GDPR FAQ

Learn how Arketa meets GDPR requirements, processes EU personal data, supports data subject rights, manages sub-processors, and uses a standardized Privacy Annex for controller-processor compliance.

Updated this week

What is the GDPR?

The General Data Protection Regulation (“GDPR”) is a comprehensive privacy law governing how personal data belonging to individuals in the European Economic Area (EEA) is collected, used, and protected.


It applies to any business—whether located in Europe or not—that processes the personal data of individuals in the EEA.

The GDPR establishes strict requirements around transparency, security, individual rights, and controller-processor relationships.


Does the GDPR apply to Arketa and its customers?

Yes. If you have clients, members, or users in the EEA, or process their personal data in Arketa, GDPR obligations apply.

Arketa processes personal data on behalf of studios and creators, which makes Arketa a processor, and you (the business using Arketa) a controller under GDPR definitions.


What is Arketa’s role under the GDPR?

Under the GDPR:

  • You, the studio or creator, act as the data controller.

  • Arketa acts as the data processor for personal data you store or process through the Arketa platform.

As processor, Arketa follows your instructions and implements appropriate safeguards to protect personal data.

For data Arketa collects on its own behalf—such as platform analytics, website usage, or Arketa marketing—it acts as an independent controller.


Where does Arketa store and process personal data?

Arketa processes data primarily in the United States, using:

  • AWS (us-east-2)

  • Google Cloud Platform (us-central-1)

For transfers from the EEA to the U.S., Arketa relies on the 2021 EU Standard Contractual Clauses (SCCs), which are incorporated into the Arketa Privacy Annex.


What personal data does Arketa process on behalf of studios?

Arketa processes the information you collect from your clients, which may include:

  • Name, email address, phone number

  • Birthday, gender (optional)

  • Waiver signatures

  • Shipping address

  • Payment history (not card numbers—stored by Stripe)

  • Marketing preferences

  • Geolocation (opt-in)

Arketa does not intentionally collect special category (sensitive) data or children’s data under GDPR thresholds.


How does Arketa protect personal data?

Arketa uses a combination of organizational and technical safeguards, including:

  • Encryption at rest and in transit

  • Role-based access (RBAC) and least-privilege controls

  • SSO and MFA for internal access

  • Logging and monitoring through GCP

  • Daily encrypted backups

  • On-call incident-response rotation

  • A formal breach notification process

  • Strict employee confidentiality obligations

Full details are listed in Annex 2 of the Arketa Privacy Annex.


Does Arketa help customers respond to data subject requests?

Yes.


If an EU individual exercises any GDPR right (access, deletion, correction, portability), Arketa will assist you as the controller.

Requests can be sent to:
📧 support@arketa.com

You are responsible for determining the appropriate response, and Arketa will act on your documented instructions.


What happens to my data if I close my Arketa account?

Arketa retains Customer Personal Data for 90 days after account closure to allow for export and transition needs.


After that, data is deleted from active systems, with backups removed on their standard rotation schedule.

Most data can be exported directly from the Arketa dashboard; payment-related data can be provided upon request.


Does Arketa have a list of sub-processors?

Yes. Arketa uses trusted service providers such as AWS, GCP, Stripe, and PostHog.

Arketa provides notification-only updates when adding or changing sub-processors.


Does Arketa sign customer-provided DPAs or negotiate custom terms?

No.
Arketa does not sign customer-provided DPAs or accept customized amendments to our data-processing terms.

Here's why:

  • Arketa operates one platform and one processing model for all customers.

  • Custom DPAs often impose obligations that are inconsistent with how the platform actually works.

  • Negotiating many bespoke DPAs would create conflicting requirements and increase risk for all customers.

  • GDPR only requires that a compliant processor agreement exists—not that each customer provides the template.

Instead:

Arketa provides a standardized Privacy Annex that:

  • Includes all GDPR-required Article 28 processor clauses

  • Incorporates the 2021 SCCs (Module 2)

  • Describes Arketa’s security measures

  • Covers international transfers

  • Defines data retention and deletion

  • Explains sub-processor use and notifications

This ensures every customer benefits from the same strong, operationally accurate privacy protections, without variations that Arketa cannot support.

This is the same approach used by major SaaS companies, including Shopify, Stripe, and others.


Where can I find Arketa’s Privacy Annex?

The Privacy Annex is published here:

It is incorporated by reference into the Arketa Terms of Service and applies automatically to all customers.


Where can I download the SCCs?

You can access the full text of the EU Commission’s 2021 Standard Contractual Clauses here:

These SCCs are incorporated by reference into the Arketa Privacy Annex.


Who can I contact with GDPR or privacy questions?

You can reach Arketa’s team at:
📧 security@arketa.com (security inquiries)
📧 support@arketa.com (data subject requests or general questions)
