How to execute this DPA
- Self-service (recommended for Pro and Growth). Email legal@axiru.com from your billing-of-record address with the subject "DPA countersignature". Include the legal entity name, jurisdiction of incorporation, and the contact email for data-subject requests. We countersign and return a PDF within two business days.
- Click-through (Free shadow-mode tier). The DPA terms below are incorporated by reference into the Terms of Service when a workspace is opened. No separate signature is required for shadow-mode-only workspaces; an executed DPA becomes a prerequisite the moment enforcement is enabled.
- Custom redlines (Scale and above). Send proposed redlines to legal@axiru.com. We aim for first-pass response within five business days.
Roles
Axiru acts as a data processor for personal data the customer routes through the platform (decision payloads, evidence attachments, customer references). The customer is the data controller. Where Axiru independently determines processing purposes (operating the service, billing, security telemetry), Axiru is a controller; those activities are governed by the privacy policy, not by this DPA.
Article 28 obligation map
The mapping below shows where each GDPR Article 28 obligation lives in our document set.
| Obligation | Axiru document | Reference |
|---|---|---|
| Process only on documented controller instructions | DPA §2 (Scope) + Order Form / Terms | GDPR Art. 28(3)(a) |
| Confidentiality of personnel | DPA §4 (Personnel) + Security overview | GDPR Art. 28(3)(b) |
| Security of processing | DPA §5 + /security | GDPR Art. 28(3)(c) + Art. 32 |
| Sub-processor engagement & flow-down | DPA §6 + /subprocessors | GDPR Art. 28(2)/(4) |
| Assistance with data-subject rights | DPA §7 | GDPR Art. 28(3)(e) |
| Personal-data breach notification to the controller | DPA §8 (notification within 72 hours of confirmation) | GDPR Art. 33(2) |
| Assistance with DPIAs | DPA §9 | GDPR Art. 28(3)(f) + Art. 35 |
| Deletion or return of personal data on termination | DPA §10 + /data-retention | GDPR Art. 28(3)(g) |
| Audit rights | DPA §11 (annual SOC 2 + reasonable inspection) | GDPR Art. 28(3)(h) |
| International transfers (EEA/UK → US) | EU SCCs (Module 2) + UK Addendum to the EU SCCs (Annex) | GDPR Ch. V; UK GDPR |
International transfers
- EEA → US: Module 2 (controller-to-processor) of the 2021 EU Standard Contractual Clauses, incorporated by reference. The Annex is auto-populated from the customer's order form.
- UK → US: UK Information Commissioner's Office International Data Transfer Addendum to the EU SCCs, executed alongside.
- Switzerland: EU SCCs apply with Swiss-law modifications: references to GDPR include the Swiss FADP, the FDPIC is the supervisory authority, and Swiss law governs.
- Onward transfers to sub-processors are covered by flow-down DPAs. The current list is at /subprocessors; we give 30 days' advance notice of additions.
Security commitments
The full description lives at /security. Highlights:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Per-tenant logical isolation; secrets encrypted under dedicated KMS-managed keys
- Annual SOC 2 Type II report (in progress; bridge letter available on request)
- Personnel access governed by least-privilege and reviewed quarterly
- Breach notification within 72 hours of confirmation
Retention and deletion
Retention windows per data category are documented in /data-retention. On termination, the controller may instruct return or deletion of personal data; deletion respects the statutory overrides described in that document.
Sub-processors
The current list is published at /subprocessors with an RSS feed for change notifications. Customers may object to a new sub-processor in writing within 30 days of notice; if Axiru cannot provide an alternative, the customer may terminate the affected service component.
Term and termination
This DPA is in force for the duration of the Order Form / Terms of Service it incorporates by reference, and survives termination only to the extent necessary to complete the deletion or return obligations and address residual liability.
Definitions
Capitalized terms not defined here have the meanings given in GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA as applicable, or in our Terms of Service. "Personal data", "processing", "data subject", "controller", and "processor" mirror their GDPR definitions.
Questions?
Email legal@axiru.com for redlines, signing requests, or procurement questions. Email privacy@axiru.com for data-subject requests or sub-processor change notifications.