Arioon
Draft pending legal review. These pages reflect our current practices and the legal framework we're committing to. Final wording is being reviewed by counsel; expect minor changes before final adoption. Last review: 15 January 2026.

Data Processing Agreement

Effective 15 January 2026 · Version 2026-01-15

Who this applies to: Customers (Controllers) who use Arioon (Processor) to process personal data of their own end users. Available on all paid tiers. Enterprise customers may negotiate an executed version with bespoke terms; contact legal@arioon.com.

1. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Sub-processor" have the meanings in the GDPR. "End User" means the natural person whose face image and skin assessment data is processed via your Arioon account.

2. Roles

With respect to your End Users' Personal Data submitted via the Arioon API or SDK, you are the Controller and Arioon is the Processor. With respect to your own account information, Arioon is the Controller (see Privacy Policy).

3. Subject matter and duration

  • Subject matter: provision of the Arioon skin analysis service.
  • Duration: for the term of the principal agreement (Terms of Service) plus the retention periods set out below.
  • Nature and purpose: automated skin analysis, generation of parameter scores, AI-generated recommendations, optional result delivery by email.

4. Categories of data and data subjects

  • Data subjects: Your End Users who submit face images for analysis.
  • Personal data categories: facial images (special category — biometric data under GDPR Article 9); skin parameter scores; tone classification (ITA); AI-generated recommendations; if provided, the End User's email address (for result delivery).

5. Processor obligations

  • Process Personal Data only on your documented instructions, including transfers to third countries, unless required by EU or member-state law (in which case we'll inform you, unless prohibited).
  • Ensure persons authorised to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see Section 8 below).
  • Assist you in fulfilling your obligations to respond to Data Subject rights requests.
  • Assist you with data protection impact assessments and prior consultations with supervisory authorities.
  • Delete or return all Personal Data after the end of the service term, unless EU/member-state law requires storage.
  • Make available all information necessary to demonstrate compliance and allow for audits (see Section 11).

6. Sub-processors

We use the sub-processors listed at /legal/sub-processors. You grant general authorisation for these and any future sub-processors we engage. We will inform you of intended changes (additions or replacements), giving you the opportunity to object on reasonable grounds. If you object and we cannot accommodate you, you may terminate the affected services.

We impose on each sub-processor the same data protection obligations as those set out in this DPA.

7. International transfers

Where Personal Data is transferred outside the European Economic Area, United Kingdom, or South Africa, we ensure adequate protection via Standard Contractual Clauses (SCCs) or equivalent mechanisms. The specific transfer mechanisms for each sub-processor are documented on the sub-processors page.

8. Security measures

Technical and organisational measures include:

  • TLS 1.2+ for all data in transit; private network isolation between services
  • Encryption at rest for the database and object storage
  • Principle of least privilege; role-based access control; separate authentication boundaries for client- and admin-facing systems
  • Hashed credentials (bcrypt cost 12); separate JWT signing secrets per audience
  • Backup, restore, and disaster-recovery procedures
  • Logged, audited access to production data; logging retained for security incident analysis
  • Vulnerability management, dependency scanning, and timely security patching

9. Data subject rights

We assist you in responding to End User requests to access, correct, delete, restrict, or port their Personal Data. For deletion requests, we will purge the relevant records within 14 days (some immutable backups may take up to 60 days to age out).

10. Breach notification

We notify you without undue delay (within 72 hours of becoming aware) of any Personal Data breach affecting your End Users' data, providing sufficient information to enable you to fulfil your own notification obligations.

11. Audits

You may audit our compliance with this DPA up to once per year on at least 30 days' notice. We will make available evidence of compliance (SOC reports, ISO certifications, where applicable) in preference to on-site audits. On-site audits may be subject to reasonable cost-recovery.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

13. Term and termination

This DPA is effective on the date of acceptance and remains in force for the term of the Terms of Service. On termination, we will, at your election, delete or return all Personal Data within 30 days, unless legal retention obligations apply.

14. Order of precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails on matters of data protection.