Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Anvixa AI ("Anvixa", "Processor", "we", "us") and you ("Customer", "Controller", "you") and governs the processing of personal data by Anvixa on behalf of the Customer.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other similar regulations.
- "Sub-processor" means any third party engaged by Anvixa to process Personal Data on behalf of the Customer.
2. Scope and roles
When you use Anvixa to process Personal Data of your end users or customers, you act as the Controller and Anvixa acts as the Processor. This DPA applies to all processing of Personal Data by Anvixa on your behalf in connection with the Service.
3. Data processing details
3.1 Categories of data subjects
- Customer's employees and authorized users
- Customer's end users and contacts (if uploaded or processed through the Service)
3.2 Types of Personal Data processed
- Account information (name, email address)
- Authentication data (Google OAuth tokens)
- Content data (text, images, and other content uploaded or generated)
- Usage data (logs, analytics, feature usage)
- Social media account data (when connected for publishing)
3.3 Processing purposes
- Providing and operating the Service
- User authentication and account management
- Content generation and storage
- Social media publishing
- Customer support
- Service improvement and analytics
3.4 Duration of processing
Personal Data will be processed for the duration of the service agreement. User-generated content is automatically deleted after 15 days. Account data is retained until account deletion is requested.
4. Processor obligations
Anvixa agrees to:
- Process Personal Data only on documented instructions from the Customer, unless required by law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Customer in responding to data subject requests where possible
- Delete or return Personal Data upon termination of the service, subject to legal retention requirements
- Make available information necessary to demonstrate compliance with this DPA
5. Sub-processors
The Customer authorizes Anvixa to engage the following categories of Sub-processors to process Personal Data:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud | Authentication (OAuth) | United States |
| Google (Gemini AI) | AI content generation | United States |
| Black Forest Labs (FLUX) | AI image generation | Germany/United States |
| Cloudflare (R2) | File storage | Global |
| Stripe | Payment processing | United States |
| Resend | Email delivery | United States |
| Upstash | Queue/rate limiting | United States |
| Meta (Facebook/Instagram) | Social media publishing | United States |
| Google Analytics | Usage analytics | United States |
Anvixa will notify the Customer of any intended changes to Sub-processors by updating this list. The Customer may object to a new Sub-processor by terminating the service.
6. International transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, Anvixa relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Other lawful transfer mechanisms as required by Data Protection Laws
7. Security measures
Anvixa implements appropriate technical and organizational measures including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest where applicable
- Access controls and authentication
- Regular security assessments
- Employee confidentiality agreements
- Incident response procedures
8. Data subject rights
Anvixa will assist the Customer in fulfilling data subject requests (access, rectification, erasure, portability, etc.) to the extent technically feasible. Requests should be directed to privacy@anvixa.app.
9. Data breach notification
In the event of a Personal Data breach, Anvixa will notify the Customer without undue delay after becoming aware of the breach. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
10. Audit rights
Upon reasonable request and subject to confidentiality obligations, Anvixa will make available information necessary to demonstrate compliance with this DPA. Anvixa may satisfy audit requests through third-party audit reports or certifications.
11. Limitation of liability
The limitations of liability set forth in the Terms of Service apply to this DPA. Anvixa's total liability under this DPA shall not exceed the amounts paid by the Customer in the 12 months preceding the claim.
12. Term and termination
This DPA remains in effect for the duration of the service agreement. Upon termination, Anvixa will delete Personal Data in accordance with its standard data retention policies, unless retention is required by applicable law.
Contact
For questions about this DPA or data protection matters, contact us at:
- Email: privacy@anvixa.app
- General support: support@anvixa.app