Data Processing Addendum (DPA)

Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and THEAX LTD (Company No. 11980590), trading as Axel Up and A.X.E.L Portal ("Processor") for the provision of A.X.E.L Portal services.

This DPA governs the processing of personal data on behalf of Controller pursuant to the UK General Data Protection Regulation (UK GDPR), EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.

Definitions

Terms used in this DPA have the meanings given in the GDPR unless otherwise defined:

• "Controller" means you, the customer using A.X.E.L Portal services
• "Processor" means THEAX LTD and its authorized sub-processors
• "Data Subject" means your customers and end-users whose personal data is processed
• "Personal Data" means any information relating to an identified or identifiable natural person processed through A.X.E.L Portal
• "Processing" has the meaning given in Article 4(2) of the GDPR

Controller and Processor Roles

Controller Responsibilities (You)

As the Controller, you:

• Determine the purposes and means of processing personal data
• Are responsible for obtaining lawful basis for processing
• Must obtain appropriate consents from data subjects where required
• Are responsible for providing privacy notices to data subjects
• Must ensure accuracy and adequacy of personal data provided to us
• Handle data subject rights requests (with our assistance where needed)

Processor Responsibilities (Us)

As the Processor, we:

• Process personal data solely on your documented instructions
• Implement appropriate technical and organizational security measures
• Assist with data subject rights requests
• Notify you of personal data breaches without undue delay
• Assist with data protection impact assessments when required
• Delete or return personal data upon termination of services

Subject Matter and Duration of Processing

Subject Matter

The subject matter of processing is the provision of A.X.E.L Portal lead and job management services, including but not limited to lead tracking, quote generation, invoice management, expense tracking, and business communications.

Duration

Processing will continue for the duration of your A.X.E.L Portal subscription and for up to 90 days thereafter to allow for data export and account closure procedures.

Nature and Purpose of Processing

We process personal data to provide the following services:

• Lead Management: Storing and organizing customer leads, contact information, and project details
• Quote and Invoice Generation: Creating and managing quotes, invoices, and payment records
• Communication Services: WhatsApp Business API integration for customer communications
• AI Features: Voice-to-text processing for leads, quotes, and invoices (voice data deleted immediately after processing)
• Business Analytics: Generating reports and insights on business performance
• Payment Processing: Processing subscription payments and managing billing information
• Technical Operations: System maintenance, security monitoring, and technical support

Types of Personal Data Processed

We may process the following categories of personal data on your behalf:

• Contact Information: Names, email addresses, phone numbers, postal addresses
• Business Information: Company names, job titles, business addresses
• Project Data: Service requests, project descriptions, specifications, timelines
• Financial Information: Quote amounts, invoice details, payment preferences
• Communication Records: WhatsApp messages, email communications, notes, call logs
• Voice Recordings: Temporarily processed for speech-to-text conversion (immediately deleted after processing)
• Technical Data: IP addresses, device information, usage analytics (where relating to identifiable individuals)

Categories of Data Subjects

Personal data processed may relate to:

• Your Customers: Individuals who have requested quotes or services from your business
• Prospective Customers: Leads and enquiries received through various channels
• Business Contacts: Suppliers, contractors, and other business relationships
• Your Team Members: Employees and contractors using A.X.E.L Portal on your behalf

Processor Obligations

Processing Instructions

We will process personal data solely on your documented instructions, including:

• The initial instructions set out in your service agreement
• Any additional written instructions you provide through the platform
• Instructions necessary to comply with applicable law

If we believe an instruction violates applicable data protection law, we will inform you immediately.

Security Measures

We implement appropriate technical and organizational measures including:

• Encryption: Data encrypted in transit (TLS) and at rest (AES-256 via Cloudflare infrastructure)
• Access Controls: Role-based access, multi-factor authentication, and principle of least privilege
• Infrastructure Security: Cloudflare security services, DDoS protection, and secure hosting
• Regular Audits: Security monitoring, vulnerability assessments, and compliance reviews
• Staff Training: Regular data protection and security training for all personnel
• Data Minimization: Processing only personal data necessary for service provision

Sub-Processor Management

We may engage sub-processors to assist with service delivery. Our current sub-processors are listed at axelup.dev/sub-processors.

• All sub-processors are bound by data protection obligations equivalent to this DPA
• We remain fully liable for sub-processor compliance
• You will be notified of any changes to our sub-processor list with 30 days' notice
• You may object to new sub-processors on reasonable data protection grounds

Data Subject Rights Assistance

We will assist you in responding to data subject rights requests by:

• Providing access to personal data within our systems
• Implementing corrections to inaccurate data
• Enabling data deletion or restriction of processing
• Facilitating data portability through standard export formats
• Responding to requests within 72 hours of receipt

Data Breach Notification

In the event of a personal data breach, we will:

• Notify you without undue delay and in any event within 72 hours of becoming aware
• Provide details of the breach, affected data categories, and potential consequences
• Describe measures taken to contain and remedy the breach
• Assist with any required notifications to supervisory authorities or data subjects
• Cooperate fully with breach investigation and response efforts

Controller Obligations

As Controller, you must:

• Ensure you have lawful basis for all processing activities
• Obtain necessary consents and provide appropriate privacy notices
• Only provide personal data that is accurate, relevant, and necessary
• Inform us promptly of any errors or required corrections
• Handle data subject rights requests (we will assist where needed)
• Conduct data protection impact assessments where required
• Comply with data retention requirements relevant to your business

International Data Transfers

Some of our sub-processors are located outside the UK and EU. When personal data is transferred internationally, we ensure appropriate safeguards through:

• Standard Contractual Clauses: EU-approved SCCs with all international sub-processors
• Additional Safeguards: Technical measures including encryption and access controls
• Transfer Impact Assessments: Regular review of transfer risks and safeguards
• Data Localization: Where possible, processing data within UK/EU boundaries

Data Return and Deletion

Upon termination of services or upon request, we will:

• Provide you with copies of all personal data in standard formats (CSV, JSON, PDF)
• Allow a 90-day grace period for data export and transition
• Permanently delete all personal data from our systems after the grace period
• Provide written confirmation of deletion upon request
• Exception: Data required for legal or regulatory compliance may be retained

Audit Rights

You have the right to audit our compliance with this DPA through:

• Documentation Review: Access to relevant policies, procedures, and certifications
• Questionnaires: Annual compliance questionnaires and security assessments
• Third-Party Audits: Independent security audits and compliance reports
• On-Site Audits: By mutual agreement and at your expense, with reasonable notice

Audit requests must be reasonable in scope and frequency, and conducted in a manner that does not disrupt our operations.

Liability and Indemnification

Each party will be liable for damages caused by its breach of this DPA, subject to the liability limitations in our main service agreement.

You will indemnify us against claims arising from:

• Your failure to have lawful basis for processing
• Your failure to provide adequate privacy notices
• Processing instructions that violate applicable law
• Inaccurate or unlawful personal data you provide to us

Amendments and Termination

This DPA may be amended by mutual written agreement. We may make unilateral amendments to comply with applicable law, providing 30 days' notice.

This DPA remains in effect for the duration of our service agreement and any subsequent data retention period.

Governing Law

This DPA is governed by English law and subject to the exclusive jurisdiction of the English courts.

Contact Information

Data Protection Contact:
Email: dpo@axelup.dev
Post: Data Protection Contact, THEAX LTD, 3 Crompton Street, Bury, BL9 0AD