Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the agreement between Axora Infotech, as operator of AxoDesk ("Processor"), and the customer using AxoDesk ("Customer"). It applies where AxoDesk processes personal data on behalf of Customer and is incorporated into the parties' agreement or accepted through an applicable order form.

If a signed enterprise DPA conflicts with this page, the signed DPA controls. Contact sales@axodesk.io to request an executed DPA, including any required transfer addendum.

"Customer Personal Data" means personal data contained in Customer Data that AxoDesk processes on behalf of Customer. Customer is the controller or processor that determines the permitted processing. AxoDesk is a processor or subprocessor. Terms such as controller, processor, processing, personal data, personal-data breach, and supervisory authority have the meanings given by applicable data-protection law.

AxoDesk will process Customer Personal Data only on documented Customer instructions, including instructions expressed through configuration and authorized use of the service, to provide, secure, support, maintain, and improve the contracted service, unless law requires otherwise.

Customer is responsible for ensuring its instructions comply with law. If AxoDesk reasonably believes an instruction violates applicable data-protection law, it may suspend the affected processing and notify Customer where legally permitted.

AxoDesk will limit access to Customer Personal Data to personnel and providers who need access to perform the service and are subject to appropriate confidentiality obligations.

Taking into account the nature of processing, implementation costs, and risks to individuals, AxoDesk will maintain reasonable technical and organizational safeguards. Current product measures are described in the Security Overview.

Customer is responsible for using available security controls, assigning least-privilege roles, reviewing integrations, protecting credentials, and configuring data flows appropriately.

Customer authorizes AxoDesk to engage subprocessors as needed to provide the service. AxoDesk will impose data-protection obligations appropriate to the subprocessor's role and remains responsible for its processor obligations under the DPA.

Our Third-Party Services and Subprocessors Notice explains provider categories and distinguishes AxoDesk vendors from customer-directed integrations. Enterprise customers may request the applicable production list and a change-notification process.

Taking into account the nature of processing and information available to AxoDesk, we will provide reasonable assistance for Customer's response to data-subject requests, security obligations, breach obligations, data-protection impact assessments, and consultations with supervisory authorities. Customer is responsible for communicating with individuals and authorities unless law requires AxoDesk to do so.

AxoDesk will notify Customer without undue delay after becoming aware of a confirmed personal-data breach affecting Customer Personal Data and will provide information reasonably available to support Customer's obligations. Notification is not an admission of fault or liability.

At the end of the service, AxoDesk will delete or return Customer Personal Data as agreed, unless law requires continued storage. Some residual copies may remain temporarily in backups, logs, and records subject to secure retention controls and deletion cycles.

AxoDesk will make information reasonably necessary to demonstrate compliance with processor obligations available to Customer. Where required by law and not satisfied by available documentation, the parties will agree reasonable audit scope, timing, confidentiality, security, cost allocation, and measures to avoid disruption or exposure of other customers' data.

Where Customer Personal Data is transferred across borders and a transfer mechanism is legally required, the parties will use an appropriate safeguard, which may include standard contractual clauses and any required supplementary measures. Customer is responsible for assessing customer-directed integrations.