Attachment 1 - Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement (“DPA”) forms part of the Agreement between:

Stratum1 GmbH, Schubertstrasse 6a, 8010 Graz, Austria (“Processor”, “Stratum1”, “we”, “us”)

and

the customer or client using the Services as controller (“Controller”, “Customer”, “you”)

(each a “Party” and together the “Parties”).

This DPA applies only where Stratum1 processes Personal Data on behalf of the Controller as processor within the meaning of Art. 28 GDPR. It does not apply where Stratum1 acts as controller for its own processing activities, such as account management, billing, payment administration, security, fraud prevention, website analytics, product analytics, marketing, support administration or legal compliance.

This DPA may be incorporated by reference into the Terms and Conditions and applies to B2B customers where the conditions above are met. Enterprise customers may request a signed version.

1. Definitions

Unless otherwise defined in this DPA, the terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, “Supervisory Authority” and “Subprocessor” have the meaning given to them in the GDPR.

“Agreement” means the Terms and Conditions, order form, enterprise agreement or other contract governing the Customer’s use of the Services.

“Services” means the Arrival.Space platform and related services provided by Stratum1 to the Controller, including hosting, rendering, space management, communication features, dashboards, APIs, integrations, AI-assisted features, support and related functionality.

“Controller Data” means Personal Data processed by Stratum1 on behalf of the Controller under this DPA.

“Subprocessor” means any third party engaged by Stratum1 to process Controller Data on behalf of the Controller in connection with the Services.

2. Roles and no joint controllership

For Controller Data, the Controller determines the purposes and means of processing and Stratum1 processes such data as processor only to provide the Services and in accordance with the Agreement and this DPA.

Nothing in this DPA creates joint controllership or joint ownership of data. If the Parties intend to act as joint controllers for a specific processing activity, this must be expressly agreed in a separate written arrangement under Art. 26 GDPR.

For processing activities where Stratum1 determines the purposes and means, Stratum1 acts as controller and the Privacy Policy applies.

3. Subject matter and documented instructions

The subject matter, nature, purpose, categories of data subjects, categories of personal data and duration of processing are described in Annex 1.

The Controller instructs Stratum1 to process Controller Data as necessary to provide the Services, comply with the Agreement, process support requests, implement configurations selected by the Controller, comply with applicable law and follow any additional documented instructions agreed by the Parties.

The Controller’s use of Platform settings, uploads, access permissions, API configurations, integrations, dashboard settings, privacy settings, publication settings, AI feature use and support requests constitute documented instructions to the extent they concern processing of Controller Data.

Stratum1 shall inform the Controller if, in Stratum1’s opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so.

4. Controller obligations

The Controller is responsible for:

• ensuring that it has a valid legal basis for processing Controller Data;
• providing all required privacy notices to data subjects;
• obtaining all required consents or permissions;
• ensuring that User Content, spaces, Gates, external content, integrations, plugins, APIs, MCP tools and AI use are lawful;
• ensuring that only authorised persons are granted access;
• responding to data subject requests unless assistance from Stratum1 is required;
• ensuring that special-category data or criminal-offence data is not uploaded or processed unless legally permitted and appropriately safeguarded;
• ensuring that its use of the Services complies with applicable data protection law.
• ensuring that guests, visitors, collaborators, invitees, employees, contractors, end users, or other persons interacting with the Controller’s spaces receive all legally required information and notices;
• ensuring that any partners, resellers, agencies, consultants, contractors, employees, invitees, or other third parties acting on the Controller’s behalf are properly authorised and supervised;

The Controller shall not use the Services for high-risk, regulated, or sensitive processing unless expressly agreed in writing with Stratum1. This includes, without limitation, systematic processing of special-category data, health data, biometric identification data, criminal-offence data, payment card data outside approved payment providers, government identifiers, or data requiring sector-specific compliance standards.

Customer-authorised Partners, Resellers and Agencies

The Controller may authorise partners, resellers, agencies, consultants, service providers, employees, contractors, or other third parties to access or manage accounts, workspaces, spaces, dashboards, content, integrations, settings, licences, or related functionality on the Controller’s behalf.

Where a partner, reseller, agency, or similar service provider creates, configures, purchases, manages, or prepares an account, workspace, licence, or space for transfer to an end client, such party is responsible for ensuring that it has the necessary authority, rights, permissions, consents, and legal bases to act for that end client and to process or transfer any related personal data.

A transfer of an account, workspace, licence, or space to an end client may require the end client to accept the applicable Terms, Privacy Policy, this DPA where applicable, and any other relevant legal documents. After transfer, the end client is responsible for managing continued access by the partner, reseller, agency, or service provider.

Such persons are deemed to act under the Controller’s responsibility and instructions, unless Stratum1 has separately engaged them as Subprocessors under this DPA. They are not Subprocessors of Stratum1 solely because they access the Services at the Controller’s request, manage a dashboard, purchase a licence, prepare a space for transfer, or continue to support a client after transfer.

The Controller is responsible for ensuring that such persons are properly authorised, bound by appropriate confidentiality and data protection obligations where required, and granted only the access rights necessary for the relevant purpose. The Controller is also responsible for their acts, omissions, configurations, uploads, publications, instructions, access rights, and processing activities within the Services.

Stratum1 may restrict, suspend, or revoke such access where necessary to protect the Services, other customers, users, third-party rights, security, legal compliance, the Agreement, this DPA, or any applicable partner agreement.

5. Processor obligations

Stratum1 shall:

• process Controller Data only on documented instructions of the Controller, unless required by Union or Member State law;
• ensure that persons authorised to process Controller Data are bound by confidentiality obligations;
• implement appropriate technical and organisational measures as described in Annex 2;
• assist the Controller with data subject requests, security obligations, personal data breach obligations, data protection impact assessments and prior consultations where required and reasonably possible;
• make available information reasonably necessary to demonstrate compliance with this DPA;
• engage Subprocessors only in accordance with Section 8;
• delete or return Controller Data in accordance with Section 11.

Any assistance provided by Stratum1 under this DPA shall be provided to the extent legally required and reasonably possible, taking into account the nature of the Services and the information available to Stratum1. Unless mandatory law requires otherwise or the assistance is necessary due to Stratum1’s breach of this DPA, Stratum1 may charge reasonable fees for assistance, audits, questionnaires, assessments, exports, custom deletion requests, or other support outside the standard functionality of the Services.

6. Confidentiality and personnel

Stratum1 shall ensure that employees, founders, contractors and other personnel with access to Controller Data are subject to appropriate confidentiality obligations and are given access only on a need-to-know basis.

7. Security measures

Taking into account the state of the art, costs of implementation, nature, scope, context and purposes of processing, and the risk to the rights and freedoms of natural persons, Stratum1 shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The current technical and organisational measures are described in Annex 2. The Controller acknowledges that the measures are implemented in a risk-based and proportionate manner appropriate for a European startup with a small team operating a global SaaS platform. Stratum1 may update the measures over time, provided that the overall level of protection is not materially reduced.

8. Subprocessors

The Controller grants Stratum1 general authorisation to engage Subprocessors listed in Annex 1 or otherwise made available through a subprocessor list.

Stratum1 shall ensure that Subprocessors are engaged under written or electronic terms that impose data protection obligations substantially consistent with Art. 28 GDPR, where applicable. Such terms shall provide a level of protection that is, in substance, no less protective than the obligations set out in this DPA, to the extent applicable to the nature and scope of the relevant subprocessing.

Stratum1 remains responsible to the Controller for the performance of its obligations under this DPA, including where such obligations are performed by Subprocessors on Stratum1’s behalf.

Stratum1 shall inform the Controller of intended additions or replacements of Subprocessors by appropriate means, such as email, notice in the Platform, update to the subprocessor list, or other reasonable notification. The Controller may object on reasonable data protection grounds within 14 days of notice.

Where a Subprocessor change is required for urgent security, availability, legal, or operational reasons, Stratum1 may implement the change before expiry of the objection period and will notify the Controller as soon as reasonably practicable. If the Parties cannot resolve the objection in good faith, the Controller may terminate the affected Services to the extent the new Subprocessor is necessary for those Services.

9. Data subject rights

Taking into account the nature of processing, Stratum1 shall assist the Controller with appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests from data subjects exercising their rights under applicable data protection law.

If Stratum1 receives a request from a data subject relating to Controller Data, Stratum1 shall, where reasonably identifiable as Controller Data, forward the request to the Controller or direct the data subject to the Controller, unless Stratum1 is legally required to respond.

10. Personal data breaches

Stratum1 shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Data.

The notification shall include information reasonably available to Stratum1 to enable the Controller to meet its obligations under data protection law, such as the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach.

Stratum1 shall reasonably cooperate with the Controller in investigating, mitigating and remediating the breach.

11. Deletion or return of Controller Data

Upon termination or expiry of the Services involving Controller Data, Stratum1 shall delete or return Controller Data within a reasonable period, unless retention is required by law, necessary for legal claims, required for security or technically required due to backup systems.

Backups may be retained for a limited period in accordance with Stratum1’s backup routines and overwritten or deleted in the ordinary course. During such period, backup data remains protected under this DPA.

The Controller is responsible for exporting or retrieving Controller Data before termination where export functionality is available.

Deletion, export, or return shall generally be performed through the standard functionality of the Services where available. Custom exports, manual deletion assistance, migration support, or non-standard return formats are provided only where required by law or agreed separately in writing and may be subject to reasonable fees.

12. Assistance with DPIAs and prior consultation

Taking into account the nature of processing and information available to Stratum1, Stratum1 shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities where required under Articles 35 and 36 GDPR and where the assessment relates to processing by Stratum1 on behalf of the Controller.

13. Audit and compliance information

Stratum1 shall make available information reasonably necessary to demonstrate compliance with this DPA, taking into account the nature of the Services and the information available to Stratum1. This may include summaries of technical and organisational measures, subprocessor information, security documentation, certifications or third-party reports where available, questionnaires, or written responses.

The Controller may request an audit or inspection only where required by applicable law or where the information provided by Stratum1 is insufficient to reasonably demonstrate compliance with this DPA. Any audit must be subject to reasonable prior written notice, confidentiality obligations, normal business hours, reasonable scope, applicable security restrictions, and measures to avoid disruption of Stratum1’s business, security risks, or risks to other customers, users, systems, or confidential information.

Audits must be conducted remotely or document-based where reasonably possible. On-site inspections may only be conducted where legally required or where a document-based audit cannot reasonably demonstrate compliance. Stratum1 may refuse access to systems, premises, personnel, or information where access would compromise security, confidentiality, trade secrets, other customers’ data, or the integrity of the Services.

The Controller acknowledges that Stratum1 may not be able to provide access to third-party infrastructure, cloud provider systems, source code, internal security tooling, or confidential information of Subprocessors. In such cases, Stratum1 may provide available summaries, third-party documentation, certifications, or written responses instead.

Unless required by law or caused by Stratum1’s material breach of this DPA, audits may not occur more than once per calendar year and shall be conducted at the Controller’s cost. Any external auditor must be independent, professionally qualified, subject to confidentiality obligations, and not be a competitor of Stratum1.

14. International transfers

Stratum1 may process or transfer Controller Data outside the EU/EEA where necessary to provide the Services, where a Subprocessor, customer, user, partner, support location, or service infrastructure is located outside the EU/EEA, including the United States, Canada, Japan, or other countries. Where required, such transfers are protected by adequacy decisions, EU Standard Contractual Clauses, supplementary measures, or other lawful transfer mechanisms. Transfers to countries covered by an adequacy decision, such as Japan where applicable, may take place on the basis of that adequacy decision.

15. Limitation of processing and high-risk data

The Services are not designed for processing special categories of personal data, criminal-offence data, health data, biometric identification data, payment card data beyond payment providers, or highly sensitive regulated data unless expressly agreed in writing.

If the Controller uploads or otherwise processes such data through the Services, the Controller remains responsible for ensuring that the processing is lawful, necessary, proportionate and appropriately safeguarded.

16. Liability

Liability under this DPA is subject to the liability limitations and exclusions set out in the Agreement, including the applicable aggregate liability cap, unless mandatory law provides otherwise. Any liability of Stratum1 arising out of or in connection with this DPA forms part of, and is not in addition to, Stratum1’s aggregate liability under the Agreement.

17. Term and termination

This DPA remains in effect for as long as Stratum1 processes Controller Data on behalf of the Controller under the Agreement.

Termination of the Agreement terminates this DPA, except for provisions that by their nature continue to apply, including confidentiality, deletion, audit evidence, liability and data protection obligations for retained data.

18. Governing law and jurisdiction

This DPA is governed by Austrian law, excluding its conflict-of-law rules and the UN Convention on Contracts for the International Sale of Goods.

For business customers, exclusive jurisdiction lies with the competent court in Graz, Austria.

19. Fees for additional assistance

Unless mandatory law requires otherwise or the assistance is necessary due to Stratum1’s breach of this DPA, Stratum1 may charge reasonable fees for assistance, audits, questionnaires, assessments, exports, custom deletion requests, migration support, or other support outside the standard functionality of the Services.

20. Annexes

The following annexes form part of this DPA:

• Annex 1: Description of Processing and Subprocessors
• Annex 2: Technical and Organisational Measures (TOMs)