Data Processing Agreement (DPA)

Effective Date: March 16, 2025

This Data Processing Agreement ("DPA") is entered into between Panoraxis AI ("Processor") and the entity using its services ("Controller") in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and other relevant privacy laws.

1. Definitions

1.1 Personal Data

Any information relating to an identified or identifiable natural person.

1.2 Processing

Any operation performed on Personal Data, including collection, storage, use, modification, disclosure, or deletion.

1.3 Controller

The entity determining the purposes and means of processing Personal Data.

1.4 Processor

The entity processing Personal Data on behalf of the Controller.

1.5 Data Subject

The natural person to whom the Personal Data relates.

1.6 Sub-Processor

Any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Roles

2.1 Role of Parties

Controller engages Processor to process Personal Data in accordance with the terms of this DPA.

2.2 Types of Data Processed

  • User account data (e.g., names, email addresses, phone numbers)
  • Communications data (e.g., chatbot interactions)
  • Payment details (if applicable)
  • Other business-specific data as required

2.3 Processing Purposes

Processor shall process Personal Data only for the following purposes:

  • Providing AI-driven services (e.g., chatbots, automation tools)
  • Enhancing and securing services
  • Complying with legal and contractual obligations

2.4 Duration of Processing

Processing shall continue for the duration of the Controller's use of Processor's services unless otherwise agreed.

3. Obligations of Processor

3.1 Lawful Processing

Processor shall process Personal Data only in accordance with applicable laws, this DPA, and the Controller's documented instructions.

3.2 Security Measures

  • Encrypt Personal Data in transit and at rest (TLS 1.2+, AES-256)
  • Implement access controls and multi-factor authentication (MFA)
  • Maintain a least-privilege access policy
  • Regularly test and audit security practices

3.3 Confidentiality

Processor ensures that personnel processing Personal Data are subject to strict confidentiality obligations.

3.4 Sub-Processors

  • Processor shall engage sub-processors only with prior authorization from Controller.
  • Sub-processors must comply with equivalent data protection obligations.

3.5 Data Subject Rights

Processor shall assist Controller in fulfilling requests from Data Subjects, including:

  • Right to access, rectify, or delete Personal Data
  • Right to data portability and restriction of processing
  • Right to object to automated decision-making

4. Obligations of Controller

4.1 Lawful Basis

Controller must ensure that all Personal Data processed has a lawful basis under applicable data protection laws.

4.2 Instructions

Controller shall provide documented processing instructions to Processor.

4.3 Accuracy of Data

Controller is responsible for ensuring the accuracy and legality of Personal Data provided.

4.4 Notification of Changes

Controller must inform Processor of any changes in data processing requirements.

5. Data Breach Notification

5.1 Incident Response

  • Processor shall implement an incident response plan to detect and respond to data breaches.
  • Breaches will be assessed and classified by severity.

5.2 Notification Obligations

  • Processor shall notify Controller of any Personal Data breach without undue delay (within 72 hours if required under GDPR).
  • Notification shall include:
    • Nature and scope of the breach
    • Categories and number of affected Data Subjects
    • Mitigation and remediation measures taken

6. International Data Transfers

6.1 Compliance with Transfer Laws

Processor shall ensure data transfers comply with applicable laws (e.g., Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement, or equivalent safeguards).

6.2 Data Hosting

Personal Data is processed and stored in secure data centers within the EEA, UK, or other approved jurisdictions.

7. Audits and Compliance

7.1 Audit Rights

Controller may audit Processor's compliance with this DPA once per year, subject to reasonable notice.

7.2 Regulatory Compliance

  • Processor shall maintain records of data processing activities.
  • Processor shall cooperate with data protection authorities as required.

8. Data Retention and Deletion

8.1 Retention Policy

Personal Data shall be retained only as long as necessary for processing purposes.

8.2 Deletion Upon Termination

Upon termination of services, Processor shall delete or return all Personal Data unless legal obligations require retention.

9. Liability and Indemnification

9.1 Liability Limitation

Processor's liability for breaches of this DPA is limited to direct damages, except in cases of gross negligence or intentional misconduct.

9.2 Indemnification

Processor shall indemnify Controller against third-party claims arising from Processor's non-compliance with this DPA.

10. Termination

10.1 Termination Rights

Either party may terminate this DPA if the other party materially breaches its terms.

10.2 Effect of Termination

Processor shall cease all processing activities and ensure data is securely deleted or returned.

11. Governing Law and Jurisdiction

11.1 Governing Law

This DPA is governed by the laws of England and Wales.

11.2 Dispute Resolution

  • Parties shall attempt to resolve disputes through negotiation.
  • If unresolved, disputes shall be settled in the courts of England and Wales.

12. Amendments

12.1 Right to Modify

Processor reserves the right to update this DPA with prior written notice to Controller.

12.2 Notification of Changes

Controller will be notified of material changes via email or an official notice.

Contact Information

For questions regarding this DPA, contact our Data Protection Officer (DPO) at privacy@panoraxis.tech.

Last updated: March 16, 2025

If you have any questions about this Data Processing Agreement, please contact us at privacy@panoraxis.tech.