Data Processing Agreement
Effective date: 22 May 2026
Version: 1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between the customer ("Customer", "you", the controller) and Sharpian (샤피안), a sole proprietorship registered in the Republic of Korea ("Sharpian", "we", the processor). It applies where we process personal data contained in Your Content on your behalf. If you accept the Agreement, you accept this DPA. Where this DPA conflicts with the Agreement on data protection, this DPA controls.
This DPA is intended to satisfy the requirements of the EU GDPR, the UK GDPR, and the Republic of Korea's PIPA, as applicable.
1. Definitions
Terms such as controller, processor, personal data, data subject, processing, personal data breach, and sub-processor have the meanings given in applicable data protection law. "Your Content" has the meaning given in the Agreement.
2. Roles and scope
- You are the controller of personal data within Your Content. We are the processor, acting only on your documented instructions.
- For your own account and billing data, we act as an independent controller as described in our Privacy Policy; that is outside the scope of this DPA.
- The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are set out in Annex A.
3. Our obligations as processor
We will:
- Process only on instructions. Process personal data only on your documented instructions (including those given through the Service), unless required by law, in which case we will inform you unless legally prohibited.
- Confidentiality. Ensure persons authorised to process the data are bound by confidentiality.
- Security. Implement appropriate technical and organisational measures, as described in Annex B.
- Sub-processors. Engage sub-processors only as permitted by Section 5.
- Assist with data subject requests. Taking into account the nature of processing, assist you by appropriate measures to respond to data subjects exercising their rights. If we receive a request directly, we will not respond except on your instruction, and will forward it to you without undue delay.
- Assist with compliance. Assist you, taking into account the nature of processing and the information available to us, with your obligations relating to security, breach notification, data protection impact assessments, and prior consultation.
- Breach notification. Notify you without undue delay after becoming aware of a personal data breach affecting Your Content, with the information reasonably available to enable you to meet your own notification obligations.
- Deletion or return. On termination of the Service, and at your choice, delete or return Your Content as described in the Agreement and Privacy Policy, and delete existing copies unless retention is required by law.
- Records and audits. Make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, subject to Section 7.
4. Your obligations as controller
You will:
- have a valid legal basis to collect and process the personal data in Your Content and to have us process it;
- issue instructions that are lawful;
- be responsible for the accuracy, quality, and legality of Your Content; and
- where Your Content includes special-category or sensitive data (which is common in archival material), ensure an appropriate lawful basis and conditions apply.
5. Sub-processors
- You provide general authorisation for us to engage sub-processors to provide the Service. Our current sub-processors (including cloud hosting, email, analytics, Paddle for payments, and AI inference) are listed in Annex C and available on request.
- We will inform you of intended additions or replacements of sub-processors with reasonable notice, giving you the opportunity to object on reasonable data-protection grounds. If you object and we cannot reasonably accommodate the objection, you may terminate the affected Service as your sole remedy.
- We remain responsible for our sub-processors' performance of their data-protection obligations and will impose obligations on them no less protective than this DPA.
6. International transfers
Where processing involves transferring personal data across borders, we rely on a valid transfer mechanism, such as an adequacy decision (the Republic of Korea benefits from an EU adequacy decision), Standard Contractual Clauses, or an equivalent recognised safeguard. The relevant SCCs are incorporated by reference where required, with Annex A populating their appendices.
7. Audits
We will respond to your reasonable requests for information needed to confirm our compliance with this DPA, including summaries of relevant practices. Any on-site audit will be at your expense, on reasonable advance notice, no more than once per year (except where required by a supervisory authority or following a breach), during business hours, and conducted so as not to disrupt the Service or compromise other customers' confidentiality.
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, including the liability cap. This DPA does not increase a party's aggregate liability beyond what is stated in the Agreement, except where applicable law does not permit such a limit.
9. Republic of Korea — PIPA consignment
Where PIPA applies, this DPA constitutes the written agreement governing our consignment (위탁) of processing on your behalf. We will process consigned personal information only within the scope of the consigned work, maintain appropriate safety measures, and not re-consign without authorisation consistent with Section 5.
10. Term and termination
This DPA takes effect when you accept the Agreement and continues for as long as we process personal data on your behalf. Obligations that by their nature should survive (including confidentiality, deletion, and liability) survive termination.
Annex A — Details of processing
- Subject matter: provision of the Archively service to the Customer.
- Duration: the term of the Agreement plus any retention/deletion period described in the Privacy Policy.
- Nature and purpose: hosting, storage, cataloguing, indexing, search, optional AI-assisted processing, and publication of Your Content as configured by the Customer.
- Types of personal data: as contained in the Customer's collections — may include names, biographical details, images, correspondence, and other personal data within archival records; and authorised-user account data (name, email, role).
- Special categories: archival material may contain special-category/sensitive data (e.g. relating to health, religion, political opinions, ethnicity). The Customer is responsible for ensuring a lawful basis.
- Categories of data subjects: individuals referenced in the Customer's collections; the Customer's authorised users; portal end-users.
- Frequency: continuous, for the duration of the Agreement.
Annex B — Technical and organisational measures
- Encryption of personal data in transit and at rest.
- Role-based access control and least-privilege access.
- Logging of access to the Service.
- Logical separation of tenant data in the multi-tenant environment.
- Routine backups and a documented restore process.
- Access to production systems limited to authorised personnel under confidentiality obligations.
- Periodic review of security measures.
Annex C — Sub-processors
The current list of sub-processors (name, purpose, and location) is maintained by Sharpian and available on request at legal@archively.ai. It includes, at minimum, our cloud hosting provider, email delivery provider, analytics provider, Paddle (payment processing), and AI inference provider(s).