Last updated: 20 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Artanis Ltd ("Processor", "Artanis", "We") and the Customer ("Controller", "You"). This DPA applies to the extent that Artanis processes Personal Data on behalf of the Customer in the course of providing the Service.
This DPA is incorporated automatically when You agree to the Terms of Service. Enterprise customers requiring a countersigned copy may contact privacy@artanis.ai.
Capitalised terms not defined in this DPA have the meanings given to them in the Terms of Service. In addition:
The Customer is the Controller and Artanis is the Processor with respect to any Personal Data contained within Customer Data submitted to the Service. The details of the processing are set out in Annex 1.
For the avoidance of doubt, Artanis is a Controller in its own right for account data, usage data, and other personal data described in Our Privacy Policy. This DPA does not apply to that processing.
Artanis shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Artanis shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure.
The Customer's instructions for processing are as set out in the Terms of Service, this DPA, and any subsequent written instructions agreed between the parties. If Artanis believes that an instruction from the Controller infringes Data Protection Laws, Artanis shall promptly notify the Controller.
Artanis shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require access to perform their duties in connection with the Service.
Artanis shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR. These measures are described in Annex 2 and include, at a minimum:
The Controller provides general written authorisation for Artanis to engage Sub-Processors. The current list of approved Sub-Processors is set out in Annex 3.
Artanis shall:
Taking into account the nature of the processing, Artanis shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to Data Subject requests to exercise their rights under Chapter III of the UK GDPR (Articles 15 to 22).
If Artanis receives a request from a Data Subject directly, Artanis shall promptly notify the Controller and shall not respond to the request without the Controller's prior written instructions, unless required to do so by applicable law.
Artanis shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on the Controller's behalf. The notification shall include:
Artanis shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.
Artanis shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 of the UK GDPR, taking into account the nature of the processing and the information available to Artanis.
Artanis shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
Audits shall be:
Where Artanis obtains relevant third-party audit reports or certifications (such as SOC 2 or ISO 27001), Artanis may make these available to the Controller to satisfy audit requests, provided they are reasonably current and comprehensive.
Personal Data may be transferred outside the United Kingdom in connection with the Sub-Processors listed in Annex 3. Artanis shall ensure that any such transfer is subject to appropriate safeguards in accordance with Article 46 of the UK GDPR, specifically:
Artanis shall conduct and document a transfer risk assessment for each international transfer and shall implement supplementary measures where necessary to ensure that the level of protection for Personal Data is not undermined.
Upon termination or expiry of the Terms of Service, at the Controller's choice:
Artanis may retain Personal Data to the extent and for the period required by applicable law, provided that Artanis ensures the confidentiality of such data and processes it only for the purposes for which retention is required.
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except that the limitations of liability shall not apply to the extent prohibited by Data Protection Laws.
This DPA shall remain in effect for as long as Artanis processes Personal Data on behalf of the Controller. Sections that by their nature should survive termination shall survive, including but not limited to data deletion obligations, audit rights (for a period of 12 months following termination), and confidentiality obligations.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data protection matters.
The processing of Personal Data in connection with the provision of the Artanis AI evaluation and observability platform, for the duration of the Customer's Subscription.
Data Subjects may include any individuals whose personal data is contained within the Customer Data submitted to the Service. This is determined by the Controller and may include:
The categories of Personal Data are determined by the Controller and may include any personal data contained within prompts, AI inputs and outputs, labels, evaluation data, and associated metadata. Artanis does not require or request that the Controller submit special category data (Article 9) or criminal conviction data (Article 10).
Personal Data is retained for the duration of the Customer's Subscription, plus 30 days following termination to facilitate data export, after which it is securely deleted unless otherwise instructed by the Controller or required by applicable law.
Artanis implements the following security measures in accordance with Article 32 of the UK GDPR:
The following Sub-Processors are authorised to process Personal Data on behalf of the Controller:
| Sub-Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Vercel Inc. | Application hosting, serverless compute, and content delivery | United States | UK IDTA / EU SCCs + UK Addendum |
| Google LLC | AI processing (Gemini API) for evaluation building and prompt improvement | United States | UK IDTA / EU SCCs + UK Addendum |
Optional integrations: The Service allows Customers to configure optional third-party integrations (such as Langfuse, LangSmith, or AWS) using the Customer's own API keys. These integrations are controlled entirely by the Customer and are not Sub-Processors of Artanis. The Customer is responsible for ensuring an appropriate legal basis for any data sharing with such third parties.
This Sub-Processor list was last updated on 20 March 2026. To be notified of changes, contact privacy@artanis.ai.
For questions about this DPA, to request a countersigned copy, or to exercise any rights described herein, please contact: