ArtAML™ Data Processing Agreement
Last updated 27th August 2025
1. Introduction
This Data Processing Agreement (DPA) forms part of the contract between ArtAML™ Limited and its Clients. It sets out the terms under which ArtAML™ processes personal data on behalf of Clients in providing Anti-Money Laundering (AML) compliance services to Art Market Participants (AMPs). It is designed to ensure compliance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Money Laundering Regulations 2017 (MLRs).
2. Who We Are
ArtAML™ Limited provides Anti-Money Laundering compliance technology to Art Market Participants. We are registered in the United Kingdom and regulated by applicable UK data protection law. For questions about this policy, you can contact [email protected]. You also have the right to raise concerns with the Information Commissioner’s Office (ICO).
3. Definitions
- AML: Anti-Money Laundering.
- AMP: Art Market Participant, as defined in the MLRs.
- CDD: Customer Due Diligence, the process of verifying identity and assessing risk under the MLRs.
- Client: The business or organisation that enters into this Agreement with ArtAML as the Data Controller. The Client determines the purposes and means of processing personal data and instructs ArtAML in its role as Data Processor.
- Controller: The entity that determines the purposes and means of processing personal data.
- Customer: Our Clients’ ‘customers’ in the context of performing Customer Due Diligence (CDD).
- Data Protection Officer (DPO): The person appointed to oversee data protection compliance.
- DPA: This Data Processing Agreement.
- ICO: Information Commissioner’s Office, the UK supervisory authority.
- IDTA: International Data Transfer Agreement approved for UK GDPR international transfers.
- KYC: Know Your Customer, part of the CDD process.
- MLRs: Money Laundering Regulations 2017.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data such as collection, storage, use, disclosure or deletion.
- Processor: The entity that processes personal data on behalf of a Controller.
- Special Categories of Personal Data: Information revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data and data concerning a person’s sex life or sexual orientation.
- Sub-processor: A third party engaged by a Processor to process personal data on behalf of a Controller.
- UBO: Ultimate Beneficial Owner.
- UK GDPR: United Kingdom General Data Protection Regulation.
4. Roles and Responsibilities
ArtAML™ acts as a Processor when handling CDD and KYC data uploaded by or collected on behalf of Clients. ArtAML™ acts as a Controller when handling data relating to platform accounts, billing, analytics and communications. Our Clients act as Controllers and are responsible for ensuring they have a lawful basis for processing and for issuing lawful instructions to ArtAML™.
5. Processing Details
The processing performed under this DPA covers:
- Categories of data subjects: Clients, Clients’ staff and Clients’ Customers
- Types of personal data: identification data, government-issued ID, proof of address, contact details, AML screening data, financial data and technical data
- Duration of processing: while the Client maintains an active subscription with ArtAML™ and for five years under MLRs following completion of a business relationship or occasional transaction
- Nature and purpose: to provide AML compliance technology services, conduct identity verification, enable platform operation, manage billing and fulfil regulatory obligations
6. Purposes, Types of Data and Lawful Basis
The following table summarises processing activities:
| Purpose / Activity | Type of Data | Lawful Basis |
|---|---|---|
| AML CDD/KYC checks | IDs, proofs of address, date of birth, PEP status, UBO data | Legal obligation under MLRs |
| Identity verification via partners | ID images, metadata, verification results | Legal obligation under MLRs |
| Platform account creation and login | Name, email, login credentials, logs | Performance of contract; legitimate interest in security |
| Billing and payments | Contact details, payment records | Performance of contract; legal obligation for accounting |
| Support and service communications | Contact details, correspondence | Performance of contract; legitimate interest in continuity |
| Security monitoring and fraud prevention | Technical logs, IP addresses | Legitimate interest in maintaining integrity |
| Analytics and service improvement | Usage data, error reports | Legitimate interest in improving service |
| Regulatory or law enforcement requests | Relevant personal data | Legal obligation |
7. Obligations of ArtAML™ as Processor
ArtAML™ shall:
- Process personal data only on documented instructions from the Client
- Ensure confidentiality of persons authorised to process personal data
- Implement appropriate technical and organisational measures to protect personal data. These are further described in ArtAML’s Platform Security and Compliance Policy (https://artaml.com/platform-security-and-compliance-policy/), which is incorporated into this Agreement by reference. The measures include physical access controls, system access controls, data access controls, transmission controls, input controls, data backups and data segregation. ArtAML may update these measures from time to time to reflect changes in best practice, applicable law and security standards.
- Assist the Client with data subject rights requests
- Support the Client with data protection impact assessments
- Maintain records of processing activities
8. Sub-processors
ArtAML™ uses sub-processors to deliver services, including:
- Acuity: scheduling
- Backblaze: backup storage
- Auth0: secure login management
- Chargebee: billing
- ComplyAdvantage: PEP and sanctions screening
- Digital Ocean: hosting
- Docupilot: document automation
- DocuSign: e-signatures
- GoCardless: direct debit payments
- Google: business services
- Hubspot: CRM
- Open Corporates: publicly accessible information on companies such as ownership and officers
- RingCentral: telephony
- SendSafely: secure file transfer
- Stripe: payment processing
- Slack: internal communication
- Vimeo: training videos
- Xero: accounting
- Yoti: ID verification
- Zoom: video meetings
9. International Data Transfers
ArtAML™ primarily processes personal data within the United Kingdom. Where personal data is processed or accessed outside the UK, including within the European Economic Area (EEA) or other jurisdictions such as the United States, we shall ensure that appropriate safeguards are in place to protect the data in accordance with applicable data protection law.
For transfers to the EEA, ArtAML™ shall rely on the UK Government’s adequacy decisions or the International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as appropriate.
For transfers to the United States or other jurisdictions not deemed adequate by the UK Government, we shall implement appropriate contractual and organisational safeguards such as SCCs with the UK Addendum or equivalent legally recognised mechanisms.
ArtAML™ will provide clients with details of any material processing or storage of personal data outside the UK on request.
10. Data Retention and Deletion
ArtAML™ will retain CDD data for five years after the end of an occasional transaction or business relationship as required by the MLRs. During an active subscription ArtAML™ stores CDD data on behalf of the Client. After a subscription ends ArtAML™ will securely transfer the data to the Client and delete it from its systems.
11. Data Breach Notification
ArtAML™ will notify the Client without undue delay upon becoming aware of a personal data breach and provide the information necessary to assist with regulatory reporting. This action will be taken as soon as is realistically possible.
12. Audit and Compliance
Clients may request information to demonstrate compliance with this DPA. Clients may conduct audits subject to reasonable notice and limits to protect confidentiality.
13. Liability and Indemnities
ArtAML™’s liability under this DPA is limited to breaches caused by failure to comply with data protection obligations. Clients indemnify ArtAML™ for any claims arising from unlawful instructions or failure to obtain a lawful basis for processing. Liability caps shall be consistent with the underlying SaaS contract.
14. Governing Law and Jurisdiction
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the English courts.
15. Conflict and Precedence
In case of conflict between this DPA and any other agreement, this DPA shall prevail with respect to processing of personal data.
16. Third-Party Rights
No provision of this DPA is intended to confer rights on any third party under the Contracts (Rights of Third Parties) Act 1999.
17. Contact Us and Data Protection Officer
If you have questions about this policy, please contact our DPO Dr. Chris King via [email protected] or via the details outlined on our Contact page.
Annex A: Processing Activities
- Nature and subject matter: provision of AML compliance services.
- Categories of data subjects: Clients, Clients’ staff, Clients’ Customers.
- Categories of personal data: identification data, ID documents, address proofs, PEP/UBO information, contact data, billing data, technical data.
- Duration: as long as necessary to provide services and for five years after completion of an occasional transaction or business relationship.
- Purpose: support compliance with the MLRs and operation of the ArtAML™ platform.