Skip to content
DATA PROCESSING AGREEMENT

ARCHETYPEID DATA PROCESSING AGREEMENT

  • Home
  • Legal
  • ARCHETYPEID DATA PROCESSING AGREEMENT
On This Page
Effective Date: April 9, 2026

Version: 26.1.0

This Data Processing Agreement (the “DPA”) constitutes an integral part of all agreements between Customer (as defined in the Master Subscription Agreement, Software as a Service Agreement, or otherwise identified on the signature block below) and Sparky AI, Inc. d/b/a ArchetypeID (the “Processor” or “ArchetypeID”), a Georgia corporation with offices at 235 Mitchell St. SW, Atlanta, GA 30303 (collectively the “Agreement”), and reflects the Parties’ agreement with respect to the Processing of Controller Data.

In providing the Services to Customer pursuant to the Agreement, ArchetypeID may Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions, each acting reasonably and in good faith. This DPA supplements the Agreement and, in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA prevail with regard to the specific subject matter herein.

1. DEFINITIONS

Any capitalized terms used but not defined in this DPA shall have the meaning provided in the Agreement.

  • “Applicable Data Protection Law” means (a) all data protection laws and regulations applicable to the European Economic Area and Switzerland, including the General Data Protection Regulation 2016/679 (“GDPR”) and the revised Swiss Federal Act on Data Protection (FADP); (b) the UK Data Protection Act of 2018 and the UK GDPR; (c) California Privacy Law; and (d) any other laws and regulations applicable to Processor’s Processing of Controller Data under the Agreement.
  • “California Privacy Law” means the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and any implementing regulations.
  • “Controller” means Customer.
  • “Controller Data” means any Personal Data Processed by Processor on behalf of Customer pursuant to or in connection with the Agreement.
  • “Personal Data” means any information relating to an identified or identifiable natural person that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular natural person or household.
  • “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means.
  • “Processor” means Sparky AI, Inc. d/b/a ArchetypeID and its Affiliates, which Processes Personal Data on behalf of the Customer, and to the extent applicable, includes a “Service Provider” as defined under California Privacy Law.
  • “Sub-processor” means any third-party data processor engaged by Processor, who receives Personal Data from Processor for processing on behalf of Controller in accordance with Controller’s instructions.

2. PURPOSE

Controller and Processor have entered into the Agreement pursuant to which Controller is granted a right to access and use the Services. The Parties are entering into this DPA to ensure that the Processing by Processor of Controller Data is done in a manner compliant with Applicable Data Protection Law.

3. AUTHORITY AND ROLES

  • 3.1 Roles of the Parties. Customer is the Controller and ArchetypeID is the Processor acting on behalf of Customer. For purposes of California Privacy Law, ArchetypeID will act as a Service Provider. ArchetypeID will only use Controller Data to provide the Services and will not collect, retain, use, sell, disclose, or otherwise process any Controller Data for any purpose other than providing the Services. Notwithstanding the foregoing, Controller acknowledges that Processor shall have a right to Process Personal Data in relation to the support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, and product development; provided, however, that any Controller Data utilized for product development, artificial intelligence (AI) model training, or algorithmic improvement must be strictly aggregated and de-identified so that it cannot be linked to any individual Data Subject or the Customer. Processor expressly shall not use Controller Data for its own third-party sales or marketing purposes.
  • 3.2 Controller’s Instructions. Customer represents and warrants that it has complied with Applicable Data Protection Law in respect of its Processing of Controller Data and has obtained all consents necessary for Processor to process Controller Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Controller Data.

4. OBLIGATIONS OF PROCESSOR

  • 4.1 Confidentiality. Processor will restrict access to Controller Data to its personnel who need access to meet Processor’s obligations. Processor shall take commercially reasonable steps to ensure the reliability and confidentiality of such personnel.
  • 4.2 Disclosure to Third Parties. Processor will not disclose Controller Data to third parties except as permitted by this DPA or the Agreement, or as required by a competent governmental authority (in which case Processor will provide Customer with prior written notice to the extent legally permissible).
  • 4.3 Retention. Processor will retain Controller Data only for as long as necessary for the Permitted Purpose or as required by law. Upon Customer’s written request or termination of the Agreement, Processor will either destroy or return the Controller Data to Customer.
  • 4.4 Data Subject Requests. Processor shall, to the extent legally permitted, promptly notify Controller in writing of any complaints, questions, or requests received from Data Subjects or Regulators. Processor will provide commercially reasonable assistance to Controller to facilitate the fulfillment of Data Subject rights requests (e.g., access, deletion, correction).
  • 4.5 Security. Processor will implement and maintain appropriate technical, physical, and administrative measures to protect Controller Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (a “Data Security Breach”), utilizing state-of-the-art encryption and zero-trust architectures where applicable.

5. DATA BREACH

If Processor becomes aware of any Data Security Breach impacting Controller Data, Processor will promptly notify Customer without undue delay, and in no event later than seventy-two (72) hours after confirmation. Processor will investigate the Data Breach, provide Customer with relevant information, and take reasonable steps to mitigate the effects.

6. AUDITS

Customer may audit Processor’s compliance with this DPA up to once per calendar year. Such an audit will be conducted by an independent third party reasonably acceptable to Processor. Customer must submit a detailed proposed audit plan at least thirty (30) business days in advance. The audit must be conducted during normal business hours and Customer shall bear the costs of such audit unless a material breach is discovered.

7. USE OF SUB-PROCESSORS

  • 7.1 General Consent. Customer acknowledges and agrees that Processor may appoint Sub-processors to assist it in providing the Services, provided that such Sub-processors are bound by written agreements requiring them to protect Controller Data to a standard consistent with this DPA.
  • 7.2 Sub-processor List. The current roster of approved Sub-processors is located at https://archetypeid.ai/legal/sub.
  • 7.3 Objection to New Sub-Processors. Processor will provide notice of any new Sub-processor via updates to the URL above. Customer may object to a new Sub-processor within ten (10) days based on reasonable data protection grounds. If the parties cannot resolve the objection within sixty (60) days, Customer may discontinue the use of the affected Services.

8. INTERNATIONAL TRANSFERS

To the extent Customer’s use of the Services involves a Restricted Transfer of Controller Data originating from the EEA, Switzerland, or the UK to a country not recognized as providing an adequate level of protection, the Parties agree that the applicable Standard Contractual Clauses (SCCs) approved by the European Commission, the Swiss FDPIC, and/or the UK Information Commissioner’s Office (ICO) shall be incorporated by reference and apply to such transfers, with Customer as the “Data Exporter” and ArchetypeID as the “Data Importer.”

9. LIMITATION OF LIABILITY

Each Party’s liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Master Services Agreement (MSA).

10. MISCELLANEOUS

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement. This DPA may be executed in counterparts. If any provision is deemed invalid or unenforceable, the remaining provisions shall remain in full force and effect.

 

IN WITNESS WHEREOF, the Parties have executed this DPA as of the Effective Date of the Agreement.

 

PROCESSOR: Sparky AI, Inc. d/b/a ArchetypeID

 

By: __________________________________ 

Name: Theodore Tagalakis Title: 

Chief Executive Officer

 

CONTROLLER (CUSTOMER):

 

By: __________________________________ Name: Title:

 

SCHEDULE 1 – DETAILS OF PROCESSING

Categories of Data Subjects: The personal data transferred concern the following categories of Data Subjects: Authorized Users of the Customer’s account; employees, contractors, or agents of the Customer; and individuals whose data is explicitly uploaded by the Customer into the ArchetypeID platform for the purpose of generating Virtual Twins or Synthetic Focus Groups.

 

Types of Personal Data Transferred: Account registration data (name, business email, IP address, login credentials). If Customer explicitly uploads external datasets to utilize the Services, data may include demographic information, behavioral traits, survey responses, or other text/multimodal inputs determined solely by the Controller. (Note: Processor’s Acceptable Use Policy strictly prohibits Controller from uploading data to create unauthorized digital replicas of specific, identifiable living individuals).

 

Nature and Purpose of Processing: Processor will Process Controller Data solely to provide the behavioral simulation, analytics, and platform Services pursuant to the Agreement, and to provide technical support and account management. Any utilization of data for proprietary AI model training or optimization will be strictly aggregated and de-identified.

 

Duration of the Processing: The Term of the Agreement, plus the period from the expiry of such Term until the secure deletion of all Controller Data by the Processor in accordance with this DPA.

SOC 2 Type II Certified

GDPR Compliant

CCPA Compliant

ISO 27001 Foundation

Legal Documents

Privacy Policy

PDF • 2.4 MB

Terms of Service

PDF • 1.8 MB

DPA

PDF • 3.1 MB

Cookie Policy

PDF • 0.9 MB