Short version: when you use Argus, we act as a data processor for your customer/transaction data. This DPA describes our obligations as that processor — security, confidentiality, sub-processors, breach notification, and data deletion. A signed copy is available on any plan.
We can countersign a DPA on any plan. Most customers use this template; we accept reasonable redlines.
"Customer" means the entity using the Argus Service under a paid subscription. "Personal Data" means any information about an identified or identifiable natural person processed by Argus on Customer's behalf. "Processing", "Controller", "Processor", and "Sub-processor" have the meanings given in PIPEDA, GDPR, and analogous data-protection laws. "Service" means Argus, the Excel add-in, the API, and related products provided by Argus Software Inc.
Customer is the Controller of the Personal Data processed by Argus. Argus is the Processor, acting only on Customer's documented instructions (which include using the Service as designed). Argus does not control the purposes for which Personal Data is processed.
Reading QuickBooks Online financial reports, transactions, and account metadata to produce health-check signals on Customer's behalf.
The term of the active subscription, plus 30 days after termination for data return / deletion.
Customer's customers (names, contact information, transaction history); Customer's vendors / suppliers (names, contact information, payment history); Customer's employees with access to Argus (names, work email, role).
Names, business email addresses, transaction descriptions, invoice / bill numbers, dollar amounts, dates, GL coding, and free-text memo fields.
Customer authorizes Argus to engage Sub-processors as needed to provide the Service. Current Sub-processors are:
Argus will notify Customer at least 30 days before adding or replacing a Sub-processor. Customer may object on reasonable grounds; if the parties cannot resolve the objection, Customer may terminate the affected Service.
Argus implements the technical and organizational security measures described on our Security page and in Annex A of this DPA, including encryption at rest (AES-256) and in transit (TLS 1.2+), access controls, and regular review.
If Argus becomes aware of a Personal Data Breach, Argus will notify Customer without undue delay (and in any case within 72 hours of discovery). Notification will include the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach.
Personal Data is hosted in Canada (Azure Canada Central). Argus will not transfer Personal Data outside Canada without Customer's instruction. Where transfers are necessary (e.g., a future EU-based Sub-processor), they will be made under standard contractual clauses or another lawful mechanism.
Argus will provide all information reasonably necessary to demonstrate compliance with this DPA. Customer may, at its own cost and on at least 30 days' written notice, audit Argus's processing activities — limited to once per 12 months unless required by law or following a Personal Data Breach. We accept third-party audit reports in lieu of an on-site audit where reasonably available.
On termination of the underlying agreement, Customer may export all Personal Data via the standard export tools. Argus will delete remaining Personal Data within 30 days of the termination effective date, except where retention is required by law (in which case the retained data remains subject to this DPA). On request, Argus will provide written confirmation of deletion.
Each party's liability under this DPA is subject to the liability cap and exclusions in the underlying agreement (Terms of Service).
If there is any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails.
Encryption at rest (AES-256), encryption in transit (TLS 1.2+), application-layer encryption of OAuth tokens (AES-256-GCM with per-environment master key in Azure Key Vault), least-privilege access controls, immutable audit logging, regular access reviews, mandatory two-factor authentication for production access, encrypted backups (90-day retention, in-region), annual third-party penetration test, formal incident response plan, employee onboarding and offboarding procedures including credential rotation. Full detail at argus.app/security.
Questions, signed-DPA requests, or data-subject requests: legal@argus.app.