Data Processing Agreement

Effective date: 2026-05-25 · Version 1.0

This Data Processing Agreement (“DPA”) supplements the ClientLaunch Terms of Service between Arktos Marketing LLC (“Processor”) and the Customer firm (“Controller”). It governs the processing of End Client personal data by the Processor on behalf of the Controller.

1. Roles

The Controller is the customer accounting / bookkeeping / tax / advisory firm that uses ClientLaunch to onboard its own clients. The Processor is Arktos Marketing LLC, the operator of ClientLaunch. End Clients are the natural persons whose data is processed through the onboarding wizard.

2. Scope and purpose of processing

The Processor processes End Client personal data solely to:

  • Provide the onboarding wizard experience.
  • Store intake-form responses, uploaded files, e-signatures, and consent records as configured by the Controller.
  • Generate AI-assisted reminder, summary, and intake-draft content for the Controller’s use.
  • Fire outbound webhooks to integrations selected by the Controller (e.g., GoHighLevel) to enable the Controller’s own messaging workflows.
  • Maintain audit logs for security and dispute resolution.

The Processor will not process End Client personal data for any other purpose, including but not limited to advertising, profiling, or sale to third parties.

3. Categories of data and data subjects

Data subjects: End Clients of the Controller (typically individuals or authorized representatives of business entities engaging with the Controller).

Categories of personal data: name, business name, email address, phone number, IP address, browser user-agent, electronic signature image, uploaded documents (which may include identification documents, financial records, prior-year tax returns, bank statements), and intake-form responses as configured by the Controller.

Sensitive categories: Where the Controller’s configured forms or uploaded documents include sensitive personal data (e.g., Social Security Numbers, banking information), such processing occurs solely under the Controller’s instruction. The Processor recommends that the Controller use the purpose-built file upload, e-signature, and payment step types for sensitive data rather than free-form intake fields.

4. Controller obligations

The Controller represents and warrants that it:

  • Has a lawful basis to collect and process End Client personal data via the Service.
  • Has obtained any necessary consents from End Clients for outbound SMS, email, and voice communications, including TCPA-compliant consent where applicable.
  • Will respond directly to End Client privacy requests (access, correction, deletion, portability, objection), with the Processor’s reasonable assistance.

5. Processor obligations

The Processor will:

  • Process End Client personal data only on the Controller’s documented instructions, as configured through the Service.
  • Implement and maintain the security measures described in Section 9.
  • Ensure that personnel with access to End Client personal data are bound by confidentiality.
  • Provide reasonable assistance to the Controller in responding to End Client privacy requests and in conducting data protection impact assessments where required.
  • Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach involving End Client data.
  • Delete or return all End Client personal data within 90 days of termination of the Service, except where law requires retention.

6. Sub-processors

The Controller authorizes the Processor to engage the sub-processors listed in the Processor’s Privacy Policy at /legal/privacy. The Processor will:

  • Impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
  • Notify Controller of any intended additions or replacements of sub-processors at least 14 days in advance.
  • Remain liable for the acts and omissions of its sub-processors.

7. International data transfers

Some sub-processors may process End Client personal data outside the country in which the Controller is located. Where required by law (e.g., GDPR Chapter V), the Processor will rely on Standard Contractual Clauses or other approved transfer mechanisms.

8. End Client rights

The Processor will reasonably assist the Controller in fulfilling End Client requests for access, correction, deletion, restriction, portability, and objection. The Controller is responsible for verifying End Client identity and for the substantive response.

9. Security measures

The Processor implements at minimum:

  • Tenant isolation enforced at the database level via PostgreSQL row-level security policies on every Controller-owned table.
  • Encryption in transit (TLS 1.2+) for all connections.
  • Encryption at rest for sensitive credentials (AES-256-GCM).
  • Tokenized magic links with HMAC envelope, SHA-256 hashing, and per-token expiry and revocability.
  • Signed URLs for file downloads with short TTLs.
  • HMAC-signed outbound webhooks; inbound webhooks accept HMAC or Bearer authentication with constant-time comparison.
  • IP-based rate limiting on client-facing endpoints.
  • Append-only audit logging covering authentication, access, mutations, and integration events.
  • Role-based access control with Owner, Admin, Staff, and Read-only roles.
  • Optional multi-factor authentication for firm users.
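The following is an added illustration of the webhook control described above (HMAC-signed outbound webhooks; inbound webhooks verified with constant-time comparison of either an HMAC signature or a Bearer token). It is not part of this Agreement and is not ClientLaunch code; the header names, the timestamp-prefixed message format, and the five-minute replay window are assumptions for the example, not terms of this DPA.

```python
"""Illustrative HMAC webhook signing and verification (added example, not ClientLaunch code)."""
import hmac
import hashlib
import time

# Assumed header names and scheme; this DPA does not specify them.
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Timestamp"
REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and delivery delay


def _message(timestamp: int, body: bytes) -> bytes:
    # Binding the timestamp into the signed message lets the receiver reject replays
    # without keeping state, and prevents the signature from being reused on a later delivery.
    return str(timestamp).encode() + b"." + body


def sign_outbound(secret: bytes, body: bytes, timestamp: int) -> dict:
    """Build the headers for an outbound webhook: HMAC-SHA256 over timestamp + body."""
    sig = hmac.new(secret, _message(timestamp, body), hashlib.sha256).hexdigest()
    return {TIMESTAMP_HEADER: str(timestamp), SIGNATURE_HEADER: "sha256=" + sig}


def verify_inbound(secret: bytes, bearer_token: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Accept an inbound webhook carrying either a valid Bearer token or a valid HMAC.

    Every comparison against a secret uses hmac.compare_digest, so a mismatch takes the same
    time regardless of how many leading bytes happened to match.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        presented = auth[len("Bearer "):].encode()
        return hmac.compare_digest(presented, bearer_token)

    sig_header = headers.get(SIGNATURE_HEADER, "")
    ts_header = headers.get(TIMESTAMP_HEADER, "")
    if not sig_header.startswith("sha256=") or not ts_header.isdigit():
        return False
    timestamp = int(ts_header)
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False  # stale or future-dated delivery: reject to limit replay
    expected = hmac.new(secret, _message(timestamp, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig_header[len("sha256="):], expected)


def demo() -> dict:
    """Round-trip a constructed payload and report which deliveries are accepted."""
    secret = b"constructed-shared-secret"          # constructed sample, not a real key
    token = b"constructed-bearer-token"
    body = b'{"event":"intake.completed","client_id":"demo"}'  # constructed sample payload
    sent_at = 1_700_000_000
    headers = sign_outbound(secret, body, sent_at)
    return {
        "valid": verify_inbound(secret, token, headers, body, sent_at + 5),
        "tampered_body": verify_inbound(secret, token, headers, body + b" ", sent_at + 5),
        "replayed_late": verify_inbound(secret, token, headers, body, sent_at + REPLAY_WINDOW_SECONDS + 1),
        "bearer_ok": verify_inbound(secret, token, {"Authorization": "Bearer constructed-bearer-token"}, body, sent_at),
        "bearer_bad": verify_inbound(secret, token, {"Authorization": "Bearer wrong"}, body, sent_at),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The receiving side should compute the HMAC over the raw request bytes exactly as received, before any JSON parsing or re-serialisation, since any change in whitespace or key order would invalidate the signature.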

10. Breach notification

Upon becoming aware of a personal data breach affecting End Client personal data, the Processor will notify the Controller without undue delay and within 72 hours. The notice will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

11. Audit

The Processor will make available to the Controller, on reasonable request and no more than once per calendar year (or more frequently where required by a supervisory authority or following a material breach), information reasonably necessary to demonstrate compliance with this DPA. The Controller may audit the Processor at its own expense, subject to reasonable confidentiality, scope, and scheduling constraints.

12. Term and termination

This DPA remains in effect for as long as the Processor processes End Client personal data on behalf of the Controller. Upon termination of the Service, the Processor will, at the Controller’s choice, delete or return all End Client personal data within 90 days, unless law requires longer retention.

13. Liability

Each party’s liability under this DPA is subject to the limitation of liability in the Terms of Service.

14. Order of precedence

In the event of conflict, the order of precedence is: (i) this DPA, (ii) the Terms of Service, (iii) the Privacy Policy.

15. Contact

Privacy: support@arktosmarketing.com.


Version 1.0 — drafting baseline. We recommend review by counsel before signing with regulated or enterprise customers.