Effective Date: July 10, 2026
This Data Processing Addendum ("DPA") supplements the Axori OS Terms of Service between Axori LLC ("Axori," "Processor") and the customer identified in the applicable account ("Customer," "Controller"). Where this DPA conflicts with the Terms of Service, this DPA controls with respect to the processing of Customer Personal Data.
1. Definitions
"Customer Personal Data" — any personal information relating to an identified or identifiable natural person that Customer, or Customer's own end users, uploads to or generates within the Service. This includes, without limitation: names, addresses, telephone numbers, email addresses, and payment records.
"Processing" — any operation performed on Customer Personal Data, including collection, storage, use, transmission, and deletion.
"Sub-processor" — a third party engaged by Axori to process Customer Personal Data.
"Security Incident" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
2. Roles
Customer is the Controller. Customer determines the purposes and means of processing Customer Personal Data.
Axori is the Processor. Axori processes Customer Personal Data only on Customer's documented instructions.
Customer's instructions are: (a) the Terms of Service; (b) this DPA; and (c) Customer's use of the Service's features.
3. Axori's Obligations
Axori will:
3.1 Process Customer Personal Data only to provide the Service, and only on Customer's documented instructions. Axori will not sell Customer Personal Data, share it for cross-context behavioral advertising, or process it for any purpose of its own.
3.2 Not use Customer Personal Data to train general-purpose artificial intelligence models. Where AI is used to process Customer Personal Data in delivering the Service, it is used solely to produce output for that Customer.
3.3 Ensure that personnel with access to Customer Personal Data are bound by confidentiality obligations.
3.4 Implement and maintain appropriate technical and organizational security measures, described in Annex B.
3.5 Assist Customer, taking into account the nature of processing, in responding to requests from individuals exercising their rights, and in meeting Customer's own security, breach-notification, and impact-assessment obligations.
3.6 Notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Incident affecting Customer Personal Data. The notice will describe the nature of the incident, the categories and approximate number of records affected, the likely consequences, and the measures taken.
3.7 On termination, delete Customer Personal Data in accordance with the Terms of Service (a thirty (30) day export window, then permanent deletion), except where retention is required by law. Encrypted backups expire on Axori's standard rotation schedule.
3.8 Make available to Customer the information reasonably necessary to demonstrate compliance with this DPA.
4. Sub-processors
4.1 Customer authorizes Axori to engage the Sub-processors listed in Annex A.
4.2 Axori will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for its Sub-processors' performance.
4.3 Axori will give Customer at least thirty (30) days' notice before adding or replacing a Sub-processor. Customer may object on reasonable data protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected Service without penalty.
5. Customer's Obligations
5.1 Customer is responsible for the lawfulness of the Customer Personal Data it uploads, and for having any consent, notice, or legal basis required to collect it and to have Axori process it.
5.2 Where Customer uses the Service to collect Taxpayer Identification Numbers, Social Security Numbers, or other sensitive personal data from its own contractors, vendors, or other third parties (for example, on IRS Form W-9 or equivalent), Customer represents, warrants, and covenants that:
- It is fully authorized to collect that information and to instruct Axori to process it;
- It has obtained all necessary consents, authorizations, and notices from each individual whose personal data is being collected (including under applicable tax information reporting and data privacy laws);
- It will use such information solely for lawful tax reporting, payment, contractor management, and legitimate business purposes; and
- It will not upload special categories of data (health information, biometric data, precise geolocation of individuals, or data concerning children under 13) unless expressly agreed in writing by Axori in advance.
Axori reserves the right to suspend or condition any feature involving collection of sensitive third-party data until Axori is satisfied that appropriate safeguards and agreements are in place.
5.3 Customer will not upload special categories of data (health information, biometric data, precise geolocation of individuals, or data concerning children under 13) unless expressly agreed in writing.
6. International Transfers
Axori processes and stores Customer Personal Data in the United States. Axori does not currently offer data residency outside the United States.
7. Audit
Axori will, no more than once per twelve (12) month period and on reasonable written notice, make available documentation reasonably necessary to demonstrate compliance with this DPA. On-site audits, where required by a Customer's regulator, will be conducted at Customer's expense, during business hours, subject to confidentiality, and without unreasonably disrupting Axori's operations.
8. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.
ANNEX A — Sub-processors
Customer authorizes Axori to engage the following Sub-processors to process Customer Personal Data in order to deliver the Service. Axori remains fully liable for their compliance with this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Google LLC) | Core hosting, compute, database, storage, secrets management, and logging for the Service | United States |
| Stripe, Inc. | Processing of Customer's payment method for Axori subscription fees (Axori does not process or move funds on behalf of Customer's own clients or customers) | United States |
| Anthropic, PBC | AI model inference for document processing, receipt and expense categorization, data extraction, and content generation | United States |
| OpenPhone Technologies, Inc. | SMS messaging and notifications sent on Axori's behalf | United States |
| Google Workspace (Google LLC) | Delivery of service and notification emails on Axori's behalf | United States |
Certain custom or legacy deployments may involve additional sub-processors for specifically configured features (for example, voice-call or transcription providers). Where that applies, the additional sub-processors are disclosed to the affected Customer at onboarding.
Last verified against the live stack: July 10, 2026.
ANNEX B — Technical and Organizational Security Measures
Infrastructure. The Service runs on Google Cloud Platform in the United States.
Encryption in transit. All data transmitted between Customer and the Service is encrypted using TLS.
Encryption at rest. Customer Personal Data is encrypted at rest using the platform's managed AES-256 encryption.
Access control. Access to production systems is restricted to authorized personnel. Authentication uses per-tenant credentials; tenant data is isolated by tenant identifier and enforced at the API layer.
Secrets management. Credentials and API keys are stored in Google Secret Manager, not in source code. Automated secret scanning runs on every commit.
Payment data. Axori does not store full payment card numbers. Card data is tokenized by Stripe.
Read-only financial connections. Where the Service connects to a Customer's payment processor, the connection uses read-only scopes. Axori cannot initiate, capture, refund, or transfer funds.
Logging. System and access events are logged.
Backups. Data is backed up and encrypted.
Breach notification. Axori will notify Customer of a Security Incident affecting Customer Personal Data within seventy-two (72) hours of becoming aware of it.
Signature
This DPA is incorporated into the Terms of Service by reference and does not require signature for standard subscriptions. Enterprise customers may request a countersigned copy at maxx@axori.ai.
Axori LLC · Henderson, Nevada · maxx@axori.ai