Data Processing Agreement
Effective date: 2026-04-11
Version: 2026-04-11
This Data Processing Agreement ("DPA") is entered into between the customer identified in the applicable order form or account record ("Customer", "you", or "Controller") and Arms Inventory ("Arms Inventory", "we", "us", "our", or "Processor"). It supplements, and is incorporated into, the Arms Inventory Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal data.
1. Parties and Definitions
Controller means the Customer, which determines the purposes and means of the processing of personal data relating to its own users, employees, contractors, and end users.
Processor means Arms Inventory, which processes personal data on behalf of the Controller in accordance with its documented instructions.
Personal data means any information relating to an identified or identifiable natural person that is processed by Arms Inventory as part of providing the Service.
Processing means any operation or set of operations performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, combination, restriction, erasure, or destruction.
Sub-processor means any third party engaged by Arms Inventory to carry out specific processing activities on behalf of the Controller.
Data subject means the natural person to whom personal data relates.
Capitalized terms not otherwise defined in this DPA have the meanings given to them in the Terms of Service.
2. Scope and Subject Matter
This DPA applies to all personal data processed by Arms Inventory on behalf of the Controller while providing the Service. The processing activities covered include:
- Ingestion, parsing, and storage of invoices and purchase orders.
- Invoice-to-order matching, including AI-assisted match suggestions.
- Receiving workflow, audit logging, and POS export.
- FastBound acquisition handoff, where enabled by the Controller.
- Authentication, session management, role-based access control, and multi-factor authentication for users within the Controller's tenant.
- Transactional email, error monitoring, and support ticket handling.
Roles. The Controller is the data controller of all personal data it uploads to or enters into the Service. Arms Inventory acts as the Controller's data processor and processes personal data only on the Controller's documented instructions, as set out in the Terms of Service, the Privacy Policy, this DPA, and any written instructions the Controller may issue through its administrator accounts.
Duration. This DPA takes effect on the date the Controller accepts the Terms of Service (or an equivalent order form) and remains in effect until the earlier of (a) the termination of the Terms of Service, or (b) the destruction of all Controller personal data pursuant to section 9.
3. Processor Responsibilities
Arms Inventory will:
- Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data, unless required to do so by applicable law. If a legal requirement compels Arms Inventory to process personal data beyond the Controller's instructions, Arms Inventory will inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure on important grounds of public interest.
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement the technical and organizational security measures described in section 5 to protect personal data against unauthorized access, loss, alteration, or disclosure.
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to data subject requests.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
- Notify the Controller without undue delay if it determines that any Controller instruction infringes applicable data protection law.
4. Sub-processors
The Controller grants Arms Inventory general authorization to engage sub-processors for the purpose of providing the Service. Arms Inventory is liable for the acts and omissions of its sub-processors as if they were its own. The current list of sub-processors is:
| Sub-processor | Service | Location |
|---|---|---|
| Anthropic | Claude API for PDF vision extraction and Excel header mapping. Zero-retention commitment for API traffic. | United States |
| FastBound | ATF compliance handoff — acquisition push on receive confirmation. | United States |
| Hetzner Cloud | Production hosting (application servers, MongoDB, object storage). US-East Hillsboro region. | United States (Oregon) |
| Resend | Transactional email delivery. | United States |
| Sentry | Application error monitoring. | United States |
| UptimeRobot | External uptime and latency monitoring. | United States |
Arms Inventory will notify the Controller of any intended additions or replacements of sub-processors at least thirty (30) days in advance via email to the administrator contact on file and an in-app banner. The Controller may object to the change in writing within the notice period. If the Controller's objection cannot be reasonably resolved, the Controller may terminate its use of the Service in accordance with the Terms of Service.
5. Security Measures
Arms Inventory implements the following technical and organizational measures, which are described in greater detail in the Privacy Policy:
- Transport encryption. All traffic is protected by TLS 1.2 or higher, terminated at our reverse proxy.
- Authentication. Passwords are hashed with Argon2id. Sessions are issued as signed JWTs stored in HTTP-only, SameSite=Strict, Secure cookies. TOTP multi-factor authentication is available and can be required for administrators.
- Access control. Per-tenant database isolation, role-based access control, and location scoping enforce least privilege.
- CSRF protection. All state-changing requests require a double-submit CSRF token.
- Audit logging. Security-relevant events are written to an append-only audit log collection that does not support updates or deletes.
- Backups and restore readiness. Production data is backed up regularly, and restore procedures are tested through documented operational drills.
- Secrets management. Secrets are loaded from environment variables and never committed to source control.
- Change management. Production changes flow through a reviewed pull-request pipeline with automated type checks, linters, and tests.
Arms Inventory may update its technical and organizational measures from time to time, provided that any update does not materially reduce the overall level of security described in this section.
6. Breach Notification
Arms Inventory will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting the Controller's personal data. The notification will include, to the extent then known:
- The nature of the personal data breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Arms Inventory security point of contact.
- The likely consequences of the personal data breach.
- The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
Notifications will be sent to the administrator email address on file for the affected tenant. Arms Inventory will cooperate with the Controller's reasonable requests for additional information and remediation support in the aftermath of any breach.
7. Data Subject Rights
Arms Inventory will, to the extent legally permitted, promptly forward any data subject request it receives directly (including requests for access, correction, erasure, portability, restriction, or objection) to the administrator contact for the affected tenant, and will not respond to such requests directly unless authorized by the Controller to do so. The Controller remains responsible for responding to data subject requests.
8. International Transfers
The Service is currently hosted and operated exclusively in the United States. Arms Inventory does not currently transfer personal data outside the United States. If, in the future, Arms Inventory intends to transfer Controller personal data to a sub-processor located outside the United States, it will first update this DPA, obtain the Controller's consent, and put in place appropriate transfer safeguards, including where applicable the Standard Contractual Clauses adopted by the European Commission.
9. Termination of DPA
This DPA terminates automatically when the Terms of Service between the Controller and Arms Inventory terminate. Within thirty (30) days after termination, Arms Inventory will, at the Controller's choice, either return all Controller personal data in a machine-readable format or delete it from active infrastructure. Archived tenant databases are retained for the period described in the account service agreement and are then destroyed, except where longer retention is required by law.
10. FastBound Handoff Clause
The Controller acknowledges and agrees that Arms Inventory acts as a conduit for the initial push of firearm acquisition records from the Service to the Controller's FastBound account. Once a firearm record is successfully pushed to FastBound, the authoritative Acquisition and Disposition (A&D) record is owned and maintained by FastBound under FastBound's own terms of service and data processing agreement with the Controller, not ours.
This has the following specific consequences:
- The twenty (20) year ATF A&D retention obligation under 27 CFR 478.129(b) applies to the FastBound record, not to any local copy the Service may retain.
- Deleting a firearm record in Arms Inventory (for example, by archiving a tenant) does not delete the corresponding record in FastBound. The Controller is solely responsible for the management, retention, and deletion of records in its FastBound account.
- Data subject requests relating to firearm records that have already been handed off to FastBound must be directed to FastBound and are governed by FastBound's own policies.
Arms Inventory will provide reasonable assistance, limited to the non-FastBound portion of the Controller's data, in response to any Controller instruction to delete, export, or rectify firearm records.
11. Liability Allocation
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA excludes or limits any liability that cannot be excluded or limited under applicable law, including liability for gross negligence, willful misconduct, or fraud.
12. Governing Law
This DPA is governed by the laws of the State of Delaware, United States of America, without regard to its conflict of law provisions. Any disputes arising out of or related to this DPA will be resolved in the state or federal courts located in Delaware, and the parties consent to the personal jurisdiction of those courts.
13. Signatures
This DPA is incorporated into the Terms of Service and takes effect when the Controller accepts those Terms electronically or signs an order form incorporating them by reference. For Controllers that require a countersigned DPA, please contact support@armsinventory.com to arrange a wet-signature version on Arms Inventory letterhead.
On behalf of the Controller:
Name: ______
Title: ______
Signature: ______
Date: ______
On behalf of Arms Inventory (Processor):
Name: ______
Title: ______
Signature: ______
Date: ______