Data Processing Agreement

Version

1.0

Effective Date

March 19, 2026

Entity

Axle Tech, Inc.

Address

20 W 22nd Street, Suite 1411–1412, New York, NY 10010

About this document

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement, Order Form, or other written agreement (collectively, the "Agreement") between Axle Tech, Inc., a Delaware corporation with its principal place of business at 20 W 22nd Street, Suite 1411-1412, New York, NY 10010 ("Axle" or "Provider"), and the Customer identified in the Agreement or as set forth in the signature block below ("Customer"), and governs the processing of Customer Data (as defined in the Agreement) by Axle on behalf of Customer. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement.

In the course of providing the Services to Customer pursuant to the Agreement, Axle may Process Customer Data on behalf of Customer. Axle agrees to comply with the following provisions with respect to Customer Data Processed by Axle as part of the Services.

01

Definitions

1.1 "Affiliate" means any legal entity directly or indirectly controlling, controlled by, or under common control with a party, where "control" means ownership of a majority of the voting stock, equity, or voting interests of such entity.

1.2 "Agents" means all third-party service providers (including Sub-processors) that Axle Tech and its Affiliates engage to Process Customer Data on their behalf in connection with the Services.

1.3 "Axle Tech Information Security Policy" means the information security documentation applicable to the specific Services purchased by Customer, as updated from time to time and made available by Axle Tech upon written request. As of the Effective Date, Axle Tech's primary information security documentation is the Axle Tech AI/ML Usage Controls Policy, a copy of which is attached as Exhibit 1.

1.4 "CCPA/CPRA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 et seq.).

1.5 "Data Privacy Framework" or "DPF" means the EU-US Data Privacy Framework, as administered by the U.S. Department of Commerce and approved by the European Commission, including the Data Privacy Framework Principles set forth at www.dataprivacyframework.gov.

1.6 "Individual" means a natural person to whom Personal Data relates, also referred to as a "Data Subject" pursuant to EU data protection laws and regulations.

1.7 "Model Training" means the use of data to train, fine-tune, improve, or develop any artificial intelligence, machine learning, or large language model on a generalized or persistent basis, including for use outside or beyond the scope of a specific Customer's account.


1.8 "On-Premises Software" means Axle Tech software deployed by Customer within Customer’s own IT environment, where Customer Data does not leave Customer’s infrastructure unless cloud-connected features are explicitly enabled by Customer.


1.9 "Personal Data" means data about an identified or identifiable Individual.

1.10 "Privacy and Security Requirements" means applicable data protection and privacy laws and regulations (including, as applicable, the CCPA/CPRA, GDPR, and UK GDPR) and the Axle Tech Information Security Policy, in each case solely as applicable to Axle Tech's Processing of Personal Data under this DPA.

1.11 "Process" or "Processing" means any operation or set of operations performed upon Customer Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.

1.12 "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries.

1.13 "Security Incident" means any confirmed or reasonably suspected unauthorized access to, acquisition of, or disclosure of Customer Data by Axle Tech or its Affiliates or Agents of which Axle Tech becomes aware.

1.14 "Sub-processor" means any third-party processor engaged by Axle Tech to Process Customer Data in connection with the provision of the Services, as listed in Annex 4 to this DPA.

1.15 "UK GDPR" means the GDPR as it forms part of United Kingdom domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

02

Data Processing

2.1 Scope and Roles. This DPA applies when Customer Data is Processed by Axle as part of the Services, as further specified in the Agreement and the applicable Order Form. To the extent that EU Privacy Laws and Regulations or the UK GDPR apply to the Personal Data included in Customer Data that Axle Processes for Customer, Customer is the Data Controller and Axle and its applicable Affiliates are the Data Processor under such laws and regulations.

2.2 Processing of Customer Data. Customer’s instructions to Axle to Process Customer Data will comply with all Privacy and Security Requirements. Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Customer acquired Personal Data, and Customer’s permissions to Process Personal Data pursuant to this DPA.

2.3 Instructions for Axle Tech's Processing of Customer Data. Axle will only Process Customer Data on behalf of and in accordance with Customer’s documented instructions as set forth herein. Customer instructs Axle to Process Customer Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Forms; and (ii) Processing to comply with other reasonable written instructions expressly provided by Customer where such instructions are consistent with the Agreement and comply with applicable Privacy and Security Requirements. Any additional instructions outside the scope of this DPA must be agreed in writing by the parties and may be subject to additional fees.

2.4 Processing for Legitimate Purposes. Notwithstanding the foregoing, Axle may Process Customer Data for legitimate business purposes, including archiving, back-up and disaster recovery, cyber security, service operations, improvements and development of Axle’s Services, fraud and service misuse prevention, and legal and administrative proceedings, all in accordance with the Privacy and Security Requirements.

2.5 Restrictions on Model Training. Notwithstanding anything to the contrary in this DPA or the Agreement, Axle will not use, access, Process, or otherwise exploit any Customer Data for the purpose of Model Training, whether to benefit third parties, to improve Axle’s general AI/ML models, or for any other purpose. For the avoidance of doubt, Axle’s AI/ML systems operate solely on data required for real-time functionality and outputs, and Customer Data is never retained for model training purposes, consistent with Axle’s AI/ML Usage Controls Policy. Axle will not permit any third party, including Sub-processors, Affiliates, or Agents, to use Customer Data for Model Training or AI development. For clarity, the use of properly anonymized and aggregated data is governed by Section 11 of this DPA.

2.6 On-Premises Software. For On-Premises Software, Axle’s obligations under this DPA apply solely to the extent that Axle Processes Customer Data in connection with support, maintenance, or cloud-connected features explicitly enabled by Customer. Customer is solely responsible for the security of its own infrastructure, network, and data storage for On-Premises deployments.

03

Rights of Individuals

3.1 Requests. Axle will, to the extent legally permitted, promptly notify Customer (and in any event within five (5) business days of receipt) if it receives a request from an Individual whose Personal Data is included in Customer Data, or a request by such Individual’s legal guardians, to exercise any right to access, correct, amend, delete, restrict, or port their Personal Data, or to exercise any other right to which the Individual is entitled pursuant to applicable Privacy and Security Requirements.

3.2 Assistance. Axle will provide Customer with commercially reasonable cooperation and assistance, at Customer’s reasonable expense for excessive or repetitive requests, in handling an Individual’s request, to the extent legally permitted under applicable Privacy and Security Requirements, and to the extent Customer does not have direct access to such Personal Data through its use of the Services. Axle will not respond to any such request without Customer’s prior written authorization, except to acknowledge receipt and inform the Individual that the request has been forwarded.

04

Axle Personnel

4.1 Limitation of Access. Axle will ensure that Axle’s access to Customer Data is limited to those personnel who require such access to perform the Services.

4.2 Confidentiality. Axle will impose appropriate contractual obligations upon its personnel and third-party contractors engaged in the Processing of Customer Data, including obligations regarding confidentiality, data protection, and data security. Axle will ensure that its personnel engaged in the Processing of Customer Data: (i) are informed of the confidential nature of the Customer Data; (ii) have received appropriate training in their responsibilities commensurate with their access; and (iii) have executed written confidentiality agreements that survive the termination of their employment or engagement.

05

Affiliates and Third-Party Service Providers

5.1 Affiliates. Some or all of Axle’s obligations under this DPA may be performed by Axle Affiliates, provided that Axle remains responsible for its Affiliates’ compliance with this DPA.

5.2 Agents. Customer acknowledges and agrees that: (i) Axle’s Affiliates may Process Customer Data on Axle’s behalf to perform the Services under the Agreement; and (ii) Axle and its Affiliates may engage Agents in the performance of the Services. Axle will conduct reasonable and appropriate due diligence on all Agents’ privacy, security, and compliance practices before permitting them to Process Customer Data and on a periodic basis thereafter. All Affiliates and Agents to whom Axle transfers Customer Data to provide the Services have entered into written agreements that bind them by substantially the same material data protection obligations as those under this DPA.

5.3 Liability. Axle will be liable for the acts and omissions of its Affiliates and Agents to the same extent Axle would be liable if performing the relevant Services directly under the terms of this DPA.

5.5 Notification and Objection to New Sub-Processors. Axle will notify Customer of any intended addition or replacement of Sub-processors or Agents by updating Annex 4 to this DPA at least thirty (30) days in advance. Customer may object to the engagement of a new Sub-processor or Agent on reasonable grounds relating to the protection of Customer Data within thirty (30) days of such notification. If Customer raises such an objection, the parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Axle will, at its sole discretion, either not appoint the new Sub-processor or Agent, or permit Customer to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

06

Additional Terms for EEA and UK Personal Data

6.1 To the extent Axle self-certifies to and maintains certification under the DPF, Axle will comply with the DPF Principles for transfers of Customer Personal Data from the EEA, UK, or Switzerland, including the requirements for onward transfers to Sub-processors. Axle will notify Customer if it ceases to maintain DPF certification.

6.2 All Axle Affiliates and Agents to whom Axle transfers Personal Data to provide the Services are certified to the DPF, or provide at least the same level of protection for such Personal Data as is required by the relevant DPF Principles, and comply with the requirements of the DPF for onward transfers of Personal Data to Agents.

6.3 Axle and its Affiliates and Agents will take all measures necessary to facilitate the lawful Processing of Personal Data in accordance with all applicable Privacy and Security Requirements.

6.4 Customer authorizes the transfer of Personal Data to any jurisdiction outside the EEA or UK, including the United States, for the purpose of providing the Services, pursuant to the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, which are incorporated by reference into this DPA as Schedule 1 and apply to any Personal Data transfers outside the EEA, including onward transfers to Sub-processors, together with the UK Addendum incorporated as Schedule 2. Axle and its Affiliates and Agents to whom Axle transfers Personal Data to provide the Services will comply with the SCCs in all respects, with Customer as the controller and Axle and its applicable Affiliates and Agents as processors.

6.5 For transfers of Personal Data subject to the Swiss Federal Act on Data Protection, references in the SCCs to the GDPR shall be read as referring to the Swiss FDPA, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.

07

Security

7.1 Controls. Axle will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Data, pursuant to the Axle Information Security Policy and in compliance with the Privacy and Security Requirements. The technical and organizational measures maintained by Axle are described in Annex 3 to this DPA. Axle regularly monitors compliance with these safeguards. Axle will not materially decrease the overall security of the Services during the term of the Agreement.

7.2 Policies, Certifications, and Audit Reports. Axle uses external auditors to verify the adequacy of its security measures. The internal controls of the Services are subject to periodic testing by such auditors. Upon Customer’s written request at reasonable intervals and subject to confidentiality limitations, Axle will make available to Customer (provided Customer is not a direct competitor of Axle), or to a third-party auditor on Customer’s behalf (provided such auditor is not a direct competitor of Axle and has executed Axle’s non-disclosure agreement), the then-current Axle Information Security Policy and summaries of third-party audit or certification reports commonly made available to Axle customers.

7.3 On-Site Audit. Customer may conduct or commission an on-site audit of Axle’s data processing practices, subject to: (i) at least forty-five (45) days’ prior written notice; (ii) once per calendar year absent a Security Incident requiring broader review; (iii) conducted by a mutually acceptable third-party auditor subject to a confidentiality undertaking; (iv) conducted in a manner that does not unreasonably disrupt Axle’s operations or compromise the security of other customers’ data; and (v) at Customer’s expense, except that if the audit reveals material non-compliance by Axle, Axle shall bear the reasonable documented costs of the audit. Customer agrees that where Axle provides a current third-party audit report or certification covering the relevant subject matter, Customer will accept such report in lieu of an on-site audit unless Customer has reasonable documented grounds to believe it does not address its specific compliance concerns.

08

Security Breach Management and Notification

8.1 Breach Prevention and Management. Axle will maintain security incident management policies and procedures and will, to the extent permitted by law, promptly notify Customer without undue delay (no later than seventy-two (72) hours of discovery of the incident) of any Security Incident. Notification shall be provided to Customer’s designated privacy or security contact and shall include: (a) a description of the nature of the Security Incident, including the categories and approximate number of Individuals and records affected; (b) the name and contact details of Axle’s privacy contact; (c) the likely consequences of the Security Incident; and (d) the measures taken or proposed to address the Security Incident. Where complete information is not available at the time of initial notification, Axle shall provide further information as it becomes available without undue delay.

8.2 Remediation. To the extent that a Security Incident is caused by a violation of Axle’s obligations under this DPA, Axle will identify and make reasonable efforts to remediate the cause of such Security Incident at Axle’s own expense. Axle’s notification of or response to a Security Incident shall not constitute an admission of fault or liability.

8.3 Cooperation. Axle shall cooperate with Customer and provide reasonable assistance in Customer’s investigation of and response to a Security Incident, including preparation of any required regulatory notifications.

09

Customer Privacy Obligations

Customer undertakes to: (a) provide adequate notices to Individuals about the Processing of their Personal Data as required by applicable Privacy and Security Requirements; (b) obtain all necessary consents and authorizations required for Axle to Process Customer Data as instructed under this DPA; and (c) promptly notify Axle if Customer becomes aware of any actual or suspected Security Incident affecting Customer Data within Customer’s own environment.

10

Deletion and Retention of Personal Data

10.1 Data Deletion. Axle will return Customer Data to Customer or delete such data within thirty (30) days of the effective date of termination of the Services, or sooner upon Customer’s written request. At Customer’s request, Axle will certify in writing that it has completed the deletion of Customer Data from its systems. Axle will impose the same deletion and certification obligation on all Sub-processors of Customer Data.

10.2 Data Retention. Notwithstanding the foregoing, Customer acknowledges and agrees that Axle may retain copies of Customer Data solely as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain data pursuant to legal requirements and to use such data to protect Axle, its Affiliates, Agents, and any person on their behalf in court and administrative proceedings, and for investigations and inspections related to Axle’s Services. Any retained data shall remain subject to all obligations of this DPA.

10.3 Backup Purge. Axle shall use commercially reasonable efforts to purge Customer Data from backup systems within ninety (90) days of the applicable deletion date. During this period, such data shall not be accessed or used for any purpose other than backup restoration.

10.4 On-Premises. For On-Premises Software, Customer is solely responsible for data management, deletion, and export within its own environment. Axle has no obligation to delete or return data that it does not hold or control.

11

Anonymized and Aggregated Data

Axle shall not Process Customer Data in non-anonymized form for any purposes beyond those authorized in this DPA. Axle may use properly anonymized and aggregated data derived from Customer Data (from which no Individual or Customer can be identified or re-identified) for internal product improvement, service analytics, and benchmarking purposes, provided such use complies with applicable Privacy and Security Requirements. Such anonymized and aggregated data does not constitute Customer Data or Personal Data for purposes of this DPA.

12

Limitation of Liability

13

Term

This DPA will commence on the same date that the Agreement is effective, and will survive for as long as Axle or its Affiliates or Agents possess Customer Data. The obligations of confidentiality, security, and data deletion set forth in this DPA shall survive the termination or expiry of the Agreement.

14

Compliance

14.1 Axle’s compliance and privacy team is responsible for ensuring that all relevant Axle personnel adhere to this DPA and applicable Privacy and Security Requirements. Axle will maintain records of all categories of Processing activities carried out on behalf of Customer as required by Article 30(2) GDPR, including categories of Processing, transfer details, and a description of Axle’s technical and organizational measures, and will make such records available to competent supervisory authorities upon request. Axle will cooperate with and respond to enquiries from any competent supervisory authority in connection with this DPA.

14.2 Axle’s privacy and compliance team can be reached at: contact@axleaccess.com.

15

General

15.1 Order of Precedence. In the event of a conflict between this DPA and the Agreement with respect to data protection matters, this DPA shall prevail. The SCCs and UK Addendum shall prevail over this DPA with respect to international transfers to the extent of any inconsistency.

15.2 Amendments. Axle may amend this DPA to reflect changes in applicable Privacy and Security Requirements upon at least thirty (30) days’ prior written notice to Customer. Customer may object to any such amendment within thirty (30) days of notice. All other amendments require the written agreement of both parties.

15.3 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of New York, United States, without prejudice to any mandatory provisions of applicable Privacy and Security Requirements. Any disputes shall be subject to the exclusive jurisdiction of the courts of New York County, New York, subject to Schedule 1 with respect to EEA/UK transfer disputes.

15.4 Entire Agreement. This DPA, including all Annexes and Schedules, constitutes the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior representations, agreements, and understandings relating to the Processing of Customer Data.

15.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.6 Counterparts. This DPA may be executed in counterparts, including electronically, each of which shall be deemed an original and all of which together shall constitute one agreement.

CUSTOMER:
Authorized Signatory:
Print Name:
Title:
Date:

AXLE TECH, INC.:
Authorized Signatory:
Print Name: Sam Shapiro
Title: Chief Executive Officer
Date:

Schedule 1

Standard Contractual Clauses

The parties incorporate by reference the Standard Contractual Clauses (Module Two: Controller to Processor) pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The full text of the SCCs is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. The SCCs are completed as follows:

  • Clause 7 (Docking Clause) does not apply.
  • Clause 9 (Use of Sub-processors): Option 2 (general written authorization) applies. The minimum notice period for Sub-processor changes is thirty (30) days.
  • Clause 11 (Redress): The optional language does not apply.
  • Clause 17 (Option 1): The SCCs are governed by the laws of Ireland.
  • Clause 18(b): Disputes shall be resolved before the courts of Ireland.
  • Annex I: As set out in Annex 1 to this Schedule 1.
  • Annex II: As set out in Annex 3 to this Schedule 1.
  • Annex III (Sub-processor list): As set out in Annex 4 to this DPA.

The parties agree that by executing this DPA, they are deemed to have executed the SCCs with effect from the Effective Date, with Customer as the data exporter and Axle Tech as the data importer.

Schedule 2

UK International Data Transfer Addendum

The parties agree to and incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (Version B1.0), available at ico.org.uk ("UK Addendum"), completed as follows: Table 1 using the party information in Annex 1; Table 2 using the SCCs incorporated under Schedule 1; Table 3 using the party information from Annex 1 and the processing details from Annex 2; Table 4: neither party may terminate the UK Addendum pursuant to Section 19 thereof. The parties shall cooperate in good faith to update this DPA if the ICO issues a revised Approved Addendum.

Annex 1

List of Parties

Data exporter

The Customer, as identified in the Agreement. Contact: Customer's designated privacy or data protection contact, as set out in the Agreement and/or Customer's Axle Tech account profile. Role: Controller (or Processor on behalf of Controller where Customer acts as a processor).

Data importer

Axle Tech, Inc. Address: 20 W 22nd Street, Suite 1411–1412, New York, NY 10010, United States. Contact: contact@axleaccess.com. Role: Processor (or Sub-processor where Customer acts as Processor).

Annex 2

Details of Data Processing

Element

Details

Categories of data subjects

Customer's authorized users, employees, contractors, and collaborators. Other parties to video calls, meetings, or collaborative sessions recorded or processed through the Services. Any other individuals whose Personal Data is contained within media content, metadata, or other materials uploaded to the Services by Customer or its users.

Categories of personal data

Account and user credentials (name, email address, password hash, user ID). Usage logs, activity records, IP addresses, and device identifiers. Media content uploaded by Customer, including audio, video, images, and associated metadata. Transcripts, notes, tags, and AI-generated metadata derived from Customer-uploaded content. Any other Personal Data submitted by, sent to, or received by Customer or its users via the Services.

Sensitive data

Customer-uploaded video or audio content may incidentally contain images or voice recordings of individuals. Axle Tech does not perform facial recognition or biometric processing on individuals in Customer-uploaded content. Customer shall not upload Special Category Data unless it has a valid legal basis under applicable law and has notified Axle Tech in writing.

Frequency of transfer

Continuous, as Customer and its users upload content and use the Services.

Nature of processing

Storing, indexing, using, transmitting, analyzing, collecting, transferring, and making available Personal Data, including AI-powered tagging, search, metadata extraction, scheduling, and reporting features.

Purpose of processing

To provide the Services pursuant to the Agreement, as further specified in the applicable Order Form, and as further instructed by Customer in its use of the Services.

Retention period

For the duration of the Agreement, subject to Section 10 of this DPA (Deletion and Retention of Personal Data).

Competent supervisory authority

The supervisory authority of the EU Member State in which Customer is established. Where Ireland is the agreed governing Member State for Clause 17 purposes, the Irish Data Protection Commission shall act as the competent supervisory authority for SCCs purposes.

Annex 3

Technical and Organizational Security Measures

The following measures are maintained by Axle Tech in accordance with Clause 8.6 of the SCCs. See also Exhibit 1 (AI/ML Usage Controls Policy), available to Customer upon written request to contact@axleaccess.com.

  • Encryption in Transit: All Customer Personal Data transmitted via cloud Services is encrypted in transit using TLS 1.2 or higher. HTTPS is enforced across all Service endpoints.
  • Encryption at Rest: Customer Personal Data stored within Axle Tech Cloud is encrypted at rest using AES-256 or equivalent. Axle Tech encrypts Customer Data at rest using AWS Key Management Service. Sensitive information such as database credentials is stored in AWS Secrets Manager.
  • Access Controls: Role-based access control (RBAC) is applied to all internal systems processing Customer Data. Multi-factor authentication (MFA) is required for privileged administrative access. Principle of least privilege is enforced. Access rights are reviewed at least annually and revoked promptly upon personnel offboarding.
  • Network Security: Production environments are logically segregated from development and testing environments. Firewalls and intrusion detection/prevention systems are maintained. Vulnerability scanning and patch management are conducted on a regular schedule.
  • Physical Security: Cloud Services are hosted in AWS data centers holding ISO 27001 and/or SOC 2 certifications. Physical security of data centers is managed by the hosting provider.
  • Incident Response: Axle Tech maintains a documented security incident response plan. Customer notification within 72 hours of discovery of a Security Incident. Post-incident review conducted following any material incident.
  • Business Continuity and Backup: Multi-region disaster recovery using active-passive architecture across AWS US-East-1 (primary) and US-West-2 (secondary) with automated fail-over. Automated backups performed on a continuous basis. Documented recovery targets: RTO 1–2 minutes, RPO near-zero (less than 1 second) for the database replication layer.
  • Personnel Security: Data protection training conducted for all personnel with access to Customer Data. Written confidentiality obligations apply to all employees and contractors.
  • Sub-processor Management: Written data processing agreements maintained with all Sub-processors. Due diligence conducted before engagement and periodically thereafter. Customer will receive at least thirty (30) days' prior notice of any Sub-processor changes.
  • AI/ML Usage Controls: Axle Tech does not use Customer Data to train, fine-tune, or improve any AI/ML models, whether internal or third-party. AI/ML systems operate solely on data required for real-time functionality and outputs, and Customer Data is never retained for model training purposes. All AI/ML systems require CTO and CIO approval prior to production deployment. AI outputs are treated as Customer Data and are not shared with or used for the benefit of other customers. Axle Tech does not perform facial recognition or biometric processing on Customer-uploaded content.
  • Certifications: Axle Tech maintains SOC 2 Type II and ISO 27001 certifications. Penetration testing conducted at least annually on systems that handle Customer Data. Summary of results available upon written request subject to confidentiality agreements.
  • GDPR: Axle Tech acknowledges that it is in the process of formalizing its compliance with GDPR and commits to finalizing within ninety (90) days of the Effective Date of this DPA.

Annex 4

Sub-Processors

The following Sub-processors are approved by Customer as of the Effective Date. Axle Tech shall maintain and update this list and provide at least thirty (30) days' prior written notice to Customer before adding or replacing any Sub-processor, in accordance with Section 5.5 of this DPA.


Last updated: March 19, 2026

| Sub-Processor | Service Provided | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Core cloud infrastructure: compute, storage, networking, and database services supporting Axle's platform | United States (us-east-1 / us-east-2) | EU SCCs (Module 2) via AWS DPA; AWS Customer Agreement governs US-to-US processing |
| Anthropic, PBC | AI/LLM processing powering Axle's intelligent features | United States | EU SCCs (Module 2) via Anthropic DPA |
| Auth0, Inc. (an Okta Company) | Authentication, SSO, MFA, and user identity / access management | United States | EU SCCs (Module 2) via Okta/Auth0 DPA |
| Datadog, Inc. | Infrastructure monitoring, observability, and log management for Axle's servers, databases, and services | United States | EU SCCs (Module 2) via Datadog DPA |
| Functional Software, Inc. (dba Sentry) | Real-time application error tracking and performance monitoring | United States | EU SCCs (Module 2) via Sentry DPA |
| GitHub, Inc. (a Microsoft Company) | Source code management, version control, code review, and CI/CD workflows | United States | EU SCCs (Module 2) via Microsoft Online Services DPA |
| OpenAI, L.L.C. | AI/LLM processing powering Axle's intelligent features | United States | EU SCCs (Module 2) via OpenAI DPA |
| Osano, Inc. | Consent management, cookie compliance, and privacy preference management | United States | EU SCCs (Module 2) via Osano DPA |
| PostHog, Inc. | Product analytics, session recordings, feature flags, and A/B testing | United States (PostHog Cloud US) | EU SCCs (Module 2) via PostHog DPA |
| Pylon Labs, Inc. | Customer support ticketing, B2B messaging, and user engagement | United States | EU SCCs (Module 2) via Pylon DPA |

All Sub-processors located outside the EEA or UK are subject to appropriate transfer mechanisms (Standard Contractual Clauses or adequacy decision) as indicated above. Sub-processor details are provided to Customer upon written request to contact@axleaccess.com.

Annex 5

CCPA / CPRA Service Provider Terms

This Annex 5 applies to the extent the CCPA/CPRA applies to the Processing of Customer Personal Data under the Agreement.

A5.1 Service Provider Relationship. The parties acknowledge and agree that Axle Tech is a "service provider" as defined in the CCPA/CPRA and receives Customer Personal Data from Customer solely to provide the Services, which constitutes a limited and specified business purpose. Axle Tech will not "sell" or "share" any Customer Personal Data as those terms are defined in the CCPA/CPRA.

A5.2 Restrictions. Axle Tech will not retain, use, or disclose any Customer Personal Data provided by Customer under the Agreement except: (a) as necessary for the specific business purpose of providing the Services; (b) as stated in the Agreement or this DPA; (c) as permitted by the CCPA/CPRA; or (d) as otherwise agreed in writing by the parties. Axle Tech certifies that it understands these restrictions and will comply with all CCPA/CPRA obligations imposed on service providers.

A5.3 Notification. Axle Tech will notify Customer if it determines that it can no longer meet its obligations as a service provider under the CCPA/CPRA.

A5.4 Consumer Rights Assistance. Axle Tech shall, upon Customer's written instruction, assist Customer in responding to verifiable consumer requests regarding Customer Personal Data Processed by Axle Tech, including requests to know, delete, correct, or opt out of sale or sharing, to the extent technically feasible.

A5.5 Sub-processor Compliance. Axle Tech shall ensure that any Sub-processor engaged to Process Customer Personal Data on its behalf is also a "service provider" or "contractor" as defined in the CCPA/CPRA and is subject to restrictions no less protective than those in this Annex 5.

Exhibit 1

AI/ML Usage Controls Policy

1. Leadership Oversight. All AI/ML systems must be reviewed and approved by the CTO and CIO prior to production deployment. The Compliance team must be consulted to ensure contractual and regulatory alignment. Any updates to AI/ML systems require re-approval before release.

2. Data Management and Access. Classify and review all data used in AI/ML systems to confirm privacy and confidentiality standards. Restrict access to AI/ML models, training data, and production environments to authorized personnel. Enforce role-based permissions and maintain audit logs of all AI/ML-related system access. Client data is not used to train, fine-tune, or improve any AI/ML models, whether internal or third-party. AI/ML systems operate solely on data required for real-time functionality and outputs, and client data is never retained for model training purposes.

3. Risk and Compliance Alignment. Validate that all AI/ML use cases are explicitly permitted within customer contracts. Benchmark AI/ML systems against industry best practices and recognized frameworks. Perform risk assessments prior to production release.

4. Documentation and Transparency. Maintain documentation for each AI/ML system, including: purpose and intended use, data sources, model design and assumptions, and risk considerations.

5. Monitoring and Review. Continuously monitor AI/ML systems for anomalies, unexpected outputs, or performance issues. Log and review system activity to identify potential security or operational concerns. Conduct annual policy reviews by senior leadership and update based on evolving standards.

6. Continuous Improvement. Regularly evaluate AI/ML governance against updated industry standards and regulatory guidance. Incorporate lessons learned from monitoring and audits into future AI/ML projects. Ensure ongoing training for staff involved in AI/ML development and oversight.

Review and Updates. This policy will be reviewed annually, or upon significant system or regulatory changes, to ensure continued effectiveness and alignment with Axle's risk management framework.