Data Processing Addendum.

This Data Processing Addendum (“DPA”) forms part of the agreement between Acilox LLP (“Acilox,” “Processor,” “we,” “our”) and the business customer (“Customer,” “Controller”) that purchases Acilox Labs services. It applies where Acilox processes personal data on behalf of Customer under applicable data protection laws.

Definitions

Capitalized terms not defined here have the meanings in the underlying agreement or, where referenced, the EU Standard Contractual Clauses (“SCCs”). “Personal data,” “processing,” “controller,” and “processor” carry the meanings under applicable law.

Subject matter, nature, and purpose of processing

Subject matter: Provision of the Labs services described in the order or subscription. Nature: Hosting, storage, retrieval, support, security monitoring, backups, and related operations. Purpose: To deliver the services Customer configures and to meet our contractual and legal obligations.

Categories of data subjects and data

Depending on Customer’s use, processing may concern Customer’s employees, contractors, and end users, and categories including identifiers, account details, content Customer stores in the service, usage metadata, and support communications. Customer is responsible for the lawfulness of its instructions.

Sub-processors

Customer authorizes Acilox to engage sub-processors to support the services. We maintain an up-to-date list at /trust/sub-processors. We impose data protection terms on sub-processors consistent with this DPA.

Security measures

Acilox implements appropriate technical and organizational measures, including access controls, encryption in transit where supported, logging, and vulnerability management. Further detail may be provided in security documentation or an annex labeled “Annex II” in customer security reviews.

International transfers

Where personal data originating in the EU, UK, or other regions is transferred internationally, we implement appropriate safeguards, including the SCCs incorporated by reference where required, supplemented measures where mandated by case law, and India-permitted mechanisms where applicable.

Audits

On reasonable written request, and subject to confidentiality, we will make available information necessary to demonstrate compliance with this DPA and allow for audits mandated by applicable law, which may be satisfied by third-party certifications or questionnaires where appropriate.

Assistance with data subject requests

We will assist Customer in responding to requests from data subjects, to the extent technically feasible, considering the nature of processing and information available to us.

Breach notification

We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer data, and in any event within 72 hours where feasible, providing information required for Customer to meet its obligations.

Deletion and return

On termination of services, we will delete or return personal data per the service functionality and contract, except where retention is required by law.

Liability

Liability for claims arising from processing under this DPA is subject to the limitations in the main agreement, except where prohibited by applicable law.

How to execute a signed DPA

Customers wishing to execute a signed DPA can request one via privacy@acilox.com. You may also initiate a request through /contact?type=privacy.

Contact us

Privacy and DPA inquiries: privacy@acilox.com. Legal: legal@acilox.com.