1. Application
This Data Processing Schedule applies only where Axulu processes Customer Personal Data as processor on behalf of the Customer as controller. Where Axulu acts as independent controller, this schedule does not apply to that processing and the Axulu Privacy Notice applies instead.
2. Processing Instructions
Axulu will process Customer Personal Data only to provide the Services, comply with the Agreement, follow documented Customer instructions, comply with applicable law, protect systems and users, maintain evidence and service records, and exercise or defend legal rights.
3. Processing Details
Subject matter: provision of Axulu services, software, platform access, consultancy, managed technology, cyber/evidence services, AI/automation support and related administration.
Duration: for the term of the relevant Order and any retention period permitted by the Agreement or applicable law.
Types of personal data: business contact details, user account details, system identifiers, device/user inventory, security logs, policy/evidence materials, communications, support records, uploaded files, transaction data and other data provided by the Customer.
Categories of data subjects: Customer staff, contractors, representatives, users, clients, suppliers, prospects and other individuals whose data is provided by or on behalf of the Customer.
Special category or criminal offence data: not intended unless expressly agreed in the Order or otherwise approved in writing by Axulu.
4. Customer Obligations
The Customer must ensure it has a lawful basis for processing and sharing Customer Personal Data with Axulu, has provided required notices, has obtained required consents or authorisations, and does not provide data that is unnecessary or unlawful for the Services.
5. Confidentiality
Axulu will ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.
6. Security Measures
Axulu will apply reasonable technical and organisational measures appropriate to the Services, which may include access controls, MFA, least privilege, encryption in transit where supported, logging, backup, supplier review, secure configuration, staff instructions, incident handling and segregation of customer data where appropriate. No specific measure is guaranteed unless stated in the Order.
7. Sub-Processors
The Customer authorises Axulu to use sub-processors and third-party services to deliver the Services. Axulu will remain responsible for sub-processor performance as required by applicable data protection law and will impose appropriate data protection obligations on sub-processors. Axulu may change sub-processors where reasonably required for service, security, operational or supplier reasons.
8. International Transfers
Where Customer Personal Data is transferred outside the UK or EEA, Axulu will use an appropriate transfer mechanism where required by applicable data protection law, such as adequacy regulations, approved contractual clauses or another lawful mechanism.
9. Assistance
Taking into account the nature of processing and information available to Axulu, Axulu will provide reasonable assistance with data subject requests, security obligations, breach notifications, impact assessments and regulator consultations. Assistance outside normal service scope is chargeable at Axulu's then-current rates unless caused by Axulu's breach.
10. Personal Data Breaches
Axulu will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data processed by Axulu as processor. Axulu will provide information reasonably available to it to help the Customer meet its legal obligations.
11. Return, Export and Deletion
Following service closure, the Customer may request export or return of Customer Personal Data. Export, migration, transition, holding or deletion assistance is chargeable at Axulu's then-current rates unless the Order says otherwise. Axulu may delete live service data 60 days after service closure unless retention is required or permitted by the Agreement or applicable law.
12. Audit and Information
Axulu will make available information reasonably necessary to demonstrate compliance with this Data Processing Schedule. Audits must be reasonable, on notice, during business hours, subject to confidentiality and security controls, and must not disrupt Axulu or other customers. Customer-requested audits or questionnaires outside normal service scope are chargeable at Axulu's then-current rates.