
Data Processing Agreement

Last updated June 8, 2026

This Data Processing Agreement (“DPA”) sets out the terms under which Crawlog LLC (trading as AxioRank) processes Customer Data as a processor on behalf of the customer (the “Controller”) when providing the Service, in accordance with GDPR Article 28 and equivalent UK and Swiss law. It supplements our Terms of Service and Privacy Policy.

This is a first-draft template for transparency, not legal advice. It should be reviewed by your counsel. To execute a counter-signed copy, contact hi@axiorank.com.

01 Definitions

“Controller,” “Processor,” “Personal Data,” “Processing,” “Data Subject,” and “Sub-processor” have the meanings given in the GDPR. “Customer Data” means Personal Data we process on the Controller’s behalf through the Service. “Data Protection Law” means the EU GDPR, the UK GDPR and Data Protection Act 2018, the Swiss FADP, and other applicable privacy laws. “Standard Contractual Clauses” (“SCCs”) means the clauses approved by the European Commission for transfers to third countries.

02 Roles & scope of processing

For Customer Data, the customer is the Controller and AxioRank is the Processor. We process Customer Data only on the Controller’s documented instructions, including those given through the Service’s configuration, unless required to act otherwise by law (in which case we notify the Controller unless legally prohibited). For account, billing, and website data we act as an independent Controller, as described in our Privacy Policy.

03 Subject-matter of processing

Nature & purpose: providing the Zero-Trust control plane for AI agents — evaluating, governing, and logging agent tool calls and inbound requests. Duration: the term of the agreement plus the retention periods in our Privacy Policy. Data subjects: the Controller’s authorized users and the individuals whose data appears in the Controller’s agent traffic. Categories: identifiers, usage and connection data, and any Personal Data contained in tool-call payloads (which the Service redacts at write time).

04 Processor obligations

  • process Customer Data only on the Controller’s documented instructions;
  • ensure personnel authorized to process Customer Data are bound by confidentiality;
  • implement the technical and organizational measures described below;
  • assist the Controller, taking into account the nature of processing, with data-subject requests and with its obligations under Articles 32–36 (security, breach notification, and DPIAs);
  • engage Sub-processors only under the conditions in this DPA; and
  • make available the information needed to demonstrate compliance.

05 Security measures (Article 32)

We maintain administrative, technical, and organizational safeguards including encryption in transit and at rest, least-privilege and role-based access controls, tenant isolation, secret management, write-time redaction of secrets and personal data in logs, a tamper-evident audit ledger, and continuous monitoring. These mirror the measures in our Privacy Policy.

06 Sub-processors

The Controller provides a general authorization for AxioRank to engage the Sub-processors listed at axiorank.com/subprocessors, each bound by data-protection terms no less protective than this DPA. We will notify the Controller of intended changes and give the Controller the opportunity to object on reasonable data-protection grounds.

07 International data transfers

Where processing involves transferring Personal Data out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties rely on the appropriate SCCs (EU Module Two or Three as applicable), the UK International Data Transfer Addendum, and the Swiss addendum, which are incorporated by reference. See International data transfers.

08 Assisting with data-subject requests

Taking into account the nature of the processing, we assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise data-subject rights. The Service provides self-service export and deletion that the Controller can use directly.

09 Personal-data breach notification

We notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Data, and provide the information reasonably available to help the Controller meet its own notification obligations.

10 Return & deletion of Customer Data

On termination, and at the Controller’s choice, we delete or return Customer Data and delete existing copies except where retention is required by law. Customer Data is otherwise deleted in accordance with the retention periods in our Privacy Policy and the Controller’s configured data-retention settings.

11 Audits

We make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and security conditions.

12 Precedence & governing law

In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails. This DPA is governed by the law stated in the Terms of Service.

13 How to execute

To request a signed copy of this DPA, or with any questions, contact us:

Crawlog LLC (trading as AxioRank)
30 N Gould St, Ste R
Sheridan, WY 82801
United States
hi@axiorank.com