Data processing addendum (DPA)
Last updated: · Operator: Arlualo LLC, 30 North Gould Street, Sheridan WY 82801, USA · Contact: [email protected]
This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Customer", acting as Controller) and Arlualo LLC ("Weft", acting as Processor). It applies whenever Weft processes personal data on Customer's behalf as part of the service. Capitalised terms used and not defined here have the meaning given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). Where Customer is established in the United Kingdom, references to the GDPR are to be read as references to the UK GDPR and the Data Protection Act 2018.
1. Subject matter, nature and purpose of processing
Weft processes personal data contained in the inbound emails, Slack messages and Shopify orders that Customer connects to the service, in order to:
- ingest, store and display those messages in Customer's inbox;
- classify each message (spam vs. customer enquiry, etc.);
- look up linked Shopify orders to ground AI replies in real data;
- generate, store and send Customer-approved AI-drafted replies;
- maintain audit logs and security telemetry.
2. Categories of data subjects and personal data
- Data subjects: Customer's end customers; senders of email or Slack messages addressed to Customer; Customer's employees and agents who use Weft.
- Categories of personal data: name, email address, phone number, postal address, message content (which may contain any data the data subject volunteers), order numbers, tracking numbers, payment status, IP address, user-agent, language preference.
- Special-category data: Customer should not deliberately route special-category data through Weft. To the extent it appears in inbound messages (e.g., a customer mentioning health information in a complaint), it is processed only as needed to display and respond to the message.
3. Duration
Weft processes personal data for the duration of the service agreement and for the retention periods set out below, after which it is deleted or returned to Customer at Customer's option.
- Live ingest data: retained for the duration of the subscription and a 30-day soft-delete grace period after termination.
- Off-site backups: 30 days, encrypted.
- Audit logs: 1 year on Free and Growth, 2 years on Scale, configurable on Infinite.
4. Customer instructions
Weft processes personal data only on documented Customer instructions, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which Weft is subject. Customer's use of the service through configured account settings is itself a documented instruction.
5. Sub-processors
Customer authorises Weft to engage the sub-processors listed at /legal/subprocessors, which is the maintained register and forms part of this DPA. The list is split between sub-processors that are always engaged (used by every Weft account, e.g. Hetzner, Stripe, the AI providers) and those engaged only when Customer opts in (e.g. Slack, Shopify, Google sign-in, Customer's chosen IMAP provider).
Weft will inform Customer at least 30 days before adding or changing a sub-processor (in-app banner + email to organisation owners + update to /legal/subprocessors). Customer may object on reasonable grounds; if the parties cannot agree on a remedy within 30 days, Customer may terminate the subscription and receive a pro-rata refund of prepaid fees for the unused period.
Weft has a written contract in place with each sub-processor that imposes data-protection obligations equivalent to those in this DPA. Weft remains liable for the acts and omissions of its sub-processors as if performed by Weft itself.
6. International transfers
Where personal data is transferred outside the EEA or the UK to a country that the European Commission has not deemed to provide an adequate level of protection, the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) of 4 June 2021 ("EU SCCs"), which are incorporated into this DPA by reference. The information required by Annex I.A and I.B of those SCCs is set out in section 2 of this DPA; Annex II is set out in section 7 (security measures); Annex III is the sub-processor list at /legal/subprocessors.
For transfers to a US-based sub-processor that is self-certified under the EU-US Data Privacy Framework (DPF) — currently Anthropic, Stripe, Cloudflare, Slack, Google — Weft additionally relies on the DPF as a transfer mechanism alongside the SCCs.
For transfers governed by UK data protection law, the UK International Data Transfer Addendum to the EU SCCs (the "UK IDTA"), issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, is deemed entered into between the parties and applies to all such transfers.
Weft applies supplementary technical and organisational measures (encryption in transit and at rest, access logging, key separation, mailbox credential encryption) consistent with the EDPB recommendations following the Schrems II judgment.
7. Security measures (Article 32 GDPR)
- HTTPS-only with TLS 1.2 or higher; HSTS in place; HTTP/3 supported.
- Passwords stored as Argon2id hashes with per-password salts.
- Optional TOTP multi-factor authentication.
- API tokens stored as SHA-256 hashes; the token itself is shown only once at creation.
- Per-tenant access scoping enforced at the database query layer; cross-tenant isolation tested in CI.
- Server-side session storage with revocation; idle and absolute session expiries.
- CSRF protection on all state-changing endpoints; per-IP and per-user rate limiting.
- Encrypted off-site database backups; automated restore drills.
- Centralised structured logging; production secrets stored outside source control.
- Vulnerability monitoring and patching of base images and dependencies.
8. Confidentiality
Weft personnel authorised to process personal data are bound by written confidentiality obligations and receive periodic training on data protection.
9. Personal data breach notification
Weft will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer data. The notification will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
10. Audit
Weft will make available to Customer all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits — including inspections — conducted by Customer or another auditor mandated by Customer, at Customer's expense and on reasonable notice. To minimise disruption, Weft may provide audit reports from independent third-party auditors (e.g., SOC 2 reports when available) in lieu of on-site inspection.
11. Data subject rights
Weft will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures (insofar as this is possible) for the fulfilment of Customer's obligations to respond to requests for exercising data subject rights.
12. Return or deletion
On termination of the service, Customer may export its data via the API or in-app download. Within 30 days of termination, Weft will delete all Customer personal data from the service and instruct sub-processors to do the same, save where Union or Member State law requires storage of the personal data.
13. Liability and entire agreement
Liability under this DPA is governed by the limitation-of-liability clauses in the Terms of Service. In the event of conflict between this DPA and the Terms, this DPA prevails with respect to data-protection matters.
14. Changes
Weft may update this DPA to reflect changes in law or our processing. Material changes will be announced at least 30 days in advance.
15. Contact
For DPA-related questions or to submit a data-subject request:
[email protected]
Arlualo LLC — Data Protection
30 North Gould Street, Sheridan, WY 82801, USA