Data Processing Addendum.
Introduction
This Data Processing Addendum (“DPA”) forms part of the Terms between HemanthVA Ventures LTD, a Scottish limited company registered in Glasgow (“Authex,” “Processor”), and the entity using the Authex email security platform (“Customer,” “Controller”).
It applies automatically where the Customer processes personal data of individuals located in the UK, EEA, or Switzerland through the Service. It is intended to support compliance with the UK GDPR, EU GDPR (Regulation 2016/679), the Swiss FADP, and the CCPA, as applicable.
Definitions
- Terms such as “Personal Data,” “Data Subject,” “Controller,” “Processor,” and “Personal Data Breach” have the meaning given in the UK GDPR and EU GDPR.
- “Sub-processor” means a third party Authex engages to help process Personal Data.
- “Data Protection Laws” means all applicable data-protection laws, including the UK GDPR, EU GDPR, FADP, and CCPA.
Roles
Customer is the Controller of Personal Data processed through the Service. Authex is the Processor and acts on Customer's documented instructions. For publicly available DNS data Authex acts as an independent Controller, since such data is not Personal Data belonging to the Customer.
Processing Details
Purpose: operate the Service (account management, domain scanning and monitoring, DMARC report processing, support, and billing).
Duration: for the term of the Terms, plus the deletion period below.
Personal Data: contact details (name, email), company info, hashed credentials, IP addresses and user-agent strings, usage events, DMARC aggregate metadata (sending IPs, volume counts, authentication results), and support communications.
Data Subjects: Customer's employees and authorised users, and individuals whose IP addresses appear in DMARC aggregate reports.
Authex's Obligations
- Instructions. Process Personal Data only on Customer's documented instructions, unless required otherwise by law (in which case Authex will inform Customer first, where permitted).
- Confidentiality. Restrict access to Personal Data to authorised personnel under confidentiality obligations.
- Security. Maintain appropriate technical and organisational measures (see Security section).
- Sub-processors. Use only sub-processors authorised under the section below.
- Assistance. Provide reasonable assistance with Data Subject requests, breach notifications, and impact assessments.
- Deletion or return. On termination, delete or return Customer Personal Data within the period set out below, subject to legal retention.
- Audit information. Provide information reasonably necessary to demonstrate compliance with this DPA in response to written audit requests, no more than once per year. On-site audits and physical inspections are not currently supported.
Sub-processors
Customer authorises Authex to engage the sub-processors listed below to help operate the Service. Authex imposes contractual obligations on each sub-processor that are no less protective than this DPA and remains responsible to Customer for their performance.
| Sub-processor | Country | Purpose |
|---|---|---|
| Cloud infrastructure and hosting | European Union | Application, database, and queue hosting. Specific provider disclosed under NDA on DPA signing. |
| Off-site backup storage | European Union / United States | Encrypted, customer-key-isolated backups. Specific provider disclosed under NDA on DPA signing. |
| Stripe, Inc. | United States | Payments and subscription billing |
| Microsoft Corporation | United States | Transactional email delivery |
| Google LLC | United States | Web analytics (consent-gated) |
| PostHog, Inc. | United States | Product analytics (consent-gated) |
We will give at least 30 days' notice before adding or replacing a sub-processor. You may object in writing within 14 days. If we cannot offer an alternative, either party may terminate the affected part of the Service on 30 days' notice.
Security
Authex maintains appropriate technical and organisational measures to protect Personal Data, including encryption in transit and at rest, role-based access control with least privilege, organisation-scoped data isolation, rate limiting, backups with encrypted off-site storage, access logging, and secure development practices.
Personal Data Breach
Authex will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature and scope of the breach, the likely consequences, the measures taken, and a contact point, to the extent the information is available.
Data Subject Rights
Authex provides export and deletion functionality in the Service so Customer can respond to Data Subject requests directly. Where a request cannot be fulfilled through the Service, Authex will provide reasonable assistance within 30 days. If Authex receives a request from a Data Subject directly, it will redirect the request to Customer and notify Customer.
International Transfers
Some sub-processors are based outside the UK and EEA. For transfers from the UK, EEA, or Switzerland to countries without an adequacy decision, Authex relies on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, together with appropriate supplementary measures.
Term and Deletion
This DPA runs for the term of the Terms. On termination, Customer Personal Data is available for export for 30 days. After that, unless Customer requests otherwise, Authex will delete Customer Personal Data within 90 days, subject to any legal retention obligation. Authex will confirm deletion in writing if asked.
Data Protection Contact
Authex has not formally appointed a Data Protection Officer under UK GDPR / EU GDPR Article 37. For all data-protection matters, including Data Subject requests and breach correspondence, contact privacy@authexlabs.com.
Contact
- Email: legal@authexlabs.com
- Post: HemanthVA Ventures LTD, Clyde Offices, 2nd Floor, 48 West George Street, Glasgow G2 1BP, Scotland, United Kingdom