Data Processing Agreement (DPA)
Effective: April 12, 2026 · GDPR Article 28 Compliant
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between AKAXA Limited (“Processor”) and the Customer (“Controller”) who uses the AKAXA Services. In the event of a conflict between the Terms of Service and this DPA regarding personal data processing, this DPA shall prevail.
This DPA complies with GDPR, UK Data Protection Act 2018, Swiss Federal Data Protection Act, CCPA/CPRA, and other applicable data protection laws.
1. Subject Matter and Duration
AKAXA processes personal data on behalf of the Controller solely to provide the Services as described in the Terms of Service, for the duration of the subscription.
2. Nature and Purpose of Processing
AKAXA processes personal data to: (a) provide AI-powered due diligence analysis; (b) operate and maintain the platform; (c) provide technical support; (d) comply with legal obligations.
3. Categories of Data and Data Subjects
Data Subjects: employees and representatives of the Controller and its portfolio companies, deal targets, and other individuals whose data may be included in uploaded documents.
Data Types: account information (name, email, phone, company, job title), company financial and operational data, usage data, communication data, and technical data.
4. Processor Obligations (GDPR Art. 28(3))
AKAXA shall:
- Process personal data only on documented instructions from the Controller
- Ensure that authorized personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (Art. 32)
- Not engage sub-processors without prior written authorization
- Assist the Controller in responding to data subject rights requests
- Assist with security breach notification (Art. 33/34) within 72 hours
- Delete or return personal data upon termination of services
- Provide all information necessary to demonstrate compliance
5. AI Data Processing & Zero Data Retention
AKAXA shall not:
- Use Customer personal data for any purpose other than providing Services
- Train, fine-tune, enhance, or develop machine learning models on Customer personal data, whether for third-party access or for general model improvement, without explicit written consent
- Combine Customer data with data from other customers (except aggregated, de-identified benchmarking)
- Sell personal data or use it for behavioral targeting or profiling
Sub-processors providing AI services are contractually prohibited from retaining User Data beyond the processing session (Zero Data Retention). AI partners process data through enterprise-grade APIs that do not use Customer data for model training.
6. Authorized Sub-processors
| Sub-Processor | Location | Function |
|---|---|---|
| Railway | USA | Cloud infrastructure, hosting |
| Anthropic | USA | AI/LLM analysis (Zero Data Retention) |
| Cloudflare | USA/EU | CDN, DDoS protection, R2 storage |
| Resend | USA | Email delivery |
| Sentry | USA | Error monitoring (anonymized) |
| Stripe | USA | Payment processing |
AKAXA will notify the Controller of intended sub-processor changes with at least 30 days' notice, giving the Controller the opportunity to object. All sub-processors have signed Data Processing Agreements with equivalent security requirements.
7. International Transfers
EU → Hong Kong SAR: Transfers from the EU/EEA to AKAXA in Hong Kong SAR are protected by Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission under GDPR Article 46.
Hong Kong SAR → US: Secondary transfers to US-based sub-processors are protected by Standard Contractual Clauses (Module 3: Processor to Processor) as adopted by the European Commission.
8. Security Measures (Art. 32)
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- API keys encrypted using Fernet symmetric encryption
- Role-based access controls (RBAC) with principle of least privilege
- Multi-factor authentication for all administrative access
- Comprehensive audit logging of all data access events
- Real-time monitoring and automated alerting for suspicious activity
- Regular security assessments and penetration testing
- Incident response procedures with 72-hour breach notification
- Logical data isolation: each Customer's data is processed in an isolated environment
9. Data Subject Rights
AKAXA will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, objection, restriction) within 5 business days. AKAXA does not engage in automated individual decision-making with legal effects under GDPR Article 22. All Analysis Reports are advisory and require independent human judgment.
10. Breach Notification
AKAXA notifies the Controller without undue delay and no later than 72 hours after becoming aware of a confirmed data breach. Notification includes: a description of the breach, the approximate number of affected records, the likely impact, and the measures taken to mitigate harm.
11. Termination
Upon termination, AKAXA will, at the Controller's election, delete or return all personal data within 30 days, and certify deletion in writing. Backup copies are deleted after an additional 90 days. Electronic files are destroyed using methods that render recovery impossible.
12. Audit Rights
Customer may request audits or inspections of AKAXA's processing (up to one full audit per calendar year). AKAXA is pursuing SOC 2 Type I certification (expected Q4 2026). Prior to certification, AKAXA provides an Internal Security Self-Assessment Report upon request.
Enterprise DPA Execution
Enterprise customers requiring a countersigned DPA for compliance purposes should contact legal@akaxa.io. A countersigned PDF version is available upon request.
Contact
AKAXA Limited · Hong Kong SAR
Legal: legal@akaxa.io
DPA inquiries: dpa@akaxa.io
Data Protection Officer: dpo@akaxa.io