1. Definitions
Terms used but not defined in this DPA have the meanings given in the AAQUILIX Terms of Service or applicable data protection law.
- "Controller" means the enterprise Customer that determines the purposes and means of processing personal data through the Platform.
- "Processor" means AAQUILIX ("AAQUILIX"), which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Sub-processor" means any third party engaged by AAQUILIX to process Personal Data in connection with the Platform.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission under Implementing Decision 2021/914.
2. Scope and Roles
This DPA applies where AAQUILIX processes Personal Data on behalf of the Controller in connection with the AAQUILIX Platform. The Controller is responsible for ensuring it has a lawful basis for the processing and for providing valid instructions to AAQUILIX. AAQUILIX acts solely as a Processor and shall not process Personal Data for its own purposes.
Subject matter, nature, and purpose of processing
| Element | Description |
|---|---|
| Subject matter | IT infrastructure management and AI automation services via the AAQUILIX Platform |
| Nature of processing | Collection, storage, use, transmission, analysis, and deletion of personal data as required to deliver the Platform |
| Purpose | Providing the AAQUILIX Platform under the Terms of Service; including account management, licensing, audit log generation, and anonymised platform analytics |
| Duration | The term of the subscription agreement plus any post-termination retention period specified in these Terms |
| Types of personal data | Account holder identity (name, work email, job title, company); usage logs; IP addresses; payment references |
| Categories of data subjects | Employees and contractors of the Controller who access the AAQUILIX Platform |
Note on client infrastructure data: The AAQUILIX Platform's client-local AI architecture processes infrastructure telemetry within the Controller's own network. Such data is not transmitted to or stored by AAQUILIX and is therefore outside the scope of this DPA.
3. Controller Instructions
AAQUILIX shall process Personal Data only on documented instructions from the Controller. The Terms of Service and this DPA constitute the Controller's primary instructions. If AAQUILIX is required by applicable law to process Personal Data beyond these instructions, it shall inform the Controller of that requirement before such processing (unless prohibited by law). If AAQUILIX believes an instruction violates applicable law, it shall notify the Controller promptly.
4. AAQUILIX Obligations
AAQUILIX shall:
- Process Personal Data only as necessary to deliver the Platform and as instructed by the Controller
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain the technical and organisational security measures described in Section 6 and the Security Policy
- Not engage new Sub-processors without prior written authorisation from the Controller (general authorisation is granted for the Sub-processors listed in Section 9; new additions require 30 days' notice)
- Take reasonable steps to assist the Controller in responding to data subject requests (Section 5)
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation)
- At the Controller's choice, delete or return all Personal Data upon termination of the agreement, unless EU or Indian law requires retention
- Provide all information reasonably necessary to demonstrate compliance with this DPA and allow audits as described in Section 8
5. Data Subject Rights
AAQUILIX shall, to the extent possible, assist the Controller in fulfilling its obligation to respond to data subject requests under Chapter III GDPR (access, rectification, erasure, portability, objection, restriction). If AAQUILIX receives a data subject request directly, it will promptly forward it to the Controller without responding directly, unless instructed otherwise or required by law.
6. Security Measures (Article 32 GDPR)
AAQUILIX implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymisation and encryption of Personal Data (AES-256 at rest, TLS 1.3 in transit)
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data following a physical or technical incident (RTO 4 hours, RPO 1 hour)
- Regular testing, assessment, and evaluation of the effectiveness of security measures (annual penetration tests, quarterly vulnerability assessments)
- Role-based access control and mandatory MFA for all staff with access to production data
- Comprehensive security logging and 24×7 monitoring
Full details are provided in the Security Policy, which forms part of this DPA.
7. Security Incident Notification
AAQUILIX shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA. The notification shall include, to the extent available:
- A description of the nature of the Security Incident, including categories and approximate number of data subjects and records affected
- The likely consequences of the Security Incident
- Measures taken or proposed to address the incident and mitigate its possible effects
- Contact details of the AAQUILIX Data Protection Officer
AAQUILIX shall cooperate fully with the Controller in complying with any obligations to notify supervisory authorities or data subjects. Notification of a Security Incident does not constitute an admission of fault or liability by AAQUILIX.
8. Audits and Inspection
AAQUILIX shall make available to the Controller all information necessary to demonstrate compliance with this DPA. AAQUILIX shall allow for and contribute to audits and inspections conducted by the Controller or a mandated third-party auditor. The following conditions apply:
- The Controller must provide at least 30 days' written notice of any intended audit
- Audits shall be conducted during business hours, no more than once per year unless a Security Incident warrants an additional audit
- The auditor must execute a confidentiality agreement acceptable to AAQUILIX
- The Controller bears all costs of the audit unless the audit reveals material non-compliance
- AAQUILIX may satisfy audit obligations by providing relevant security documentation, control summaries, or third-party reports when available in lieu of on-site inspection
9. Sub-Processors
The Controller grants AAQUILIX general authorisation to engage the following Sub-processors. AAQUILIX shall impose data protection obligations on Sub-processors equivalent to those in this DPA. AAQUILIX remains liable to the Controller for the Sub-processors' compliance.
| Sub-processor | Purpose | Country |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure hosting | India (ap-south-1) |
| Stripe, Inc. | Payment processing | United States |
| Razorpay Software Pvt. Ltd. | INR payment processing | India |
| Twilio Inc. (SendGrid) | Transactional email delivery | United States |
| Google LLC | Analytics (anonymised, IP-masked) | United States |
| Calendly LLC | Demo scheduling integration | United States |
AAQUILIX will notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors. If the Controller objects on legitimate data protection grounds within 14 days, the parties shall work in good faith to resolve the objection. If unresolved, the Controller may terminate the affected service with a pro-rated refund.
10. International Transfers
Where Personal Data is transferred to a country not recognised as providing adequate protection under applicable law, AAQUILIX ensures the transfer is subject to appropriate safeguards, including the Standard Contractual Clauses (EU SCCs — Implementing Decision 2021/914) or UK International Data Transfer Agreements (IDTAs). Copies of applicable transfer mechanisms are available on request.
11. Data Return and Deletion
Upon expiry or termination of the subscription agreement, AAQUILIX shall, at the Controller's written election:
- Return: Provide the Controller with an export of all Personal Data in a structured, machine-readable format (JSON or CSV) within 30 days of termination; or
- Delete: Permanently and irreversibly delete all Personal Data within 90 days of termination, and provide written confirmation of deletion.
AAQUILIX may retain Personal Data beyond these periods where required by applicable law (e.g., tax or audit obligations), in which case AAQUILIX shall process such data only for the purpose of complying with the legal obligation and shall notify the Controller of the retention and its legal basis.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the AAQUILIX Terms of Service. This DPA does not limit either party's liability for intentional misconduct, gross negligence, or where liability cannot be limited under applicable law. Where a data subject suffers damage due to a breach of this DPA or the GDPR, the Controller and AAQUILIX are jointly and severally liable to the data subject; either party may seek contribution from the other in proportion to its responsibility for the damage.
13. Governing Law
This DPA is governed by the laws of India. For EU/UK GDPR compliance purposes, the EU SCCs and UK IDTAs incorporated herein are governed by the laws specified therein.
14. Contact and Execution
To request a countersigned copy of this DPA, or to raise any data processing concern, contact:
Data Protection Officer
AAQUILIX
Bangalore, Karnataka 560001, India
Email: support@aaquilix.com