dpa@aqnex.com;
we will return a counter-signed PDF within five business days.
01 Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Terms of Service. The following terms have the meanings set out below:
- Applicable Data Protection Law means all laws and regulations applicable to the processing of personal data under this DPA, including (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK Data Protection Act 2018 and the UK GDPR; (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and (e) other applicable U.S. state privacy laws (Colorado, Connecticut, Virginia, Utah, Texas, and others as enacted).
- Customer Personal Data means personal data submitted, configured, or instructed by Customer to be processed by aqnex through the Service.
- Controller, Processor, Sub-processor, Personal Data, Processing, Data Subject, and Personal Data Breach have the meanings given in the GDPR.
- Standard Contractual Clauses or SCCs means the standard contractual clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021 (Module 2 — Controller to Processor; Module 3 — Processor to Processor — as applicable).
- UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (ICO), version B1.0.
- Restricted Transfer means a transfer of Customer Personal Data from the EEA, the UK, or Switzerland to a country that is not subject to an adequacy decision under Applicable Data Protection Law.
02 Roles of the parties
The parties acknowledge and agree that with respect to Customer Personal Data, Customer is the Controller, aqnex is the Processor, and aqnex's sub-processors are Sub-processors. Where Customer is itself a Processor acting on behalf of a third-party Controller, Customer warrants that it has obtained the necessary authorizations from the Controller to instruct aqnex to process the Customer Personal Data, and aqnex acts as a Sub-processor.
03 Subject matter, duration, nature, and purpose of processing
- Subject matter: The provision of the aqnex Service as described in the Terms of Service.
- Duration: For the term of the Terms of Service plus the deletion / return period set out in Section 13.
- Nature: Hosting, storage, transmission, structuring, organization, retrieval, consultation, erasure, and destruction of Customer Personal Data on Customer's documented instructions, plus distribution of fields classified by Customer as Public or AI-only to authorized AI partners pursuant to the Data Use Policy.
- Purpose: To enable Customer to operate, verify, publish, and distribute its business profile and to receive analytics about how AI partners cite that profile.
04 Categories of data subjects and personal data
See Annex I for a complete description of categories of data subjects and categories of personal data processed under this DPA.
05 Customer instructions
aqnex will process Customer Personal Data only on the documented instructions of Customer, including with regard to transfers, except as required by laws to which aqnex is subject (in which case aqnex will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). The Terms of Service, this DPA, the Data Use Policy, the configuration choices Customer makes in its dashboard, and Customer's use of the API constitute Customer's complete and final documented instructions to aqnex. Additional or alternative instructions require a written amendment.
aqnex will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. aqnex is not obliged to monitor Customer's compliance with Applicable Data Protection Law.
06 Confidentiality
aqnex ensures that persons authorized to process Customer Personal Data have committed themselves to confidentiality (whether through written agreement or appropriate statutory obligation) and have undergone training on data-protection responsibilities appropriate to their role.
07 Security measures
aqnex implements and maintains the technical and organizational measures described in Annex II, designed to ensure a level of security appropriate to the risk associated with the processing. aqnex may update those measures from time to time, provided that the level of security is not materially diminished.
08 Sub-processors
Customer authorizes aqnex to engage Sub-processors to process Customer Personal Data in connection with the provision of the Service, subject to the requirements of this Section 8.
- aqnex maintains a current list of Sub-processors at Annex III of this DPA, which is also published at aqnex.com/legal/dpa#sub-processors.
- aqnex enters into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA, in satisfaction of Article 28(4) GDPR.
- aqnex remains fully liable to Customer for the acts and omissions of each Sub-processor.
- aqnex will provide Customer with at least 30 days' prior notice of any new or replacement Sub-processor (the "Notice Period") via email to the designated DPA contact and via in-product notification. Customer may object on reasonable data-protection grounds within the Notice Period. If the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service for cause and receive a pro-rated refund of pre-paid fees attributable to that portion.
09 Assistance with data-subject requests
Taking into account the nature of the processing, aqnex provides reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, restriction, erasure, portability, objection, and restriction of automated decision-making. Where a Data Subject submits a request directly to aqnex, aqnex will, without undue delay, forward the request to Customer and instruct the Data Subject to contact Customer directly. aqnex will not respond to such a request on Customer's behalf except on Customer's instruction or where required by law.
10 Personal data breach notification
aqnex will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notification will, to the extent possible, describe (a) the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and to mitigate adverse effects; and (d) the contact point for further information. Where information is not available within 72 hours, aqnex will provide it in phases without undue further delay. Notifications are not an admission by aqnex of fault or liability.
11 Data protection impact assessments and prior consultation
Taking into account the nature of the processing and the information available to aqnex, aqnex provides reasonable assistance to Customer with any data-protection impact assessment ("DPIA") and any prior consultation of a supervisory authority that Customer is required to carry out under Articles 35 and 36 of the GDPR. aqnex publishes standing assistance materials, including a DPIA template, at trust.aqnex.com.
12 Audits and inspections
aqnex makes available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to the following conditions:
- Customer's audit right is satisfied by aqnex's annual SOC 2 Type II report, current ISO 27001 certificate, current penetration-test summary, and standard security questionnaires (CAIQ, SIG-Lite). aqnex will provide these on written request, subject to confidentiality obligations no less protective than this DPA.
- Where the foregoing materials are insufficient and Customer can demonstrate that an on-site or remote inspection is necessary (for example, in response to a regulator request), Customer may, at Customer's expense, conduct one such inspection per calendar year on at least 60 days' prior written notice, during normal business hours, in a manner that does not unreasonably interfere with aqnex's operations, and subject to a confidentiality agreement in form and substance acceptable to aqnex.
13 Return and deletion
Upon termination or expiration of the Service, aqnex will, at Customer's choice, delete or return all Customer Personal Data, except to the extent required by applicable law to retain it. The default disposition is deletion in accordance with the retention schedule in our Privacy Policy. Encrypted backups containing Customer Personal Data are deleted on their normal rolling 35-day schedule. Aggregated, deidentified data that cannot reasonably be re-identified is not subject to this Section 13.
14 International data transfers
Where the processing of Customer Personal Data involves a Restricted Transfer:
- The parties incorporate by reference the Standard Contractual Clauses, which apply as follows: Module 2 (Controller-to-Processor) where Customer is the Controller; Module 3 (Processor-to-Processor) where Customer is itself a Processor.
- For the purposes of the SCCs: (a) Clause 7 (docking clause) is incorporated; (b) the option in Clause 9(a) for general written authorization of Sub-processors is selected, with the Notice Period set to 30 days as in Section 8; (c) the optional language in Clause 11(a) (independent dispute resolution) is not selected; (d) for Clause 17, the governing law is Ireland; (e) for Clause 18, the forum is the courts of Ireland; (f) Annex I, II, and III to the SCCs are populated by reference to Annex I, Annex II, and Annex III of this DPA.
- For Restricted Transfers from the United Kingdom, the parties incorporate the UK Addendum, with Customer designated as the "exporter" and aqnex as the "importer."
- For Restricted Transfers from Switzerland, the SCCs apply with the Swiss Federal Data Protection and Information Commissioner as the competent authority and Swiss law applied in lieu of GDPR where required by Swiss law.
15 CCPA and U.S. state privacy specifics
With respect to Customer Personal Data subject to the CCPA or other U.S. state privacy laws, aqnex is a "service provider," "processor," or "contractor" (as those terms are defined under applicable law) and:
- will not sell or share Customer Personal Data;
- will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Terms of Service and this DPA, including retaining, using, or disclosing it for a commercial purpose other than providing the Service to Customer;
- will not retain, use, or disclose Customer Personal Data outside the direct business relationship between aqnex and Customer;
- will not combine Customer Personal Data with personal information that aqnex receives from or on behalf of any other person, except as permitted under applicable law;
- will provide the same level of privacy protection to Customer Personal Data as required of Customer by applicable law;
- will notify Customer if it determines that it can no longer meet its obligations under applicable law; and
- grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
16 Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that nothing in this DPA or the Terms of Service excludes or limits a party's liability under the SCCs to the extent that such limitation would be void or unenforceable under Applicable Data Protection Law.
17 Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict with respect to the processing of Customer Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
18 Order of precedence
Where the parties have signed a separately negotiated data processing agreement that specifically references and supersedes this DPA, that agreement controls; otherwise, this DPA controls.
A1 Annex I — Description of processing
Categories of data subjects
- Customer's authorized users (administrators, owners, billing contacts).
- Where applicable, individuals named on a business profile (owners, principals, licensed practitioners) whose data Customer has elected to publish.
- End users of the public directory who create a visitor account, post a review, or send a contact-form message.
- Recipients of communications sent through the Service.
Categories of personal data
- Identification and contact data (name, email, phone, address).
- Account data (login identifier, hashed credentials, role, preferences).
- Profile data (job title, business affiliation, professional licenses).
- Verification data (government-issued identifiers and documents Customer chooses to submit for verification purposes).
- Billing data (limited to last four digits of payment card and billing address).
- Communications and support content.
- Technical data (IP address, device data, log data).
- Special-category data only where Customer voluntarily submits it; aqnex does not require, request, or otherwise solicit such data.
Frequency, nature, and purpose
Continuous processing for the duration of the Service, for the nature and purposes described in Section 3 of this DPA.
Retention period
As described in the Privacy Policy and Section 13 of this DPA.
A2 Annex II — Technical and organizational measures
aqnex maintains, at minimum, the following measures:
- Encryption. TLS 1.2 or higher for data in transit; AES-256 (or equivalent) for data at rest; encrypted, access-controlled backups; key management with rotation and separation of duties.
- Access control. Single sign-on with mandatory multi-factor authentication for all employees; role- and attribute-based access control on production systems; least-privilege defaults; access reviews at least quarterly; separation of production and non-production environments.
- System development. Mandatory peer code review; static analysis; dependency vulnerability scanning; secrets-scanning in CI; segregation of duties between developers and release operators.
- Operational security. Hardened production base images; centralized log aggregation with anomaly alerting; intrusion-detection on production networks; managed patching of OS and dependencies.
- Network security. Defense in depth; private subnets for data tier; restricted egress from production; web application firewall in front of public surfaces; rate limiting on public APIs.
- Vulnerability management. Annual third-party penetration testing; continuous internal vulnerability scanning; documented service-level objectives for remediation by severity.
- Resilience. Multi-zone production deployment; documented business continuity and disaster recovery plans; tested point-in-time database restore procedures.
- Incident response. 24/7 on-call rotation; defined severity levels; documented runbooks; tabletop exercises at least annually.
- People controls. Background checks consistent with applicable law; mandatory security and privacy training at hire and at least annually thereafter; documented joiner-mover-leaver process.
- Vendor management. Risk-based diligence on Sub-processors; contractual security and confidentiality terms; annual review of high-risk vendors.
- Audit and assurance. SOC 2 Type II audit performed annually by an independent registered public accounting firm.
A3 Annex III — Sub-processors
The following Sub-processors are authorized to process Customer Personal Data as of the effective date of this DPA. Updates are published in advance per Section 8.
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Cloud infrastructure provider | Production hosting, storage, networking | United States, European Union |
| Managed database provider | Primary and replica relational databases | United States, European Union |
| Object storage provider | Document, image, and backup storage | United States, European Union |
| Observability and logging provider | Metrics, traces, structured logs, alerting | United States |
| Payment processor | Card processing, invoicing, tax calculation | United States |
| Transactional email provider | Account, security, and operational email | United States |
| Customer support platform | Help desk, ticketing, knowledge base | United States |
| Identity and fraud signals provider | Sign-in risk scoring, abuse detection | United States |
| Privacy-preserving product analytics | Aggregated usage and feature metrics | European Union |
19 Contact
- DPA execution and amendments — dpa@aqnex.com
- Data Protection Officer — dpo@aqnex.com
- Privacy and rights requests — privacy@aqnex.com
- Security and breach notifications — security@aqnex.com