Data Processing Agreement (DPA)
Effective: March 25, 2026 · GDPR Article 28 Compliant
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between AKAXA Limited (“Processor”) and the enterprise customer (“Controller”) who uses the AKAXA Service. This DPA is incorporated into and subject to the Terms of Service.
This DPA applies to enterprise customers processing personal data of EU/EEA data subjects through the AKAXA platform in accordance with GDPR Article 28.
1. Subject Matter and Duration
AKAXA processes personal data on behalf of the Controller solely to provide the Service as described in the Terms of Service, for the duration of the subscription.
2. Nature and Purpose of Processing
AKAXA processes personal data to: (a) provide AI-powered due diligence analysis; (b) operate and maintain the platform; (c) provide technical support; (d) comply with legal obligations.
3. Categories of Data Subjects
Employees and representatives of the Controller and its portfolio companies, deal targets, and other individuals whose data may be included in uploaded documents.
4. Types of Personal Data
Business contact information, professional details, and any personal data contained in documents uploaded by the Controller for analysis.
5. Processor Obligations (GDPR Art. 28(3))
AKAXA shall:
- Process personal data only on documented instructions from the Controller
- Ensure that authorized personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (Art. 32)
- Not engage sub-processors without prior written authorization
- Assist the Controller in responding to data subject rights requests
- Assist with security breach notification (Art. 33/34)
- Delete or return personal data upon termination of services
- Provide all information necessary to demonstrate compliance
6. Authorized Sub-processors
The Controller authorizes AKAXA to use the following sub-processors:
- Anthropic, Inc. (USA) — AI analysis processing
- Perplexity AI, Inc. (USA) — web research enrichment
- Cloudflare, Inc. (USA) — CDN, WAF, object storage
- Railway Corporation (USA) — application hosting
- Resend, Inc. (USA) — email delivery
- Functional Software, Inc. (Sentry) (USA) — error monitoring
AKAXA will notify the Controller of intended sub-processor changes with at least 14 days' notice, giving the Controller the opportunity to object.
7. International Transfers
Transfers of personal data to sub-processors outside the EEA are protected by Standard Contractual Clauses (SCCs), Module 2, as adopted by European Commission Decision 2021/914.
8. Security Measures (Art. 32)
AKAXA implements the following technical and organizational measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- API key encryption using Fernet symmetric encryption
- Role-based access controls and least-privilege principles
- Regular security assessments and penetration testing
- Incident response procedures with 72-hour breach notification
- Data minimization — AI providers receive only necessary data, no PII where avoidable
9. Data Subject Rights
AKAXA will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, objection) within 5 business days of receiving the request.
10. Termination
Upon termination, AKAXA will, at the Controller's election, delete or return all personal data within 30 days, and certify deletion in writing.
Enterprise DPA Execution
Enterprise customers requiring a countersigned DPA for compliance purposes should contact legal@akaxa.io. A countersigned PDF version is available upon request.
Contact
AKAXA Limited · Hong Kong SAR
Legal: legal@akaxa.io
Privacy / DPO: privacy@akaxa.io