Legal
Data Processing Agreement
How this DPA is used. This page is the canonical published text of Aryamind's standard DPA for CarveTrace deployments. It applies automatically whenever Aryamind processes personal data on a Customer's behalf in connection with a CarveTrace Order Form / MSA. A signed PDF version is available on request from legal@aryamind.com for procurement files. Where a Customer's procurement requires a bilaterally-signed copy, we sign without negotiation any version that matches this published text verbatim ; substantive changes go through legal review.
1. Definitions
Capitalized terms not defined here have the meanings given in Regulation (EU) 2016/679 ("GDPR") or in the parties' Master Subscription Agreement ("MSA"). "Customer" means the organization that has entered into an MSA with Aryamind for CarveTrace. "Customer Personal Data" means Personal Data that Aryamind processes on Customer's behalf under the MSA. "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914, Module Two (controller-to-processor).
2. Roles
With respect to Customer Personal Data, Customer is the Controller and Aryamind is the Processor. Each party will comply with the obligations applicable to its role under applicable Data Protection Law.
3. Scope and subject-matter of processing
CarveTrace commercial software is self-hosted on Customer's infrastructure. As a result, in the ordinary operation of the product Aryamind does not have access to Customer Personal Data — Customer alone determines where the data is stored, who can access it, and how long it is retained.
Aryamind processes Customer Personal Data only in the limited circumstances described below. Annex I details the nature, purpose, duration, categories of data subjects, and categories of personal data for each.
- Pre-sales and contracting. Customer's representatives' business contact details and the content of pre-sales communications, as described in the Privacy Policy.
- Support sessions. When Customer chooses to share screen, share log excerpts, or send sample evidence files to Aryamind support to troubleshoot a deployment issue. Aryamind processes only what Customer chooses to share, only for the duration of the session, and deletes after issue closure unless Customer asks otherwise in writing.
- Optional remote-managed deployments. Where Customer engages Aryamind under a separate Statement of Work to operate the CarveTrace deployment on Customer's behalf. Annex I describes this case.
4. Customer's instructions
Aryamind processes Customer Personal Data only on Customer's documented instructions, including with regard to transfers, unless required by EU or Member-State law. Where Aryamind is required to process for a legal reason, it informs Customer of that requirement before processing, unless prohibited from doing so. The MSA, this DPA, and any executed Statement of Work together constitute Customer's complete and final instructions.
5. Confidentiality
Aryamind ensures that any person authorized to process Customer Personal Data is bound by a confidentiality obligation of at least equivalent scope to this DPA. As a SARL, Aryamind's personnel are bound by both written confidentiality clauses and by French employment-law confidentiality obligations.
6. Security measures
Aryamind implements and maintains the technical and organizational measures described in Annex II. These measures meet Art. 32 GDPR and may be updated from time to time, provided that the level of protection is not materially reduced. Aryamind notifies Customer of material reductions at least 30 days in advance.
7. Sub-processors
Aryamind may engage the sub-processors listed in Annex III. Where Aryamind adds a sub-processor, it gives Customer at least 30 days' prior written notice. Customer may object on reasonable data-protection grounds during that period ; if a resolution cannot be reached, Customer may terminate the MSA for the affected Service with a pro-rata refund of pre-paid unused fees.
8. Data subject requests
Because CarveTrace is self-hosted, data subject requests are routed by Customer using its own data-management tooling — Aryamind has no role in fulfilment for ordinary product use. For the limited cases where Aryamind holds Customer Personal Data (Sections 3.1–3.3 above), Aryamind, taking into account the nature of the processing, assists Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests for exercise of data subject rights. Where a data subject contacts Aryamind directly, Aryamind forwards the request to Customer within 5 business days and does not respond substantively without Customer's instruction.
9. Personal data breach
Aryamind notifies Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 48 hours of becoming aware. The notice includes, to the extent known, the nature of the breach, categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
10. Audit and information rights
On Customer's reasonable written request, Aryamind makes available the information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by Customer or another auditor mandated by Customer. To minimize disruption and protect other customers' confidentiality, Customer will, where possible, satisfy its audit right through Aryamind's most recent third-party assessment reports or by submitting a written audit questionnaire that Aryamind answers within 30 days. On-site audits are limited to once per 12-month period, conducted during business hours on no less than 30 days' prior written notice, at Customer's expense, and subject to reasonable confidentiality undertakings.
11. International transfers
Where Aryamind's processing of Customer Personal Data necessarily involves a transfer to a third country outside the EEA that does not benefit from an adequacy decision, the SCCs are incorporated into this DPA by reference and apply between the parties as if executed. The parties select Module Two (controller-to-processor), Option 1 / Option 2 docking clause unselected, Clause 9(a) Option 2 with 30 days' notice, Clause 11 redress option excluded, Clause 17 governed by the law of France, Clause 18 venue Paris, France. Annex I/II/III of the SCCs are populated by the corresponding annexes of this DPA. Aryamind has conducted, and on request will share with Customer, a Transfer Impact Assessment per the EDPB Schrems II guidance.
12. Deletion or return of personal data
On termination of the MSA, Aryamind deletes or returns, at Customer's choice, all Customer Personal Data it then holds within 30 days. Aryamind certifies deletion in writing on request. Aryamind retains a copy where required by applicable law (chiefly French accounting and tax law) ; such retained copies remain subject to this DPA's confidentiality and security obligations for the duration of retention.
13. Liability and changes
Each party's liability under this DPA is subject to the limitations in the MSA. Aryamind may update this DPA to reflect changes in law, regulator guidance, or Aryamind's processing arrangements. Material changes that reduce Customer protection require 30 days' notice and Customer's right to terminate the affected Service.
Annex I — Description of processing
| Aspect | Detail |
|---|---|
| Subject matter | Pre-sales and commercial relationship ; support of Customer's self-hosted CarveTrace deployment ; optional managed-deployment Statement of Work. |
| Duration | Term of the MSA plus retention periods required by law. |
| Nature and purpose | Pre-sales communication ; ad-hoc support triage ; managed-deployment operations where contracted. |
| Types of personal data | Customer representatives' business contact details ; content of communications ; in support triage, whatever Customer chooses to share — typically pseudonymized identifiers, log timestamps, hashes, configuration snippets. CarveTrace's wire format does not require Customer to share raw subject data. |
| Categories of data subjects | Customer representatives ; in support triage, indirectly, Customer's end users / employees / data subjects where Customer chooses to share their data. |
| Special categories | None expected. Customer must not share special-category data in support triage without prior written agreement. |
| Frequency | Ongoing for pre-sales / contract administration ; ad-hoc on demand for support triage. |
| Retention | Per Section 12 of this DPA and per the Privacy Policy's retention schedule. |
Annex II — Technical and organizational measures
- Encryption at rest (AES-256) for all systems holding Customer-correlated data.
- Encryption in transit (TLS 1.2+ minimum, TLS 1.3 preferred) for all external interfaces.
- Cryptographic key custody on FIPS-140-2-Level-3 HSMs or equivalent for the producer-signing keys used in product builds. Customer-side keys remain in Customer's custody at all times.
- Role-based access control with least-privilege defaults ; access reviews quarterly.
- Centralized identity provider with mandatory multi-factor authentication for all Aryamind personnel.
- Endpoint hardening (disk encryption, EDR, automated patching) on all Aryamind workstations.
- Separation of production / staging / development environments.
- Logging of all access to Customer-correlated data, retained for at least 12 months.
- Vulnerability management : continuous SCA, monthly dependency review, regression testing, third-party penetration test at least annually.
- Personal Data Breach response plan with 48-hour notification commitment (Section 9).
- Annual security training for all Aryamind personnel, with role-specific training for personnel handling Customer Personal Data.
- Documented incident response and business continuity procedures.
- Data-minimization design : the CarveTrace product itself is engineered to require neither raw subject data nor PII at the protocol layer — pseudonymized identifiers and hashes are sufficient. Support triage inherits this posture.
Annex III — Sub-processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | Static hosting (carvetrace.com, verify.carvetrace.com). | Global edge ; EU-resident processing where supported. | EU-Customer DPA + SCCs Module 2. |
| OVHcloud SAS | Business email (contact@, privacy@, legal@, security@, licensing@ aryamind.com). | France. | DPA + EU residency. |
| GitHub, Inc. | Source-code hosting and CI for open-source verifier components. | US. | Microsoft Customer DPA + SCCs Module 2. |
Sub-processors used solely for Aryamind's internal operations (accounting, payroll, legal advisors) and not in the processing of Customer Personal Data are listed separately in the Privacy Policy and are not part of the Sub-processor list under Section 7 of this DPA.