← Back to Legal & Compliance

Data Processing Agreement (DPA)

1. Parties

Data Controller ("Controller"):
The merchant or e-commerce platform utilising the Armour Cart Recovery API.

Data Processor ("Processor"):
Armour Consortium AI
Contact: hello@armourconsortium.ai

---

2. Purpose of Processing

The Processor provides an AI-powered cart recovery content generation API. Processing is strictly limited to:

• Generating personalised email, SMS, and WhatsApp recovery messages
• Predicting conversion metrics and optimal send times
• Returning content to the Controller for their transmission

The Processor does not send any communications directly. All transmission is the responsibility of the Controller.

---

3. Nature of Processing

Aspect	Detail
Type	Transient processing only
Duration	Milliseconds (generation time only)
Storage	None - data is not persisted after API response
Purpose	Cart recovery content generation

---

4. Categories of Data Processed

The following personal data may be included in API requests:

Category	Data Elements	Purpose
Customer Identifiers	Email address, phone number, first name	Personalisation of recovery content
Transaction Data	Cart ID, order value, currency, product details	Context for message generation
Behavioural Data	Abandonment timestamp, order history, total spent	Tone and urgency calibration
Consent Flags	Marketing preferences (accepts_sms_marketing, accepts_email_marketing)	Compliance enforcement

---

5. Data Retention

The Processor retains NO personal data.

• API requests are processed in memory only
• No database storage of customer PII
• No logging of personal data to files
• Aggregate analytics (non-identifying) retained for service improvement

---

6. Security Measures (Article 32)

The Processor implements appropriate technical and organisational measures:

Measure	Implementation
Encryption in Transit	TLS 1.3 for all API communications
Access Control	x402 cryptographic payment verification
Rate Limiting	220 requests/minute (Global Limit)
Input Validation	Strict schema validation, injection prevention
No PII Storage	Transient processing architecture
Audit Trail	Anonymised request logging only

See Security & Technical Measures for full details.

---

7. Sub-Processors

The Processor engages the following sub-processors for content generation:

Sub-Processor	Purpose	Location	Transfer Mechanism
Anthropic (Claude)	Armour Ensemble processing	USA	Standard Contractual Clauses
Google (Gemini)	Armour Ensemble processing	USA/EU	Standard Contractual Clauses
OpenAI (GPT)	Armour Ensemble processing	USA	Standard Contractual Clauses
xAI (Grok)	Armour Ensemble processing	USA	Standard Contractual Clauses
Coinbase (x402)	Payment facilitation	USA	Standard Contractual Clauses

The Controller is deemed to consent to the use of these sub-processors by virtue of using the API.

See Sub-Processor List for current status.

---

8. Controller Obligations

The Controller warrants that:

1. Lawful Basis: They have a valid lawful basis for processing (consent, legitimate interests, or transactional exemption)
2. Consent Accuracy: The accepts_sms_marketing and accepts_email_marketing flags accurately reflect customer preferences
3. Transmission Responsibility: They are solely responsible for sending any generated content
4. Privacy Notices: Include appropriate disclosures regarding automated messaging services
5. Opt-Out Handling: They honour unsubscribe requests within 10 business days

---

9. Processor Obligations

The Processor commits to:

1. Instructions Compliance: Process data only as instructed via API parameters
2. Confidentiality: Ensure personnel are bound by confidentiality obligations
3. Security: Implement and maintain Article 32 security measures
4. Sub-Processor Management: Ensure sub-processors meet equivalent standards
5. Assistance: Assist Controller with DSARs, DPIAs, and regulatory inquiries
6. Breach Notification: Notify Controller within 72 hours of any personal data breach
7. Deletion: No data to delete as no data is stored

---

10. Data Subject Rights Assistance

Upon Controller request, the Processor will assist with:

Right	Assistance Provided
Access	Confirm no data stored; provide processing description
Erasure	Confirm no data to erase
Rectification	N/A - no stored data to rectify
Portability	N/A - transient processing only
Objection	Guidance on consent flag configuration

---

11. International Transfers

Where personal data is transferred outside the UK/EEA:

• Standard Contractual Clauses (Module 3: Processor to Processor) are in place with all sub-processors
• The UK International Data Transfer Agreement (IDTA) is incorporated where required
• Supplementary measures (encryption, access controls) are implemented

---

12. AI Agent Exemption

For x402 Agentic Traffic:

Where the API is called by autonomous AI agents via the x402 payment protocol:

(a) The agent's principal (wallet owner) may be unidentifiable at request time.

(b) Per EDPB and ICO guidance on AI agents, where the Controller cannot be reasonably identified, the Processor's standard DPA obligations apply to the extent technically feasible.

(c) Agents are deemed to accept this DPA by virtue of API usage.

(d) Agents warrant they have appropriate authority to process the submitted data.

(e) The agent (or its principal, where identifiable) assumes Controller responsibilities including obtaining lawful basis for processing.

(f) No data subject rights requests can be fulfilled against unidentified Controllers; however, as no data is stored, this is moot.

See x402 Exemption Note for details.

---

13. Audit Rights

The Controller may request:

1. Documentation of security measures (provided upon request)
2. Compliance certifications (when available)
3. Sub-processor audit reports (subject to confidentiality)

Physical audits are not feasible due to the cloud-hosted nature of the service. The Processor will provide equivalent assurance documentation.

---

14. Liability

• The Processor's liability is limited to direct damages caused by non-compliance with this DPA
• The Processor is not liable for Controller's misuse of generated content
• The Processor is not liable for transmission of content by the Controller

---

15. Term and Termination

This DPA:

• Comes into effect upon first API usage
• Remains in effect for the duration of API access
• Survives termination to the extent necessary to fulfil ongoing obligations

Upon termination: No data deletion required as no data is stored.

---

16. Governing Law

This DPA is governed by:

• UK Controllers: Laws of England and Wales
• EU Controllers: Laws of the Controller's member state
• Other Controllers: Laws of England and Wales

---

17. Contact

Data Protection Enquiries:
Armour Consortium AI
Email: hello@armourconsortium.ai

By using the Armour Cart Recovery API, the Controller agrees to this Data Processing Agreement.

Last updated: December 2025