Data Processing Agreement
Last updated: January 1, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Arkose Labs, Inc. (“Arkose Labs”, “we”, “us”) and the customer (“Customer”) for the provision of the Services. Capitalized terms used but not defined here have the meanings given in the customer agreement.
1. Subject Matter & Duration
The subject matter of the processing is the provision of the Arkose Labs Services. The duration of processing is the term of the customer agreement, unless otherwise required by law.
2. Roles & Responsibilities
For the Services, Customer is the Controller (or business) of Customer Personal Data, and Arkose Labs is the Processor (or service provider) acting only on documented instructions from Customer.
3. Nature & Purpose of Processing
Arkose Labs processes Customer Personal Data solely to provide, operate, support, and improve the Services as described in the customer agreement and the relevant product documentation, including bot, fraud, and AI agent detection, classification, and disruption.
4. Types of Personal Data
- End-user identifiers (e.g. pseudonymized device IDs, IP address, user agent).
- Authentication and session metadata.
- Behavioral and device signals used for risk decisioning.
- Customer-provided fields (e.g. email, account ID) where Customer elects to send them to the Services.
5. Categories of Data Subjects
Customer’s end users, including its customers, employees, contractors, or other individuals interacting with the systems Customer protects with the Services.
6. Security Measures
Arkose Labs implements and maintains appropriate technical and organizational measures including encryption in transit (TLS 1.3) and at rest (AES-256), least-privilege access controls, change-management, vulnerability management, secure development lifecycle, 24/7 SOC monitoring, and annual independent audits (SOC 2 Type II and ISO 27001).
7. Sub-Processors
Customer authorizes Arkose Labs to engage sub-processors as listed at arkoselabs.com/sub-processors. Arkose Labs will provide reasonable advance notice of additions or material changes. Customer may object on reasonable grounds within the notice period.
8. International Transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate, Arkose Labs incorporates the EU Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum, as applicable. Customer authorizes Arkose Labs to execute SCCs on its behalf with sub-processors.
9. Personal Data Breach Notification
Arkose Labs will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of a confirmed Personal Data breach affecting Customer Personal Data, including the nature, scope, likely consequences, and measures taken or proposed.
10. Data Subject Requests
Arkose Labs will, taking into account the nature of the processing, assist Customer through appropriate technical and organizational measures to respond to data subject requests directed to Customer.
11. Audits
Arkose Labs will make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits, including by providing copies of recent independent audit reports (e.g. SOC 2 Type II, ISO 27001) under NDA. Onsite audits may be conducted with reasonable notice and at Customer’s expense.
12. Return or Deletion
Upon termination, Arkose Labs will, at Customer’s choice, return or delete all Customer Personal Data, subject to retention required by applicable law or legitimate business records, in which case the data will remain protected by the obligations in this DPA.
13. Liability & Order of Precedence
The liability provisions of the customer agreement apply to this DPA. In the event of conflict between this DPA and the customer agreement, this DPA prevails with respect to data protection matters.
14. Signing the DPA
Active customers and prospective customers who require an executed DPA may request a counter-signed copy at privacy@arkoselabs.com. This page is provided for transparency; the DPA executed with your account governs.