Data Processing Addendum
SOAX LTD — Data Processing Addendum (DPA).
Version | 1.0 |
Effective date | 1 June 2026 |
Last updated | 1 June 2026 |
Publisher | SOAX LTD, a company incorporated under the laws of England and Wales (registered no. 11828506) |
Registered office | The Charter Building, Uxbridge, England, UB8 1JG |
Contact |
This DPA forms part of, and is incorporated by reference into, the SOAX Terms of Use (the "Agreement"). Capitalised terms used but not defined here have the meanings given to them in the Agreement.
1. Purpose and Scope of this DPA
This Data Processing Addendum ("DPA") forms part of the Agreement between SOAX LTD ("SOAX", "Processor") and You ("User", "Controller") governing Your use of the Platform and Services.
In the course of providing the Platform and Services, SOAX may process personal data on behalf of and for the benefit of the User. The Parties acknowledge that SOAX's role in relation to such personal data is limited by the technical design of the Services. SOAX does not access, inspect or store the content of communications or request payloads transmitted through the Services and does not retain full URLs beyond the hostname level. The Services are not designed to store such content.
This DPA is intended to ensure that such processing is carried out in accordance with Applicable Data Protection Law, including Article 28(3) of the GDPR, which requires that processing by a processor on behalf of a controller be governed by a binding contract setting out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data, the categories of data subjects, and the obligations and rights of the controller.
For the purposes of this DPA, SOAX acts as a processor and shall process personal data only on the documented instructions of the User, as set out in this DPA and the Agreement.
The processing covered by this DPA is limited to the provision of the Platform and Services. In this context, SOAX processes personal data solely as part of providing the Platform and does not determine the purposes or means of the processing carried out by the User, nor does it control the content of data processed by the User through the Platform.
Nothing in this DPA shall be interpreted as expanding the scope of SOAX's role beyond that of a processor in respect of the processing described herein.
Notwithstanding the foregoing, SOAX may act as an independent controller for processing personal data for its own legitimate business purposes, including account administration, billing, identity verification, fraud and abuse prevention, security, legal compliance and service improvement. Such processing is governed by the Privacy Policy and Applicable Data Protection Law, and not by this DPA.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below.
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including, without limitation, the UK General Data Protection Regulation and the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679), and any applicable national implementing legislation, regulations, or amendments thereto.
"Controller", "Processor", "Data Subject", "Personal Data" and "Processing" shall have the meanings given to them under Applicable Data Protection Law.
Capitalised terms not defined in this DPA shall have the meanings given to them in the Agreement.
3. Processing of Personal Data
SOAX shall process personal data for the purposes and only to the extent necessary to provide the Platform and Services in accordance with the Agreement.
The processing carried out by SOAX under this DPA is limited to what is required for the performance of the Agreement and shall be subject to the terms and conditions set out therein.
4. Categories of Data Subjects and Types of Personal Data
The categories of Data Subjects whose personal data may be processed by SOAX on behalf of the User include individuals whose Personal Data the User chooses to process while using the Platform and Services.
The types of personal data which may be processed by SOAX on behalf of the User include any personal data of individuals whose Personal Data the User chooses to process while using the Platform and Services.
5. Controller Instructions
SOAX shall process personal data only on the documented instructions of the User, as set out in this DPA and the Agreement.
The User's use of the Platform and Services, including any configurations, requests, or actions performed through the Platform, shall constitute documented instructions to SOAX for the purposes of this DPA.
SOAX shall not be obliged to comply with any instruction that, in its reasonable opinion, violates Applicable Data Protection Law, other applicable laws or regulations, the Agreement, or may adversely affect the security, integrity or operation of the Platform and Services. In such cases, SOAX may suspend, restrict or refuse the relevant processing and, where appropriate, notify the User of the reason for such decision.
6. Controller Obligations
The User shall be solely responsible for determining the purposes and means of the processing of personal data carried out in connection with its use of the Platform and Services.
The User represents and warrants that it has, and shall maintain at all times, a valid legal basis for the processing of personal data and that such processing complies with all Applicable Data Protection Law and other applicable laws and regulations.
The User shall be solely responsible for complying with all transparency, lawfulness and accountability requirements under Applicable Data Protection Law in relation to its use of the Platform and Services, including providing any required notices and obtaining any necessary consents or authorisations.
The User shall be solely responsible for the accuracy, quality, legality and appropriateness of any personal data processed through the Platform and Services.
The User shall ensure that its instructions to SOAX regarding the processing of personal data comply with Applicable Data Protection Law and other applicable laws and regulations.
Without limiting the foregoing, the User shall ensure that its use of the Platform and Services complies with Applicable Data Protection Law and does not unlawfully infringe the privacy or data protection rights of any third party.
7. Processor Obligations
SOAX shall process personal data only on documented instructions from the User, as set out in this DPA and the Agreement, and in compliance with Applicable Data Protection Law.
SOAX shall ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations and receive appropriate training and guidance relating to the handling and protection of personal data.
8. Assistance to Controller
SOAX shall provide reasonable assistance to the User in fulfilling its obligations under Applicable Data Protection Law, taking into account the nature of the processing carried out by SOAX and the information available to SOAX.
Such assistance may include, where applicable, assistance with responding to requests from Data Subjects and supporting the User in relation to data protection impact assessments or consultations with supervisory authorities.
In case of any requests made by Data Subjects, competent authorities or any other third parties to SOAX regarding the processing of Personal Data covered by this DPA, SOAX shall refer such requests to the User.
SOAX shall not be required to provide assistance beyond what is required under Applicable Data Protection Law or that would require disproportionate effort, taking into account the nature of the Services.
9. Security Measures
SOAX shall implement and maintain appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
Such measures shall be implemented taking into account the nature, scope, context and purposes of processing.
These measures may include, where appropriate, access controls, authentication and identity management measures, encryption, logging and monitoring mechanisms, incident detection and response processes, and other measures designed to protect personal data.
SOAX undertakes not to disclose or otherwise make Personal Data processed under this DPA available to any third party without the User's prior written consent, except for subprocessors engaged in accordance with this DPA.
10. Subprocessors
The User acknowledges and agrees that SOAX may engage third-party service providers to support the provision of the Platform and Services.
The User hereby grants a general authorization to SOAX to enter into agreements with such third-party service providers for the performance of SOAX's obligations under this DPA and the Agreement.
SOAX shall ensure that any such third-party service providers are subject to contractual data protection obligations no less protective than those set out in this DPA.
SOAX shall remain responsible for the performance of its subprocessors' data protection obligations to the extent required under Applicable Data Protection Law.
SOAX is hereby permitted to continue the processing of Personal Data by those third-party service providers engaged by SOAX as at the date of this DPA. A full list of such third-party service providers may be provided to the User upon reasonable request.
SOAX may appoint new third-party service providers in connection with the provision of the Platform and Services and shall make information about such third-party service providers available to the User. The User may object to the appointment of a new third-party service provider on reasonable and documented grounds relating to the proposed provider's non-compliance with Applicable Data Protection Law.
11. International Data Transfers
The User acknowledges that personal data may be transferred to, and processed in, countries outside the United Kingdom and the European Economic Area in connection with the provision of the Platform and Services.
Where such transfers occur, SOAX shall ensure that appropriate safeguards are implemented in accordance with Applicable Data Protection Law.
Such safeguards may include, as applicable:
the use of the Standard Contractual Clauses approved by the European Commission, including, where applicable, the UK International Data Transfer Addendum, or the UK International Data Transfer Agreement (IDTA);
reliance on adequacy decisions, where applicable;
the implementation of additional technical and organisational measures to ensure an adequate level of protection.
12. Data Breach Notification
In the event of a personal data breach affecting personal data processed by SOAX on behalf of the User, SOAX shall notify the User without undue delay after becoming aware of such breach.
Such notification shall include, to the extent available at the time of notification, information on the nature of the breach, the categories of personal data concerned, and any measures taken or proposed to be taken to address or mitigate the possible adverse effects of the breach.
SOAX shall take appropriate steps designed to contain, investigate and mitigate the effects of the breach and shall provide the User with additional relevant information as it becomes available, taking into account the information available to SOAX and the nature of the Services.
Unless required by Applicable Data Protection Law, SOAX shall not be responsible for notifying Data Subjects, supervisory authorities or other third parties of any personal data breach. The User shall remain solely responsible for complying with any breach notification obligations applicable to the User under Applicable Data Protection Law.
13. Data Retention and Deletion
SOAX shall process personal data for as long as necessary to provide access to the Platform and Services under the Agreement, unless otherwise required or permitted by Applicable Data Protection Law.
Upon termination or expiration of the Agreement, SOAX shall delete or, where applicable, return personal data processed on behalf of the User, unless retention of such personal data is required or permitted under Applicable Data Protection Law.
Notwithstanding the foregoing, SOAX may retain limited personal data where necessary for security, fraud prevention, dispute resolution, enforcement of the Agreement, or compliance with legal and regulatory obligations, in accordance with Applicable Data Protection Law.
Where personal data is retained in accordance with this Section, SOAX shall continue to protect such data in accordance with this DPA and Applicable Data Protection Law.
14. Audit and Compliance
SOAX shall make available to the User such information as is reasonably necessary to demonstrate compliance with its obligations under this DPA.
To the extent required by Applicable Data Protection Law, and subject to reasonable prior notice, confidentiality obligations, and appropriate safeguards, the User may request additional information or documentation relating to SOAX's processing of personal data.
Any audit or inspection by the User shall be permitted only to the extent required by Applicable Data Protection Law and where the information made available by SOAX is not sufficient to demonstrate such compliance.
Any such audit or inspection shall be conducted in a manner that does not unreasonably interfere with SOAX's business operations, and shall be subject to reasonable confidentiality obligations and carried out at the User's expense.
15. Liability
The liability of the Parties arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall be construed as independently expanding the scope of either Party's liability under the Agreement.
16. Term and Termination
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, except to the extent that any provisions of this DPA are intended to survive such termination or expiration.
17. Governing Law
This DPA shall be governed by and construed in accordance with the laws governing the Agreement.
18. Modification
SOAX reserves the right to modify this DPA from time to time in accordance with any modification mechanism provided in the Agreement.
Effective Date: 1 June 2026