Data Processing Agreement

This DPA applies when Aexiz processes personal data on behalf of customers

1. Definitions

• "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Processor" means the entity that processes Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Data Subject" means the individual whose Personal Data is processed.
• "Sub-processor" means any third party engaged by Processor to process Personal Data.

2. Scope and Roles

2.1 Applicability

This DPA applies when:

• Customer is a Controller of Personal Data
• Aexiz processes such data as a Processor on Customer's behalf

2.2 Data Processing Role

Aexiz acts as both Controller and Processor, depending on the service:

• Controller: For account management, billing, and direct customer relationships
• Processor: When processing customer data according to customer instructions

2.3 Services Covered

This DPA applies to: ZTA-AI, Kyros, 24LLM, AISL

3. Processor Obligations

Aexiz shall:

3.1 Processing Instructions

• Process Personal Data only on documented instructions from Customer
• Inform Customer if instructions violate applicable law

3.2 Confidentiality

• Ensure personnel are bound by confidentiality obligations
• Limit access to personnel who need it to perform Services

3.3 Security Measures

Implement appropriate technical and organizational measures including:

• Encryption at rest (AES-256)
• Encryption in transit (TLS 1.3)
• Access controls and authentication
• Quarterly penetration testing
• Annual vulnerability scanning
• Incident detection and response procedures

3.4 Sub-processor Management

• Use Sub-processors only with Customer consent
• Notify Customer 30 days before adding Sub-processors
• Impose data protection obligations on Sub-processors
• Remain liable for Sub-processor compliance

3.5 Data Subject Rights

• Assist Customer in responding to Data Subject requests
• Notify Customer promptly of any requests received
• Process deletion requests within 24 hours

3.6 Security Incidents

Notify Customer without undue delay (within 72 hours) of any Personal Data breach, providing:

• Nature of the breach
• Categories and approximate number of Data Subjects affected
• Likely consequences
• Measures taken or proposed

3.7 Deletion/Return

Upon termination of Services:

• Delete or return all Personal Data (as Customer chooses)
• Delete existing copies within 30 days unless legally required
• Deletion of active data within 7 business days
• Certify deletion upon request

4. Controller Obligations

Customer shall:

• Ensure lawful basis for Processing
• Provide accurate Processing instructions
• Fulfill transparency obligations to Data Subjects
• Obtain necessary consents where required
• Respond to Data Subject requests

5. Sub-processors

5.1 Current Sub-processors

Note: Self-hosted AI models may be used based on client's requirements.

6. International Transfers

6.1 Data Storage Locations

• Primary: Singapore, India
• Backups: European Union

Customers can choose their preferred data storage region.

6.2 Transfer Mechanisms

• Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Other lawful transfer mechanisms

7. Audits

7.1 Audit Rights

Customer may audit Aexiz compliance with this DPA by:

• Requesting and reviewing audit reports (when available)
• Submitting written questions
• Conducting on-site audits with 30 days notice

7.2 Conditions

• Audits at Customer's expense
• Not more than once per year (except for material concerns)
• Subject to confidentiality obligations

8. Duration and Termination

• This DPA is effective for the duration of the Service Agreement
• Provisions relating to return/deletion survive termination
• Indemnification obligations survive termination

9. Contact

Data Protection Contact: privacy@aexiz.com