Legal

Data Processing Addendum

Last updated: June 7, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and BMI Studios LLC (“Processor,” operator of Archon Agents) for the provision of the Services. It governs the processing of personal data the Processor performs on behalf of the Controller. Where this DPA conflicts with the main agreement on data-protection matters, this DPA controls.

1. Roles and scope

The Controller determines the purposes and means of processing personal data submitted to the Services. The Processor processes such data only on documented instructions from the Controller, including as set out in the agreement and this DPA, except where required by applicable law. With respect to U.S. state privacy laws, the Processor acts as a “service provider” / “processor.”

2. Nature and purpose of processing

The Processor processes personal data to provide, operate, secure, and support the Archon platform and related services, including agent workflow execution, orchestration, model routing, approvals, reporting, and support. Details are set out in Annex I.

3. Confidentiality

The Processor ensures that personnel authorized to process personal data are bound by confidentiality obligations and receive appropriate data-protection training.

4. Security measures

The Processor maintains the technical and organizational measures described in Annex II, appropriate to the risk. The Processor does not sell personal data and does not use Controller personal data to train third-party foundation models.

5. Subprocessors

The Controller authorizes the Processor to engage subprocessors (for example, cloud hosting, model providers configured under the Controller’s instructions, analytics, and communications) to support delivery of the Services. The Processor imposes data-protection obligations on subprocessors no less protective than those in this DPA and remains responsible for their performance. A current subprocessor list is available on request, and the Processor will give notice of intended changes with a reasonable opportunity to object.

6. Data subject requests

Taking into account the nature of the processing, the Processor will provide reasonable assistance to enable the Controller to respond to data-subject requests to exercise their rights under applicable law.

7. Personal data breach

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller personal data, and will provide information reasonably available to assist the Controller’s breach-notification obligations.

8. International transfers

Where processing involves transfers of personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the applicable EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) by reference, which prevail in the event of conflict.

9. U.S. state privacy laws

When acting as a service provider/processor under the CCPA and similar U.S. state laws, the Processor will not sell or share personal data, will not retain, use, or disclose it for any purpose other than providing the Services (or as permitted by law), and will not combine it with data from other sources except as permitted. The Controller may take reasonable steps to ensure the Processor’s use is consistent with these obligations.

10. Government and third-party access requests

If the Processor receives a legally binding request from a public authority or third party to disclose Controller personal data, it will, unless legally prohibited, notify the Controller and seek to redirect the request to the Controller.

11. Audits

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, subject to reasonable confidentiality, security, and frequency conditions.

12. Return and deletion

Upon termination or expiry of the Services, the Processor will, at the Controller’s choice, delete or return Controller personal data, except where retention is required by law.

13. Liability and term

Each party’s liability under this DPA is subject to the limitations of liability in the main agreement. This DPA takes effect on the effective date of the agreement and remains in force for as long as the Processor processes Controller personal data.

Annex I — Details of processing

  • Categories of data subjects: the Controller’s personnel, customers, prospects, and other individuals whose data the Controller connects to the Services.
  • Categories of personal data: identifiers and contact data, professional/business data, communications content, and any other data the Controller chooses to process through the Services.
  • Special categories: not intended; processed only if the Controller chooses to include such data.
  • Purpose: provision, operation, security, and support of the Services as instructed by the Controller.
  • Duration: for the term of the agreement and until return/deletion under Section 12.

Annex II — Technical and organizational measures

  • Access controls and least-privilege permissions; credentials held outside prompts and scoped to authorized tools.
  • Encryption of data in transit; encryption at rest where supported by the underlying infrastructure.
  • Network controls, logging, and monitoring of agent actions with source, approver, and timestamp.
  • Human-in-the-loop approval for consequential outbound actions.
  • Personnel confidentiality obligations and security training; vendor due diligence on subprocessors.
  • Backup, change-management, and incident-response processes.

Contact

To execute a countersigned copy of this DPA or request the current subprocessor list, contact archon@bmistudios.com. See also our Privacy Policy, Terms of Service, Subprocessors, and Trust & Security.