Data Processing Addendum

Last updated: March 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between ITLOX LTD (trading as AegisWire, “Processor”) and the Customer (“Controller”) for the provision of the AegisWire platform. It supplements and is incorporated into the Terms of Service. This DPA applies where AegisWire processes personal data on behalf of the Customer in its capacity as a data processor under the GDPR, UK GDPR, or applicable equivalent legislation.

1. Definitions

In this DPA, the following terms have the meanings given below:

Controller: The Customer, who determines the purposes and means of the processing of personal data.
Processor: ITLOX LTD (trading as AegisWire), which processes personal data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person as defined by applicable data protection law.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Data Subject: The natural person to whom personal data relates.
Applicable Data Protection Law: GDPR (EU 2016/679), UK GDPR, and any other applicable national or regional data protection legislation.
Sub-Processor: Any third party engaged by AegisWire to process personal data on behalf of the Controller.
Security Incident: A confirmed or suspected unauthorised access to, disclosure, alteration, loss, or destruction of personal data.

2. Scope and Nature of Processing

AegisWire processes personal data solely to the extent necessary to provide the platform services as described in the applicable order or contract. The processing activities covered by this DPA are:

Subject matter: Secure transport, encrypted session management, policy enforcement, and related platform operations
Duration: For the duration of the Customer's subscription and as required for wind-down upon termination
Nature and purpose: Transmission, routing, encryption, and policy-controlled filtering of data passing through the platform on behalf of the Customer
Categories of personal data: Network metadata (e.g., source/destination identifiers where present in Customer traffic); session identifiers; policy enforcement logs; any personal data contained in Customer Data transmitted through the platform
Categories of data subjects: Employees, contractors, and authorised users of the Customer organisation who use the platform; any persons whose data is transmitted through the Customer's deployment

AegisWire does not process personal data beyond what is necessary for the purposes above and does not process personal data for its own commercial purposes (including advertising or profiling).

3. Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis under applicable data protection law for all personal data it directs AegisWire to process.
  • It has provided all required notices to and obtained all required consents from data subjects.
  • Its instructions to AegisWire comply with applicable law.
  • It will notify AegisWire promptly if it becomes aware that any processing instruction violates applicable law.

4. Processor Obligations

AegisWire, as Processor, agrees to:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law (in which case AegisWire will inform the Controller of that requirement before processing, unless prohibited by law).
  • Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures as set out in Section 5 of this DPA.
  • Assist the Controller, as far as technically possible and commercially reasonable, in fulfilling its obligations to respond to data subject requests under applicable law.
  • Assist the Controller in fulfilling its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • Delete or return all personal data to the Controller upon termination of the agreement, at the Controller's choice, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Controller or an authorised auditor, subject to reasonable notice and agreement on cost.
  • Promptly notify the Controller if it becomes aware that an instruction infringes applicable data protection law.

5. Security Measures

AegisWire implements technical and organisational measures appropriate to the nature, scope, context, and purposes of the processing, and to the risks to the rights and freedoms of natural persons. These measures include, as a minimum:

  • Encryption of personal data in transit using strong cryptographic protocols (including post-quantum key exchange where deployed).
  • Encryption of personal data at rest.
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.
  • Access controls limiting processing of personal data to authorised personnel on a need-to-know basis.
  • Audit logging of significant access events.

Full details of AegisWire’s security practices are available in our Security & Trust Centre. Enterprise customers requiring additional security documentation should contact legal@aegiswire.com.

6. Security Incident Notification

AegisWire will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Security Incident affecting personal data processed under this DPA. The notification will include, to the extent available at the time:

  • A description of the nature of the Security Incident including, where possible, the categories and approximate numbers of data subjects and records concerned.
  • The contact details of AegisWire's data protection point of contact.
  • A description of the likely consequences of the Security Incident.
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

AegisWire’s notification obligation does not imply acceptance of fault or liability. The Controller remains responsible for assessing whether the incident requires notification to supervisory authorities or data subjects.

7. Sub-Processing

7.1 General Authorisation

The Controller grants AegisWire general authorisation to engage Sub-Processors for the purposes of providing the platform services. AegisWire will maintain a current list of Sub-Processors and will provide notice of additions or replacements, giving the Controller a reasonable opportunity to object before the new Sub-Processor commences processing.

7.2 Current Sub-Processors

AegisWire currently uses the following categories of Sub-Processor:

Sub-Processor: Amazon Web Services, Inc. (AWS)
Location: United States
Processing Activities: Cloud infrastructure hosting (us-west-2), content delivery, email delivery

7.3 Sub-Processor Requirements

AegisWire will impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA. AegisWire remains liable to the Controller for the acts and omissions of its Sub-Processors to the same extent as AegisWire’s own acts and omissions under this DPA.

8. International Data Transfers

Where personal data subject to GDPR or UK GDPR is transferred to a third country (including to AWS infrastructure in the United States), AegisWire will ensure that such transfers are made subject to appropriate safeguards under applicable law. These safeguards include:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (in the context of GDPR).
  • The UK International Data Transfer Addendum issued by the ICO (in the context of UK GDPR).
  • Any other transfer mechanism recognised as adequate by the applicable supervisory authority.

Copies of the relevant transfer mechanisms are available upon request from legal@aegiswire.com.

9. Data Subject Rights

AegisWire will, to the extent technically feasible and within the scope of the platform, assist the Controller in responding to data subject requests (including access, rectification, erasure, portability, restriction, and objection rights). Where AegisWire receives a data subject request directly, it will promptly forward such request to the Controller and will not respond to data subjects directly except on the Controller’s instruction or as required by law.

10. Return and Deletion of Data

Upon termination or expiry of the applicable agreement, AegisWire will, at the Controller’s choice:

  • Return all personal data to the Controller in a commonly used machine-readable format where technically feasible; or
  • Delete all personal data processed under this DPA.

AegisWire will confirm in writing when deletion is complete. AegisWire may retain personal data beyond this period only where required by applicable law, and will notify the Controller of such retention obligations where permitted by law.

11. Audit Rights

The Controller may, with at least 30 days’ written notice and no more than once per year (unless a credible Security Incident warrants more frequent review), request an audit of AegisWire’s data processing activities under this DPA. Such audits may be conducted by the Controller or a qualified independent auditor bound by confidentiality obligations. The cost of audits is borne by the Controller unless significant non-compliance is identified. AegisWire may meet this obligation by providing current third-party audit reports or certifications in lieu of direct site audits, where these adequately cover the scope of the Controller’s enquiry.

12. Updates and Governing Terms

This DPA is governed by the same law as the underlying Terms of Service. AegisWire may update this DPA to reflect changes in applicable law or sub-processor arrangements, with notice to Customers. Where updates are required by mandatory law, they take effect on the effective date specified in the notice.

To request a countersigned DPA for enterprise contract purposes, contact legal@aegiswire.com.