Arketa Privacy Annex
Last Updated: 6/3/2025
This Privacy Annex (“Annex”) forms part of, and is incorporated by reference into, the Arketa Terms of Service (“Agreement”) between Sutra Fitness, Inc. d/b/a Arketa (“Arketa,” “we,” “us,” or “our”) and the customer identified in the Agreement (“Customer,” “you,” or “your”).
This Annex describes how Arketa processes personal data on behalf of Customer as a processor, and is intended to satisfy the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and equivalent data-protection laws.
1. Roles of the Parties
1.1 Customer is the Controller. Customer determines the purposes and means of processing Customer Personal Data.
1.2 Arketa is the Processor. Arketa processes Customer Personal Data solely on Customer’s documented instructions and as necessary to provide the Arketa platform and related services (“Services”).
1.3 Arketa as Independent Controller. For personal data Arketa collects and uses on its own behalf (e.g., Arketa website visitors, platform analytics, marketing leads), Arketa acts as an independent controller as described in the Arketa Privacy Policy. This Annex applies only when Arketa acts as a processor.
2. Customer Instructions
Arketa processes Customer Personal Data only as described in the Agreement, this Annex, Customer’s configuration of the Services, and Customer’s written instructions. Arketa will notify Customer if it reasonably believes an instruction violates applicable law.
3. Confidentiality
Arketa ensures that personnel with access to Customer Personal Data are bound by confidentiality obligations and only access such data as necessary to perform the Services.
4. Security Measures
Arketa implements appropriate technical and organizational measures (“TOMs”) to protect Customer Personal Data, as further described in Annex 2. These include:
- Encryption at rest and in transit
- SSO and MFA for internal access
- Role-based access control (RBAC)
- Logging and monitoring via Google Cloud Platform
- Daily encrypted backups
- Incident detection and on-call escalation
Arketa may update its TOMs from time to time, provided they do not materially reduce the level of protection.
5. Sub-Processors
Customer authorizes Arketa to use sub-processors listed in Annex 3 and any others used by Arketa.
Arketa ensures sub-processors are bound by obligations no less protective than this Annex and remains responsible for sub-processor performance.
Sub-processor notification: Arketa will notify Customer via email to studio administrators before adding or replacing sub-processors. Customer does not have a right to object.
6. Data Subject Rights
Customer is responsible for responding to data-subject requests from its end users. Arketa will assist Customer in fulfilling GDPR requests (access, deletion, correction, portability) submitted to support@arketa.com.
If a request is unclear, or relates to data Arketa controls, Arketa may respond directly.
7. Security Incidents
Arketa maintains an incident-response process and on-call security rotation.
If Arketa becomes aware of a security incident affecting Customer Personal Data, Arketa will notify Customer without undue delay, and no later than 72 hours after becoming aware, providing relevant information and updates.
Notifications will be sent to security@arketa.com or Customer’s designated admin email.
8. Return and Deletion of Data
Upon termination of Customer’s account, Customer Personal Data is retained for 90 days and then deleted from active systems. Backup deletion occurs on a rolling schedule.
Customer may export most data directly from the platform. Payment data can be exported upon request.
Arketa will delete Customer Personal Data earlier upon Customer’s request unless retention is legally required.
9. International Data Transfers
Customer Personal Data may be transferred to and processed in the United States, where Arketa’s hosting providers operate (AWS us-east-2, Google Cloud Platform us-central-1).
For such transfers, Arketa relies on the EU Commission’s 2021 Standard Contractual Clauses (“SCCs”).
SCC Incorporation: The SCCs (Module 2) are incorporated by reference. The full text is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
10. Audits
Customer may request security documentation or evidence necessary to verify compliance. On-site audits are permitted only if required by law, subject to 30 days’ notice, mutually agreed scope, and reasonable limits.
11. Liability
Liability under this Annex is subject to the limitations set forth in the Agreement, including any caps or exclusions.
12. Governing Law
This Annex is governed by the same law as the Agreement (California law), except where applicable data-protection law requires otherwise.
13. Conflict of Terms
If there is a conflict between this Annex and the Agreement, this Annex controls to the extent required by GDPR and applicable data-transfer laws.
Annex 1 — Description of Processing
- Subject Matter: Processing required to provide the Arketa platform.
- Duration: Term of Agreement + 90 days.
- Nature: Storage, transmission, organization, modification, retrieval, deletion, support.
- Data Subjects: Customer’s clients, members, staff, administrators.
- Personal Data: Name, email, phone, signature (waivers), gender (optional), birthday, shipping address, payment history (not card numbers), marketing preferences, geolocation (opt-in).
- Special Categories: None intentionally processed.
- Purpose: To provide, support, secure, and improve the Services.
Annex 2 — Technical & Organizational Measures (TOMs)
1. Encryption
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AWS/GCP native)
2. Access Controls
- SSO + MFA for internal access
- Role-based access (RBAC)
- Least-privilege access
3. Logging & Monitoring
- GCP logging and monitoring
- Automated security alerts
- On-call rotation for incidents
4. Infrastructure Security
- Hosted on AWS us-east-2 and GCP us-central-1
- Regular updates and patches
5. Backup & Resilience
- Daily backups
- Encrypted backup storage
6. Incident Response
- Formal incident-response plan
- 72-hour breach notification commitment
7. Personnel
- Confidentiality agreements
- Security training for engineering and support teams
Annex 3 — Sub-Processors
The following sub-processors support Arketa’s Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| AWS (Amazon Web Services) | Hosting, compute, storage | United States |
| Google Cloud Platform | Infrastructure, logging, compute | United States |
| Stripe | Payment processing | United States |
| PostHog | Product analytics | United States |
Additional sub-processors may be added. Arketa will notify Customer via email to studio administrators prior to changes.
