About this agreement
Effective date: The date the Customer signs the Service Agreement or first accesses the Services.
Last updated: 14/11/2025
1. Introduction and Relationship to the Service Agreement
This Data Processing Agreement (“DPA”) forms an integral part of the TheAX Service Agreement (the “Agreement”) between Theax Technology Ltd (“Provider”) and the Customer.
This DPA sets out the terms under which the Provider processes Personal Data on behalf of the Customer in connection with the provision of the Services.
By signing the Agreement or by accessing or using the Services, the Customer acknowledges, accepts, and agrees to be bound by this DPA.
This DPA constitutes the written data-processing contract required under Article 28(3) of the UK GDPR.
2. Definitions
Unless otherwise defined in this DPA, terms have the meanings given in the Agreement or in the UK GDPR.
“UK GDPR” means the UK General Data Protection Regulation and the Data Protection Act 2018.
“Customer Data” means any Personal Data processed by the Provider on behalf of the Customer under the Agreement.
“Controller” and “Processor” have the meanings given in the UK GDPR.
“Sub-Processor” means any third party engaged by the Provider to process Personal Data on behalf of the Customer.
3. Roles of the Parties
The Customer acts as the Data Controller.
The Provider acts as the Data Processor when processing Customer Data on behalf of the Customer.
Both parties shall comply with their respective obligations under the UK GDPR and Data Protection Act 2018.
4. Scope, Nature, and Purpose of Processing
Subject matter: Processing of Personal Data to provide the Services described in the Agreement.
Nature and purpose: Storage, transmission, analysis, and other operations necessary to deliver the Services and associated support.
Categories of data subjects: Users authorised by the Customer and other individuals whose data the Customer inputs or transfers to the Services.
Types of personal data: Names, contact details, identifiers, usage data, and any other data the Customer chooses to process via the Services.
Duration: For the term of the Agreement and for the 12-month post-termination retention period specified in the Agreement, after which all Customer Data is deleted.
5. Provider Obligations
The Provider shall:
Process Customer Data only on documented instructions from the Customer, including with respect to international data transfers.
Ensure all persons authorised to process the data are bound by confidentiality obligations.
Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful processing, loss, or damage.
Assist the Customer in meeting obligations regarding data-subject rights (access, rectification, erasure, restriction, and portability).
Assist the Customer with security, breach notification, data-protection impact assessments, and consultations with the ICO where required.
Notify the Customer without undue delay (and within 72 hours of awareness) of any personal data breach affecting Customer Data.
Upon termination, delete or return all Customer Data within the timeframe specified in the Agreement unless retention is required by law.
Make available information necessary to demonstrate compliance and allow for audits (under reasonable notice and conditions).
6. Sub-Processors
The Provider may engage Sub-Processors to support the delivery of the Services.
The Provider shall:
ensure Sub-Processors are subject to equivalent data-protection obligations; and
remain fully liable for each Sub-Processor’s acts and omissions.
A list of current Sub-Processors is maintained at [insert URL of sub-processor list].
The Provider will give reasonable prior notice (normally 30 days) before appointing new Sub-Processors, allowing the Customer to raise reasonable objections.
7. International Data Transfers
The Provider shall not transfer Personal Data outside the UK or EEA unless such transfer complies with Chapter V of the UK GDPR (for example, through adequacy regulations, Standard Contractual Clauses, or other lawful safeguards).
8. Customer Obligations
The Customer shall:
ensure it has a lawful basis for all processing conducted via the Services;
not cause the Provider to process unlawful data;
promptly notify the Provider of any changes affecting the lawfulness of processing; and
remain responsible for its own compliance obligations as Data Controller.
Security Measures, updates, governing law, and notices
9. Security Measures
The Provider maintains industry-standard security controls, including (as applicable):
data encryption in transit and at rest;
access controls and authentication;
regular vulnerability testing and monitoring; and
business continuity and disaster recovery plans.
Full details of current security measures are available on request.
10. Updates to this DPA
The Provider may update this DPA to reflect changes in law, regulatory guidance, or processing practices.
No update will materially reduce the Customer’s rights or protections under this DPA.
The Provider will post updated versions on this page and provide reasonable advance notice (normally at least 30 days) of any material change.
11. Contact and Notices
For data-protection matters, the Provider’s contact is:
Data Protection Officer
Theax Technology Ltd
11 Wolsey Close, Marlborough, SN8 1EZ
Email: hello@theax.ai
12. Governing Law
This DPA and any dispute arising from it shall be governed by the laws of England and Wales, with exclusive jurisdiction of the courts of England and Wales.
Compliance Summary
This DPA satisfies the requirements of UK GDPR Article 28(3) and related obligations under the Data Protection Act 2018 by setting out:
Subject matter, duration, nature and purpose of processing
Types of personal data and data subjects
Controller and processor obligations
Sub-processor rules
Security, breach, and deletion obligations