
Effective September 30, 2024
This Data Processing Agreement (this “DPA”) is entered into by and between Axonius, Inc. and its Affiliates (collectively, “Axonius”) and the entity or organization, including any participating Affiliates of such entity or organization (collectively, “Company”), that has agreed to the Axonius Terms and Conditions available at https://www.axonius.com/terms-conditions/, or otherwise executed a License Agreement or other software subscription agreement with Axonius in connection with the provision of Axonius Solutions (as applicable, the “Agreement”), and reflects such parties’ agreement with respect to the Processing of Personal Data by Axonius solely on behalf of Company. Axonius and Company are hereinafter referred to individually as a “Party” and collectively as the “Parties”. This DPA is deemed to be entered into as of the applicable effective date of the Agreement (the “Effective Date”).
Nature and Purpose of Processing
Duration of Processing
Axonius will Process Personal Data for the effective duration of the Agreement and Company’s license subscriptions to Axonius Solutions thereunder, as well as any further period either required or permitted by applicable laws or agreed to by the Parties in the Agreement and/or this DPA.
Types of Personal Data
Company may submit Personal Data to the Solutions, the extent of which is determined and controlled by Company in its sole discretion. More specifically, the following categories of Personal Data may be Processed:
No Sensitive Data may be submitted by Company.
Categories of Data Subjects
Company may transmit Personal Data to the Solutions relating to the following categories of Data Subjects: Company’s employees and users who use Company’s network.
Axonius maintains a formal cybersecurity program to safeguard the Processing of Personal Data. The program is structured according to the ISO 27001 standards and is certified on a regular basis by independent external auditors for compliance with ISO 27001 or an equivalent cybersecurity management framework. The program enables Axonius to establish comprehensive and risk-informed security measures that span the following areas and address the confidentiality and integrity of Personal Data:
Part 1 – EEA Transfer
The Parties agree that the terms of the EU SCCs are herein incorporated by reference and shall apply to any EEA Transfer, with the following specifications:
Data Exporter: Company.
Contact details: As detailed in the Agreement.
Data Exporter Role: Controller.
Activities relevant to the data transferred: As detailed in Schedule 1 of the DPA.
Signature and Date: By entering into the Agreement and the DPA, Data Exporter is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the Effective Date.
Data Importer: Axonius.
Contact details: [email protected].
Data Importer Role: Processor.
Activities relevant to the data transferred: As detailed in Schedule 1 of the DPA.
Signature and Date: By entering into the Agreement and the DPA, Data Importer is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the Effective Date.
Categories of data subjects whose data is transferred: As detailed in Schedule 1 of the DPA.
Categories of personal data transferred: As detailed in Schedule 1 of the DPA.
Frequency of the transfer: Continuous.
Nature of the processing: As detailed in Schedule 1 of the DPA.
Purpose of the data transfer and further processing: As detailed in Schedule 1 of the DPA.
Period for which the personal data will be retained: As detailed in Schedule 1 of the DPA.
For transfers to Sub-processors, the subject matter, nature, and duration of the processing are as set forth in Schedule 1 of the DPA.
The competent supervisory authority in accordance with Clause 13 is the supervisory authority stipulated in Clause 18.
Part 2 – UK Transfer
The Parties agree that the terms of the UK Addendum are herein incorporated by reference and shall apply to any UK Transfer, with the following specifications:
Part 3 – Swiss Transfer
The Parties agree that the EU SCCs as detailed in Part 1 of this Schedule 3 shall be adjusted as set out below where the FADP applies to Swiss Transfers:
Part 4 – Additional Safeguards
In the event of an EEA Transfer, a UK Transfer or a Swiss Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
a. The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different Processor systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
b. The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).
c. If the Processor becomes aware that any governmental authority, including law enforcement, wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
I. the Processor shall inform the relevant governmental authority that the Processor is a Processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing; and
II. the Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Processor’s availability. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (c)(II) shall not apply. In such an event, the Processor shall notify the Controller promptly following the access by the government authority, and provide the Controller with relevant details of the same, unless the Processor is legally prohibited from doing so.
Following the Controller’s written requests, but no more often than once every twelve (12) months, the Processor will inform the Controller of the types of binding legal demands for Personal Data it has received (if any) during the twelve (12)-month period preceding the Controller’s inquiry, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.