Data Processing Addendum
Effective date: March 1, 2026
Introduction
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between HemanthVA Ventures LLC, doing business as Authex ("Authex," "Processor") and the entity agreeing to the Agreement ("Customer," "Controller"), and governs the processing of Personal Data by Authex on behalf of Customer in connection with the provision of the Authex email security platform (the "Service").
This DPA is designed to ensure compliance with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act ("CCPA").
This DPA applies automatically to all Customers who process Personal Data of individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland through the Service.
Definitions
In addition to terms defined elsewhere in this DPA, the following definitions apply:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in the GDPR.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer acts as the Controller.
- "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Authex acts as the Processor.
- "Sub-processor" means any third party engaged by Authex to assist in processing Personal Data on behalf of the Customer.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Data Protection Laws" means all applicable legislation relating to the protection of personal data, including the GDPR, UK GDPR, FADP, CCPA, and any applicable national implementing legislation.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Standard Contractual Clauses" ("SCCs") means the contractual clauses approved by the European Commission for the transfer of Personal Data to countries outside of the EEA that have not been deemed to provide an adequate level of data protection.
Scope and Roles
This DPA applies to the processing of Personal Data by Authex on behalf of Customer in connection with the Service. The parties acknowledge and agree that:
- Customer is the Controller: Customer determines the purposes and means of processing Personal Data through its use of the Service.
- Authex is the Processor: Authex processes Personal Data solely on behalf of and in accordance with Customer's documented instructions, as described in this DPA and the Agreement.
With respect to the processing of publicly available DNS record data, Authex acts as an independent Controller, as such data is not Personal Data belonging to the Customer.
Processing Details
Subject Matter and Duration
The subject matter of data processing is the provision of the Authex email security platform. Processing will continue for the duration of the Agreement, plus any period required for data deletion or return as specified in this DPA.
Nature and Purpose of Processing
Authex processes Personal Data for the following purposes:
- Providing account management and authentication
- Delivering domain monitoring, scanning, and email authentication services
- Processing and displaying DMARC aggregate reports
- Generating AI-powered security insights and recommendations
- Providing customer support and communications
- Billing and payment processing
- Sending transactional notifications and alerts
Types of Personal Data
The following types of Personal Data may be processed:
- Contact information (name, email address, phone number)
- Professional information (company name, job title)
- Account credentials (hashed passwords)
- Technical identifiers (IP addresses, browser user agents)
- Usage data (pages visited, features used, timestamps)
- DMARC aggregate report metadata (source IP addresses, email volume counts, authentication results)
- Communication records (support tickets, correspondence)
Categories of Data Subjects
Personal Data processed under this DPA relates to the following categories of Data Subjects:
- Customer employees and authorized users
- Customer contacts and administrators
- Individuals whose IP addresses appear in DMARC aggregate reports
Obligations of Authex
As the Processor, Authex shall:
- Process on instructions: Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. If Authex is compelled by law to process Personal Data for another purpose, it will inform the Customer of that requirement prior to processing, unless prohibited from doing so by law.
- Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Security measures: Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, as described in the Security Measures section of this DPA.
- Sub-processors: Not engage another processor (Sub-processor) without prior general or specific written authorization of the Customer, as described in the Sub-processors section.
- Data transfers: Not transfer Personal Data to a country outside the EEA without ensuring adequate safeguards are in place, as described in the International Transfers section.
- Assistance: Assist the Customer in fulfilling its obligations to respond to Data Subject requests and in ensuring compliance with its obligations under Data Protection Laws regarding security, breach notification, impact assessments, and prior consultations.
- Deletion and return: Upon termination of the Agreement, at the Customer's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires storage of the Personal Data. Customer Data will be available for export for 30 days following termination.
- Audits: Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or a qualified auditor mandated by the Customer. Audits shall be conducted with reasonable advance notice (at least 30 days) and during normal business hours, no more than once per year.
Sub-processors
Authorization
Customer provides general written authorization for Authex to engage Sub-processors to assist in providing the Service. Authex maintains a list of current Sub-processors, which is available upon request.
Notification of Changes
Authex will notify the Customer at least 30 days in advance before adding or replacing any Sub-processor. The notification will include the identity of the new Sub-processor, the country in which it operates, and the nature of the processing activities it will perform.
Right to Object
Customer may object to the appointment of a new Sub-processor by notifying Authex in writing within 14 days of receiving the notification. If Customer objects, Authex will use commercially reasonable efforts to make available an alternative solution that does not involve the objected-to Sub-processor. If no alternative is reasonably available, either party may terminate the affected portion of the Service with 30 days' written notice.
Sub-processor Obligations
Authex will impose contractual obligations on each Sub-processor that are no less protective than those in this DPA. Authex remains fully liable to the Customer for the performance of each Sub-processor's obligations.
Security Measures
Authex implements and maintains the following technical and organizational security measures to protect Personal Data:
Technical Measures
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256
- Network segmentation and firewall protections
- Intrusion detection and prevention systems
- Regular vulnerability scanning and penetration testing
- Automated backup and disaster recovery procedures
- Multi-factor authentication for administrative access
- Logging and monitoring of access to systems containing Personal Data
Organizational Measures
- Role-based access control with the principle of least privilege
- Mandatory security awareness training for all employees
- Background checks for employees with access to Personal Data
- Written information security policies and procedures
- Incident response plan with defined roles and escalation procedures
- Regular review and testing of security measures
- Vendor security assessment program for Sub-processors
- SOC 2 Type II-aligned controls and practices
Data Breach Notification
Notification Timeline
Authex will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach. Where notification is not possible within 72 hours, Authex will provide reasons for the delay along with the notification.
Notification Content
The breach notification will include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of Authex's data protection point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its potential adverse effects
- The date and time the breach was detected
Cooperation
Authex will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach. Authex will also assist the Customer in fulfilling any notification obligations the Customer may have under Data Protection Laws.
Data Subject Rights
Authex will assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including the rights of:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
If Authex receives a request from a Data Subject directly, Authex will promptly redirect the Data Subject to the Customer and notify the Customer of the request. Authex will not respond to a Data Subject request directly unless authorized by the Customer or required by applicable law.
Authex will provide the Customer with the technical capabilities necessary to fulfill Data Subject requests through the Service, such as data export and deletion features. Where requests cannot be fulfilled through the Service, Authex will provide reasonable assistance within 30 days.
International Transfers
Authex is headquartered in the United States. Personal Data processed under this DPA may be transferred to and stored in the United States or other countries where Authex or its Sub-processors operate.
For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not been recognized as providing an adequate level of data protection, Authex relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): Authex enters into the SCCs approved by the European Commission (Commission Implementing Decision (EU) 2021/914) with each Customer as appropriate. For transfers from the UK, the UK International Data Transfer Addendum is incorporated.
- Supplementary measures: In addition to the SCCs, Authex implements supplementary technical, organizational, and contractual measures to ensure that the level of protection of Personal Data is not undermined by the transfer.
- Sub-processor transfers: Authex ensures that any Sub-processor that processes Personal Data outside the EEA does so under equivalent contractual protections and transfer mechanisms.
Term and Termination
This DPA takes effect on the date the Customer agrees to the Agreement and will remain in force for the duration of the Agreement. The obligations of Authex under this DPA will survive termination of the Agreement to the extent that Authex retains any Personal Data.
Upon termination of the Agreement, Authex will:
- Cease all processing of Personal Data on behalf of the Customer, except as necessary for deletion or return
- At the Customer's election (to be communicated within 30 days of termination), return or delete all Personal Data
- If no election is made, delete all Personal Data within 90 days of termination
- Certify the deletion of Personal Data in writing upon Customer's request
Authex may retain Personal Data to the extent and for the period required by applicable law, provided that it continues to protect such data in accordance with this DPA.
Contact
For questions or requests related to this Data Processing Addendum, please contact us:
- Email: legal@authex.online
- Mail: HemanthVA Ventures LLC, 131 Continental Drive, Suite 305, Newark, DE 19713, United States