The DPA, in plain prose.
When a customer entrusts us with personal data of their own users, Aevrix Group acts as a processor. The terms below describe how. They are designed to satisfy GDPR Art. 28 and the UK-GDPR equivalent without requiring a redline.
Parties & roles.
The customer (a legal entity that has signed up to an Aevrix service) is the Controller. Aevrix Group OJSC, a legal entity registered in Baku, Azerbaijan, is the Processor. Sub-processors are listed at /sub-processors/.
Scope of processing.
- Subject matter: provision of the Aevrix service the Controller has subscribed to.
- Duration: the term of the underlying subscription, plus a defined retention period not exceeding 30 days after termination.
- Nature and purpose: hosting, storage, transmission, support, billing, abuse monitoring, security incident response.
- Personal data categories: identifiers, contact data, content the Controller submits, technical metadata.
- Data subjects: the Controller's end users, staff, and other persons whose data the Controller chooses to submit.
Processor obligations.
- Process only on documented instructions from the Controller, unless required by law.
- Ensure confidentiality: staff with access are bound by written confidentiality terms.
- Implement appropriate security measures — see /controls/ for the current catalogue.
- Use sub-processors only with general written authorisation; add or replace sub-processors only after a public update at /sub-processors/.
- Assist the Controller in responding to data-subject requests, DPIAs, prior consultations, and breach notifications.
- Notify the Controller without undue delay upon becoming aware of a personal data breach affecting their data — within 72 hours where reasonably possible.
- Return or delete personal data at the end of the service at the Controller's choice, save where law requires retention.
- Make available all information necessary to demonstrate compliance, including audit reports we hold and reasonable cooperation with the Controller's audits.
International transfers.
Aevrix Group is established in Azerbaijan. Where personal data is transferred outside of the data subject's jurisdiction, we use Standard Contractual Clauses (Commission Decision 2021/914) and, where the data subject is in the UK, the UK International Data Transfer Addendum. We perform a transfer-impact assessment before relying on either.
Security measures.
The technical and organisational measures are listed and dated at /controls/. These are minimums — we revise them upward over time and never downward without notice to the Controller.
Sub-processors.
The Controller authorises the sub-processors listed at /sub-processors/. The Controller may object in writing to a new sub-processor within 30 days of notification; if the parties cannot agree, the Controller may terminate the affected service with a pro-rata refund.
Liability.
Liability under this DPA is the liability under the underlying subscription agreement. Nothing here limits liability under mandatory law (including under Art. 82 GDPR for damages to data subjects).
Need a signed DPA?
Enterprise customers can request a counter-signed copy under their entity name.