Legal & Compliance

Data Processing Agreement — your data, formalised.

Enterprise clients who upload site intelligence or personal data to VIGIL are entitled to a signed Data Processing Agreement. This page explains what the DPA covers, who needs one, and how to execute it.

Template Version: 1.0 · July 2026 · GDPR Art. 28 Compliant · India DPDP Act Compliant · Singapore PDPA Aligned

Core Commitment

Client data belongs to the client. The DPA formalises that relationship in law — defining what ARRC Global holds, why, for how long, and under what conditions. It is not a formality. It is the document that makes the relationship auditable.

01 What Is a DPA

The legal instrument explained

A Data Processing Agreement (DPA) is a legally binding contract between a data controller — the organisation that determines why and how personal data is processed — and a data processor — the organisation that processes that data on the controller's behalf.

When an enterprise client uses VIGIL, the client is the data controller. ARRC Global is the data processor. The DPA governs that relationship, specifying the nature, purpose, and duration of processing; the types of data involved; the technical and organisational security measures in place; and the rights and obligations of each party.

Why this matters beyond legal compliance. A signed DPA is the instrument that gives a client's legal and procurement team confidence that data handling has been formally agreed, not just stated in a policy. It is the difference between a trust signal and a legal commitment. Enterprise procurement cannot proceed without it in most regulated sectors.

02 Who Needs One

When a DPA is required

A DPA is required — legally or practically — in the following circumstances:

  • GDPR (EU/EEA/UK). Mandatory under Article 28 of the General Data Protection Regulation whenever a controller engages a processor to handle personal data. Failure to have a signed DPA is itself a GDPR compliance breach, regardless of how the underlying data is handled.
  • India DPDP Act 2023. Required where a Data Fiduciary engages a Data Processor to process personal data of Indian residents. ARRC Global operates as a Data Processor in this relationship when processing data uploaded by client organisations.
  • Enterprise procurement policy. Most enterprise organisations — regardless of jurisdiction — require a signed DPA from SaaS vendors as a standard procurement control, even where no specific law mandates it.
  • Regulated sector clients. Financial services, critical national infrastructure, healthcare, and government-adjacent organisations universally require DPAs as a condition of vendor approval.
  • Any client uploading personal data. If your use of VIGIL involves uploading or processing any data that identifies or could identify individuals — including personnel lists, site contact information, or workforce data — a DPA should be in place.

If you are uncertain whether your use of VIGIL requires a DPA, the answer is almost certainly yes. Contact us and we will confirm.

03 What It Covers

Key provisions in the VIGIL DPA

  • Subject matter & purpose. Defines exactly what data ARRC Global processes on the client's behalf and for what purpose — limited to delivery of the VIGIL platform service.
  • Data categories. Specifies the types of personal data covered — account data, platform user data, and any personal data within client-uploaded intelligence materials.
  • Processing instructions. ARRC Global processes data only on documented instructions from the client. Processing outside those instructions requires explicit written authorisation.
  • Security measures. Documents the technical and organisational measures in place — encryption, access controls, MFA, audit logging, VAPT programme, and incident response obligations.
  • Sub-processors. Lists all sub-processors engaged by ARRC Global. Clients are notified of changes. No new sub-processor is engaged without client opportunity to object.
  • Data subject rights. Defines how ARRC Global assists the client in responding to data subject rights requests — access, correction, deletion, portability, and objection.
  • International transfers. Documents the cross-border data transfer framework — including EU Standard Contractual Clauses where applicable — for data processed on Hetzner infrastructure in Germany.
  • Retention & deletion. Specifies retention periods and the deletion process on subscription termination — default 30 days, with confirmation of deletion provided to the client on request.
  • Breach notification. ARRC Global notifies the client without undue delay — and within 72 hours where feasible — of any confirmed breach affecting the client's personal data.

Provision | VIGIL DPA Position
Data hosting location | Germany (EU) — Hetzner Online GmbH. Data does not leave EU infrastructure without explicit client instruction.
Third-party AI processing | None. All AI processing is in-house on ARRC Global infrastructure. Contractually confirmed in the DPA.
Sub-processor changes | 30 days' written notice. Client right to object before change takes effect.
Audit rights | Client may request audit of ARRC Global's data processing activities with reasonable notice. ARRC Global may satisfy audit requests by providing VAPT reports or relevant certification documentation.
Standard Contractual Clauses | EU SCCs (Module 2: Controller to Processor) incorporated by reference where applicable.
Governing law | Laws of India. Disputes resolved by SIAC arbitration, Singapore seat.

04 Download & Execute

Get the DPA template

ARRC Global's standard DPA template is available for download below. It is pre-populated with ARRC Global's standard terms and infrastructure details. Client-specific fields — organisation name, contact details, specific data categories, and retention periods — are marked for completion.

Standard Template · Version 1.0 · July 2026
VIGIL Data Processing Agreement
Microsoft Word format (.docx). Complete the highlighted fields, sign, and return both copies to contact@arrcglobal.com. ARRC Global will countersign and return the executed copy within 5 business days.

Using your own DPA template? Many enterprise organisations prefer to use their own standard vendor DPA. We will review your template and respond within 10 business days. Where your template is substantially consistent with our standard terms, we will execute it without material amendment. Where it diverges on points of substance, we will respond with tracked-change markup and a short explanation. Contact contact@arrcglobal.com to begin that process.

05 Process

From request to executed agreement

01 Download or request the template
Download the standard DPA template from this page, or email contact@arrcglobal.com with subject line "DPA Request — VIGIL" if you prefer to submit your own template or have questions before proceeding.

02 Complete client-specific fields
Fill in your organisation name, registered address, data protection contact, the categories of personal data you will upload, and any specific retention requirements that differ from the standard 30-day post-termination default.

03 Sign and return two copies
Sign both copies (wet signature or qualified electronic signature accepted) and return to contact@arrcglobal.com. PDF or scanned original is acceptable for the initial exchange; originals may be requested for specific regulated sectors.

04 ARRC Global countersigns
We will countersign and return the fully executed copy within 5 business days. The effective date is the date of the later signature. We will confirm receipt of your documents within 2 business days of receiving them.

05 Archive and proceed
Both parties retain the executed copy. The DPA remains in force for the duration of the subscription and governs all personal data processing during that period. We recommend your DPA is stored with your other vendor compliance records.

06 Bespoke DPAs

When our standard template is not sufficient

Some enterprise clients — particularly those in financial services, critical national infrastructure, or government-adjacent sectors — have procurement requirements that go beyond our standard DPA template. We accommodate these on a case-by-case basis.

  • Sector-specific addenda. For clients operating under specific regulatory frameworks (MAS TRM, Saudi NCA, Australian Essential Eight), we can discuss addenda that address sector-specific data handling requirements.
  • Extended audit rights. Clients requiring on-site audit rights or more detailed audit reporting can negotiate these provisions. We will be transparent about what we can accommodate and what we cannot, and why.
  • Data residency requirements. Clients with documented data residency requirements — for example, requirements that data not leave a specific country or region — should raise this at the commercial discussion stage. We will confirm what can be accommodated technically.
  • Extended retention terms. If your organisation's record-keeping obligations require data retention beyond the standard 30-day post-termination deletion period, this can be specified in the DPA.

All bespoke DPA negotiations begin with a review of your requirements. Contact us with a clear description of what your procurement team needs, and we will respond with our position within 10 business days.

07 Contact

DPA enquiries & execution

Data Processing Agreement Contact
Subject: DPA Request — VIGIL · [your organisation name]
Entity: Anshin Risk and Resilience Consulting Private Limited · Trading as ARRC Global
Address: Pune, Maharashtra, India
Response: Receipt confirmed within 2 business days · Countersigned DPA returned within 5 business days