Data Processing Agreement (DPA)
1. Introduction & How This DPA Works
This Data Processing Agreement ("DPA") governs how Axiosky processes Personal Data on behalf of customers in the course of providing its Services — including Governor, Policy Engine, Orchestrator, and related features.
This DPA is incorporated by reference into and forms part of the Terms of Service. Where a separate written service agreement exists between Axiosky and a customer, this DPA forms a part of that agreement.
Custom DPA requests: Enterprise and government customers who require a signed, negotiated DPA may request one by contacting legal@axiosky.com. This standard DPA represents our baseline terms.
This DPA is governed by the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable Indian law.
2. Parties & Roles
Data Fiduciary (Customer): The organisation or entity that enters into a service agreement with Axiosky and determines the purpose and means of processing Personal Data.
Data Processor (Axiosky): Axiosky, a company registered in India, which processes Personal Data on behalf of and under the instructions of the Data Fiduciary.
The parties acknowledge that in the context of the Services, the Customer acts as the Data Fiduciary and Axiosky acts as the Data Processor, as those terms are defined in the DPDP Act 2023.
3. Definitions
- Personal Data: Any information relating to an identified or identifiable individual (referred to as a "Data Principal" under the DPDP Act 2023).
- Data Principal: The individual to whom Personal Data relates.
- Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, alteration, or deletion.
- Customer Data: All data, including any Personal Data, that the Customer submits to, uploads into, or generates through the Services.
- Sub-Processor: A third party engaged by Axiosky to process Personal Data in connection with the Services.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Personal Data.
4. Processing Details
The following describes the nature and scope of processing carried out by Axiosky under this DPA:
| Element | Details |
|---|---|
| Types of Personal Data | Contact and professional details (name, work email, job title, organisation); technical identifiers (IP addresses, access logs); any Personal Data included within Customer Data submitted to the Services |
| Categories of Data Principals | The Customer's authorised users; individuals whose data is processed by AI agents governed through the platform, as determined by the Customer |
| Nature of Processing | Hosting, storage, policy evaluation, audit logging, governance enforcement, and orchestration of AI agent actions as directed by the Customer |
| Purpose of Processing | Provision of governance infrastructure services as described in the applicable service agreement |
| Duration | For the term of the service agreement, plus the 30-day post-termination period specified in §11 |
5. Scope & Instructions
Axiosky processes Personal Data only in accordance with:
- The documented instructions of the Customer as set out in this DPA and any applicable service agreement
- The requirements of applicable Indian law, including the DPDP Act 2023
If Axiosky determines that a Customer instruction would violate applicable law, Axiosky will promptly notify the Customer and will not be obliged to carry out that instruction.
6. Axiosky's Obligations as Data Processor
Axiosky will:
- Process Personal Data only on the documented instructions of the Customer, and for no other purpose
- Ensure that personnel with access to Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in §12
- Assist the Customer in responding to Data Principal rights requests (access, correction, erasure) within a reasonable timeframe
- Notify the Customer of a confirmed Personal Data Breach within 72 hours of becoming aware of it, with sufficient detail to allow the Customer to meet any applicable notification obligations
- Assist the Customer in conducting privacy impact assessments where required by applicable law
- Not engage Sub-Processors without authorisation as described in §8
- Delete or return all Personal Data upon termination as described in §11
- Make available to the Customer, upon reasonable written request, information reasonably necessary to demonstrate compliance with this DPA
7. Customer's Obligations as Data Fiduciary
The Customer, as the Data Fiduciary, is responsible for:
- Ensuring that all Personal Data provided to Axiosky has been collected lawfully and that the Customer has the right to transfer it for processing under this DPA
- Providing clear and lawful instructions to Axiosky regarding the processing of Personal Data
- Ensuring that Data Principals have been informed of the processing, where required by applicable law
- Determining the appropriate technical and organisational measures required for the Customer's specific regulatory obligations
- Promptly informing Axiosky of any changes to instructions that affect the nature, purpose, or scope of processing
8. Sub-Processors
The Customer grants Axiosky general authorisation to engage Sub-Processors in connection with the Services, subject to the conditions below.
Axiosky will:
- Maintain a current list of Sub-Processors, available upon written request to legal@axiosky.com
- Provide the Customer with at least 30 days' written notice before engaging a new Sub-Processor that will process the Customer's Personal Data
- Impose data protection obligations on Sub-Processors that are equivalent to those set out in this DPA
- Remain fully liable to the Customer for any failure by a Sub-Processor to meet its obligations
If the Customer reasonably objects to a new Sub-Processor on grounds related to data protection, the Customer must notify Axiosky in writing within 14 days of receiving notice. The parties will work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected Services on reasonable written notice.
9. Data Principal Rights
The Customer, as Data Fiduciary, is responsible for responding to Data Principals exercising their rights under the DPDP Act 2023 (access, correction, erasure, nomination, and grievance redressal).
Axiosky will provide the Customer with reasonable technical assistance to respond to such requests, including access to relevant Personal Data held within the Services, within a reasonable timeframe following a written request.
10. Personal Data Breach
In the event of a confirmed or suspected Personal Data Breach affecting Customer Data:
- Axiosky will notify the Customer within 72 hours of becoming aware, providing: a description of the nature of the breach; the categories and approximate volume of Personal Data and Data Principals affected; likely consequences; and the measures taken or proposed to address the breach
- If all information is not yet available within 72 hours, Axiosky will provide an initial notification with available information and follow up as additional details become known
- Axiosky will take reasonable steps to contain the breach and mitigate its effects
- The Customer is responsible for determining whether and how to notify Data Principals or any regulatory authority, including the Data Protection Board of India
11. Data Deletion & Return
Upon termination or expiry of the relevant service agreement:
- Axiosky will make Customer Data available for export for a period of 30 days following the termination date
- After the export period, Axiosky will securely delete all Customer Data from its systems within a reasonable time, except where retention is required by applicable Indian law
- Axiosky will provide written confirmation of deletion upon the Customer's written request
- Immutable audit logs that form part of the Services may be retained only to the extent and for the duration required by applicable law or regulatory requirement
12. Security Measures
Axiosky implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorised access. These measures include:
- Encryption of data in transit using industry-standard protocols
- Access controls limiting Personal Data access to personnel who require it for the provision of the Services
- Logical separation of Customer Data between customers
- Incident detection and response procedures
The specific measures applied will be proportionate to the nature, scope, and sensitivity of the Personal Data being processed. Axiosky may update security measures over time to reflect evolving threats and practices.
13. Audit Rights
The Customer may, upon at least 30 days' prior written notice, request documentation or information from Axiosky to verify compliance with this DPA, including security measures. Axiosky will respond to such requests in good faith and within a reasonable timeframe.
On-site audits may be conducted at most once per calendar year, subject to reasonable notice and agreement on scope, timing, and confidentiality. The costs of any audit shall be borne by the Customer unless the audit reveals a material breach of this DPA by Axiosky.
14. International Data Transfers
Some Sub-Processors engaged by Axiosky may process Personal Data on servers located outside India. Where this occurs, Axiosky will take reasonable steps to ensure that such Sub-Processors maintain appropriate security standards and process Personal Data only for the purposes described in this DPA. Axiosky will update its Sub-Processor list to reflect the locations of processing upon request.
15. Liability
Axiosky's total liability under this DPA is subject to the limitations set out in the Terms of Service. Axiosky is not liable for losses caused by:
- The Customer's instructions, including unlawful instructions
- The Customer's failure to implement appropriate security measures on its own systems
- Actions of third parties outside Axiosky's reasonable control
16. Governing Law
This DPA is governed by the laws of the Republic of India, including the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. Any disputes shall be subject to the exclusive jurisdiction of the courts in Kerala, India.
17. Changes to This DPA
Axiosky may update this DPA to reflect changes in law or operational practice. The updated version will be posted on this page with a new "Last Updated" date. For material changes, Axiosky will provide reasonable advance written notice to active customers.
18. Contact
For DPA enquiries and custom DPA requests:
Email: legal@axiosky.com
Security & breach notifications: security@axiosky.com