Data Processing Agreement

Last updated: July 2026 · Compliant with UK GDPR Article 28 and EU GDPR Article 28

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller

The customer entity that has entered into a subscription agreement with GLLUZ LTD for access to the Axidex platform ("Controller" or "you").

Data Processor

GLLUZ LTD, a company registered in England and Wales, operating the Axidex platform at axidex.ai ("Processor" or "we").

This DPA forms part of and is incorporated into the Axidex Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

2. Definitions

  • "Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any equivalent EU legislation that applies to the Controller's operations.
  • "Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to or generates through the Axidex platform.
  • "Processing" has the meaning given under UK GDPR Article 4(2).
  • "Sub-Processor" means any third party engaged by GLLUZ LTD to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

3. Subject Matter and Duration

GLLUZ LTD processes Personal Data on behalf of the Controller solely to provide the Axidex platform and services described in the Terms of Service. Processing commences on the date the Controller creates an account and continues until the subscription is terminated and Personal Data is deleted in accordance with Section 10.

4. Nature and Purpose of Processing

Processing activities carried out on behalf of the Controller include:

  • Storing and retrieving account data (names, email addresses, company information) to provide platform access.
  • Processing prospect and contact data entered by or generated for the Controller, including names, email addresses, job titles, LinkedIn profiles, and phone numbers.
  • Generating AI-powered outreach emails using prospect data provided by or identified for the Controller.
  • Running signal detection queries against publicly available web sources to identify buying signals relevant to the Controller's target market.
  • Storing email sequences, automation rules, and CRM integration data configured by the Controller.
  • Processing payment and billing information in connection with the subscription.

5. Categories of Personal Data and Data Subjects

Categories of Personal Data:

  • Identity data: full name, job title, LinkedIn profile URL
  • Contact data: email address, phone number, business address
  • Account data: username, password hash, subscription tier, usage history
  • Prospect data: names, titles, email addresses, and LinkedIn profiles of third parties identified through the platform
  • Payment data: billing name, address, and last four digits of payment card (full card data is processed by Stripe, not stored by GLLUZ LTD)

Categories of Data Subjects:

  • Controller's employees and authorised users of the platform
  • Third-party business contacts and prospects whose data is processed through the platform

6. Controller Obligations

The Controller warrants and undertakes that:

  • It has a valid lawful basis under Applicable Data Protection Law for all Personal Data submitted to or generated through the Axidex platform.
  • It has provided or will provide all required notices to Data Subjects regarding processing carried out through the Axidex platform.
  • It will comply with all obligations imposed on it as a data controller under Applicable Data Protection Law.
  • It will ensure that any instructions it gives to GLLUZ LTD comply with Applicable Data Protection Law.
  • It will not instruct GLLUZ LTD to process Personal Data in a manner that would violate Applicable Data Protection Law.

7. Processor Obligations

GLLUZ LTD shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures as described in Section 8.
  • Not engage Sub-Processors without prior general or specific written authorisation from the Controller, and update the Sub-Processor list in Section 9 when changes are made.
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law.
  • Assist the Controller in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations.
  • At the Controller's election, delete or return all Personal Data upon termination of the service.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.
  • Notify the Controller without undue delay if GLLUZ LTD receives an instruction that, in its opinion, infringes Applicable Data Protection Law.

8. Technical and Organisational Security Measures

GLLUZ LTD implements the following measures to protect Personal Data:

  • Encryption in transit — all data transmitted between clients and servers uses TLS 1.3.
  • Encryption at rest — database storage encrypted using AES-256.
  • Access controls — row-level security policies ensure users can only access their own data. Admin access restricted to authorised personnel.
  • Authentication — multi-factor authentication available; session tokens are short-lived and rotated.
  • Infrastructure security — platform hosted on Vercel (edge network) and Supabase (managed PostgreSQL), both of which maintain SOC 2 Type II certifications.
  • Penetration testing and security reviews — periodic security assessments conducted on the platform.
  • Incident response — documented breach response procedures with defined escalation paths.

9. Authorised Sub-Processors

The Controller authorises GLLUZ LTD to engage the following Sub-Processors. GLLUZ LTD will impose data protection obligations on each Sub-Processor equivalent to those in this DPA and remains liable for their compliance.

| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Vercel Inc. | Platform hosting and edge network | USA (EU/UK adequacy) |
| Supabase Inc. | Database and authentication | EU (eu-west-1) |
| Stripe Inc. | Payment processing | USA (EU/UK adequacy) |
| Resend Inc. | Transactional email delivery | USA (SCCs in place) |
| OpenRouter Inc. | AI email generation (pseudonymised input) | USA (SCCs in place) |
| Groq Inc. | AI assistant and signal classification | USA (SCCs in place) |
| Vercel Analytics | Platform usage analytics (aggregated) | USA (EU/UK adequacy) |

GLLUZ LTD will provide 30 days' written notice before engaging a new Sub-Processor. The Controller may object to a new Sub-Processor by notifying us at privacy@axidex.ai within 14 days of receiving the notice.

10. International Data Transfers

Where Personal Data is transferred to Sub-Processors located outside the UK or EEA, GLLUZ LTD ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO) or the European Commission, or reliance on an adequacy decision. Details of the transfer mechanism used for each Sub-Processor are available upon request at privacy@axidex.ai.

11. Personal Data Breach Notification

GLLUZ LTD will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting the Controller's data. Notification will be sent to the email address registered on the Controller's account and will include: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to address it.

12. Data Subject Rights

GLLUZ LTD will, to the extent technically feasible, assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, portability, restriction, objection). Where a Data Subject contacts GLLUZ LTD directly, we will promptly forward the request to the Controller unless we are legally prohibited from doing so.

13. Deletion and Return of Personal Data

Upon termination or expiry of the subscription, GLLUZ LTD will, at the Controller's written request made within 30 days of termination, either delete or return all Personal Data processed on the Controller's behalf. After 30 days, GLLUZ LTD will securely delete all Personal Data unless retention is required by applicable law. Backups containing Personal Data will be deleted within 90 days of the request.

14. Audit Rights

GLLUZ LTD will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will permit and contribute to audits and inspections conducted by the Controller or an independent auditor appointed by the Controller. The Controller must provide at least 30 days' written notice and audits may not be conducted more than once per calendar year unless a security incident requires otherwise. Any auditor is subject to confidentiality obligations equivalent to those in this DPA.

15. Liability

Each party's liability under this DPA is subject to the limitations set out in the Axidex Terms of Service. GLLUZ LTD will be liable to the Controller for damages caused by processing that is not compliant with this DPA or with Applicable Data Protection Law, except where GLLUZ LTD can demonstrate it is not responsible for the damage.

16. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA are subject to the exclusive jurisdiction of the courts of England and Wales.

17. Contact

For questions about this DPA, data protection matters, or to exercise your rights as a Controller under this agreement:

GLLUZ LTD — Data Protection

Email: privacy@axidex.ai

If you believe we have not addressed your data protection concerns adequately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.