.

Credential encryption Integration credentials and API keys stored by Customers are encrypted at rest and never exposed in plain text.

Access controls Role-based access control (RBAC) and per-entity permissions govern which users can read, write, or delete data within each System.

Audit logging All data access, modifications, and workflow executions are logged with timestamps and user identifiers.

MCP token scoping MCP tokens issued for AI agent access are scoped per-entity with configurable read/write permissions. Tokens can be revoked at any time.

Security assessments Regular security reviews of the Platform architecture and sub-processor security posture.

These measures are reviewed and updated as the Platform evolves and as new threats are identified.

09

Sub-processors

Artivex engages the following sub-processors to deliver the Platform. Each sub-processor is bound by a data processing agreement with Artivex that imposes equivalent data protection obligations.

Name	Purpose	Location
Supabase	Database hosting and storage — primary data store for all Build data, System data, and account data	EU (Ireland) EU
Stripe	Payment processing — handles all financial transactions and subscription management	US / EU SCC
Resend	Transactional email delivery — sends system notifications, password resets, and alerts	US SCC
Vercel	Application hosting and deployment — hosts Customer Systems and Platform frontend	Global (edge) SCC
Anthropic	AI step processing — processes data from AI workflow steps using Claude models, when configured by the Customer	US SCC
OpenAI	AI step processing — processes data from AI workflow steps using GPT models, when configured by the Customer	US SCC

EU — Data stored in EU. SCC — Transfer governed by Standard Contractual Clauses.

Artivex will notify the Customer of any intended changes to the sub-processor list, including additions or replacements, with at least 30 days notice by email. The Customer may object to a sub-processor change within 14 days of notification by contacting david@artivex.io. If an objection cannot be resolved, either party may terminate the affected services with 30 days written notice.

10

International Transfers

Artivex's primary data storage is in the EU (Supabase, EU-West-1, Ireland). All processing that occurs in the EU remains within the EU.

Where sub-processors are located outside the European Economic Area (EEA) — including Stripe, Resend, Vercel, Anthropic, and OpenAI — data transfers are governed by one of the following mechanisms:

Standard Contractual Clauses (SCCs): The European Commission's approved SCCs (2021 version) are incorporated into Artivex's agreements with US-based sub-processors where required.
Adequacy decisions: Where the European Commission has adopted an adequacy decision for the recipient country, that decision governs the transfer.

Customers who require copies of the specific SCCs in place with any sub-processor may request them by contacting david@artivex.io.

11

Data Breach Notification

In the event that Artivex becomes aware of a personal data breach (as defined in GDPR Article 4(12)) affecting Customer personal data, Artivex will:

Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach
Report the breach to the Swedish supervisory authority (IMY) within 72 hours as required under GDPR Article 33

The notification to the Customer will include, to the extent available at the time:

The nature of the personal data breach
The categories and approximate number of data subjects affected
The categories and approximate number of personal data records affected
The likely consequences of the breach
The measures taken or proposed by Artivex to address the breach and mitigate its possible adverse effects

The Customer, as Controller, is responsible for determining whether notification to individual data subjects is required under GDPR Article 34, and for making any such notifications.

12

Data Subject Requests

Artivex provides tools within the Platform to assist the Customer in responding to data subject requests, including:

Data export: ability to export all records in a System entity
Record deletion: ability to delete individual records from Customer Systems
Record correction: ability to update any field in any record

The Customer, as Controller, is responsible for:

Receiving and assessing data subject requests
Using the Platform tools to fulfil valid requests within the GDPR-mandated timeframe (30 days, extendable to 90 days for complex requests)
Communicating the outcome to the data subject

If a data subject contacts Artivex directly with a request relating to data stored in a Customer System, Artivex will redirect the request to the Customer within 5 business days without acting on it unilaterally.

13

Audit

The Customer may conduct audits of Artivex's compliance with this DPA, subject to the following conditions:

The Customer provides at least 30 days written notice prior to any audit
Audits are conducted during normal business hours and in a manner that does not unreasonably disrupt Artivex's operations
Audits are conducted no more than once per calendar year, unless a specific breach or compliance concern warrants an additional review
The Customer bears the reasonable costs of any audit conducted at Customer request

Artivex will provide reasonable cooperation with the audit, including access to relevant documentation, policies, and security assessment reports.

As an alternative to a direct audit, Artivex may provide the Customer with up-to-date third-party audit reports, certifications, or summaries of security assessments, where available.

14

Termination

On termination or expiry of the service agreement between the parties:

Artivex will, at the Customer's choice, either delete or return all personal data in the Customer's Systems within 30 days
Artivex will delete all existing copies of the personal data, unless retention is required by applicable EU or Swedish law
Artivex will provide a written confirmation of deletion to the Customer on request
The Customer may request a full data export before termination is effective to retain their own copy

If no instruction is received from the Customer within 30 days of termination, Artivex will delete all Customer data as its default course of action.

15

Liability

Liability under this DPA is subject to the limitations set out in the Artivex Terms of Service.

Each party is liable for damages caused by processing that infringes the GDPR to the extent they are responsible for such infringement under GDPR Article 82.

Artivex will not be liable for any claims arising from the Customer's failure to comply with their own obligations as Controller under the GDPR, including but not limited to failure to establish a lawful basis for processing, failure to notify data subjects, or failure to respond to valid data subject requests.

16

Governing Law

This DPA is governed by and construed in accordance with the laws of Sweden, consistent with the Terms of Service.

Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the Swedish courts, unless otherwise required by applicable data protection law.

17

Contact

To request a signed copy of this DPA, to exercise rights under this DPA, or for any data protection enquiries:

Processor: Corners Sverige AB (trading as Artivex)
Email: david@artivex.io
Website: artivex.io

Supervisory authority for complaints: Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten — IMY), imy.se.