1. Our Role Under GDPR
AAQUILIX ("AAQUILIX") operates in two distinct capacities under the GDPR:
1.1 Data Controller
AAQUILIX is a Data Controller for personal data we collect directly from individuals via our website (www.aaquilix.com) — including enquiry submissions, account registrations, demo bookings, and marketing communications. We determine the purposes and means of processing this data.
1.2 Data Processor
AAQUILIX is a Data Processor when processing personal data on behalf of enterprise customers ("Controllers") through the AAQUILIX Platform. In this capacity, AAQUILIX acts strictly on the documented instructions of the Controller as set out in the Data Processing Agreement.
Importantly: the AAQUILIX client-local AI architecture means that customer infrastructure data is processed within the customer's own network and is not stored on AAQUILIX servers. This architectural choice minimises AAQUILIX's exposure as a processor of customer infrastructure data.
2. Lawful Bases for Processing
| Processing activity | Lawful basis (GDPR Article 6) |
|---|---|
| Performing a subscription contract | Article 6(1)(b) — Contract performance |
| Processing payments | Article 6(1)(b) — Contract performance |
| Security monitoring, fraud prevention | Article 6(1)(f) — Legitimate interests |
| Product improvement analytics (anonymised) | Article 6(1)(f) — Legitimate interests |
| Marketing emails (opt-in) | Article 6(1)(a) — Consent |
| Compliance with legal obligations (tax, audit) | Article 6(1)(c) — Legal obligation |
| Demo scheduling and pre-sales enquiries | Article 6(1)(f) — Legitimate interests |
3. Data Subject Rights
EEA, UK, and Swiss residents have the following rights under GDPR. We will respond to verified requests within one calendar month (extendable to three months for complex requests):
- Right of access (Art. 15): Obtain a copy of personal data we hold about you and information about how it is processed
- Right to rectification (Art. 16): Have inaccurate or incomplete personal data corrected
- Right to erasure (Art. 17): Request deletion of your data where no overriding legal basis exists for retention
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
- Right to restrict processing (Art. 18): Temporarily limit processing during a dispute or correction
- Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing at any time
- Rights related to automated decision-making (Art. 22): Not be subject to solely automated decisions with significant legal or similar effects. The AAQUILIX Platform may operate autonomously, but all autonomous actions are governed by human-approved GoalSet policies and are fully auditable.
Submit requests to: support@aaquilix.com
4. International Data Transfers
AAQUILIX is headquartered in India. The European Commission has not issued an adequacy decision for India as of the date of this document. Accordingly, when personal data of EEA residents is transferred to India or other third countries by our sub-processors, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission's 2021 SCCs (Implementing Decision 2021/914) with all sub-processors located outside the EEA
- UK International Data Transfer Agreements (IDTAs): For transfers involving UK personal data, we use ICO-approved IDTAs
- Supplementary measures: Where required by our transfer impact assessments, we apply technical supplementary measures including data minimisation, pseudonymisation, and encryption
5. Sub-Processors
We engage the following categories of sub-processors. A complete and current sub-processor list is available on request from support@aaquilix.com:
| Sub-processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure (website hosting) | India (ap-south-1) | SCCs |
| Stripe Inc. | Payment processing | USA | SCCs |
| Razorpay Software Pvt. Ltd. | Payment processing (INR) | India | N/A (same jurisdiction) |
| SendGrid (Twilio) | Transactional email delivery | USA | SCCs |
| Google LLC | Analytics (anonymised) | USA | SCCs / DPF |
| Calendly LLC | Demo scheduling | USA | SCCs |
We will notify enterprise customers at least 30 days in advance before adding or replacing sub-processors, providing an opportunity to object.
6. Data Processing Agreement
For enterprise customers subject to GDPR, a Data Processing Agreement is incorporated by reference into our Terms of Service. The DPA sets out: processing instructions, security obligations, sub-processor management, data subject request handling, breach notification (within 72 hours of AAQUILIX becoming aware), and data return/deletion provisions.
A copy of our standard DPA is available at /legal/dpa. Enterprise customers may request a countersigned copy by emailing support@aaquilix.com.
7. Data Protection Officer
AAQUILIX has appointed a Data Protection Officer (DPO) accessible to data subjects and supervisory authorities:
DPO
AAQUILIX
Bangalore, Karnataka 560001, India
Email: support@aaquilix.com
8. Right to Lodge a Complaint
If you are an EEA resident and believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.
We encourage you to contact us first to resolve any concerns before approaching a supervisory authority.
9. AAQUILIX and Automated Decision-Making
The AAQUILIX Platform uses AI to make and execute decisions about IT infrastructure. To ensure GDPR compliance in the context of autonomous operations:
- All autonomous actions are governed by human-defined GoalSet policies that you configure and approve
- Every action executed by a AAQUILIX agent is logged, attributable, and auditable
- Customers retain the ability to require human approval for any action category at any time
- The Platform does not make decisions that produce legal effects on data subjects without human oversight
For enterprise deployments involving decisions that affect individuals (e.g., user account suspension automation), customers should conduct a Data Protection Impact Assessment (DPIA) and configure appropriate approval gates in GoalSet. AAQUILIX can assist with DPIA documentation on request.
10. Record of Processing Activities
AAQUILIX maintains an internal Record of Processing Activities (ROPA) as required by Article 30 GDPR. EEA enterprise customers may request a summary of our ROPA entries relevant to their processing by contacting support@aaquilix.com.