Data Processing Addendum

Last Updated: 29 January 2024

This Data Processing Addendum along with the exhibits thereto (collectively referred to as “DPA”) supplements the agreement signed by and between Affix API Ltd., a company incorporated in Ireland under company number 744844 and having its registered offices at Affix API Limited, Dogpatch Labs, Unit 1, The CHQ Building, North Wall Quay, Dublin D01 Y6H7, Ireland (“Affix API”) and the Customer, defined in the (“Agreement”) and is incorporated by reference.

This DPA contains terms to ensure that adequate safeguards are in place with respect to the protection of Personal Data to be processed by Affix API in the delivery of the Service for the Purpose pursuant to the Agreement, as required by the Applicable Data Protection Laws.

Any terms not defined in this DPA shall have the meaning set forth in the Agreement. Except as modified below, this DPA automatically expires upon deletion of all Personal Data as described herein. Affix API reserves the right to modify or update this DPA in its sole discretion. Affix API will give Customer written notice of any changes to the DPA, giving Customer thirty (30) days to object upon reasonable data protection grounds by providing written notice of such objection to Affix API. Customer’s acceptance of such modifications and/or updates shall be indicated by Customer’s continued use of the Service and shall be effective immediately.

THIS DATA PROCESSING ADDENDUM will take effect as of the Effective Date of the Agreement, between Customer and Affix API.

1. Definitions

1.1. The following expressions are used in this DPA:

(a) "Non-Adequate Country" means a country or territory that is not recognized under the GDPR or the UK GDPR, as applicable, as providing adequate protection for personal data;

(b) “CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder;

(b) "Data Protection Laws" means any applicable local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the processing of Personal Information, as amended, replaced or superseded from time to time, including but not limited to EU/UK Data Protection Laws and United States Data Protection Laws;

(c) “EU/UK Data Protection Laws” means the GDPR and the UK GDPR and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them;

(d) "GDPR" means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);

(e) "Personal Data" means all data which is defined and regulated as ‘Personal Data’ in the EU Data Protection Laws and that Affix API processes on behalf of Customer in connection with the Service;

(f) "UK GDPR" means the United Kingdom General Data Protection Regulation;

(g) "United States Data Protection Laws" means any United States’ state or federal data protection law as such law may be amended, replaced, or consolidated from time to time, including but not limited to the CCPA;

(h) "processing", "data controller", "data subject", "supervisory authority" and "data processor" will have the meanings ascribed to them in the UK GDPR.

2. Status of the parties

2.1 The Agreement(s) determines the subject matter and the duration of Affix API’s processing of Personal Data, as well as the nature and purpose of any collection, use and other processing of Personal Data (collectively, the “Particulars”) and the rights and obligations of Customer.

2.2 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that (a) for Customer Personal Data, Affix is the Data Controller and Affix API accordingly, (b) for End User Personal Data Affix API is the Data Processor of Customer or subprocessor of End User Personal Data.

2.3 Affix API agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA and the Applicable Data Protection Laws.

2.4 Each of Affix API and Customer will notify each other of one or more individuals within its organisation authorised to respond from time to time to enquiries regarding Personal Data and each of Affix API and Customer will deal with such enquiries promptly.

3. General Obligations Relating to the Processing of Personal Data

3.1 As between the parties, Customer is solely responsible for obtaining, and represents and covenants that it has obtained and will obtain, all necessary consents, licences and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of any Personal Data as part of the Services (the “Customer Legal Basis Assurance”). Each of Customer and Affix API warrant in relation to Personal Data that it will comply with (and will ensure that any of its staff and/or subcontractors comply with) the instructions and obligations determined in this Agreement and the Data Protection Laws, provided, however, that Affix API’s warranty is subject to Customer Legal Basis Assurance.

3.2 To the extent that it provides its Personal Data to Affix API, Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Affix API including the means by which the Personal Data was obtained.

3.3 Customer undertakes that all instructions for the Processing of Personal Data under the Agreement or this DPA or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not cause Affix API to be in breach of any Data Protection Laws.

3.4 Each of Customer and Affix API agree that it shall notify the other immediately if it determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA.

3.5 With respect to all Personal Data, Affix API agrees that it will:

(a) only process the Personal Data in order to provide the Services and will act only in accordance with this Agreement and Customer's written instructions. The terms of the Agreement and this DPA constitute the Customer’s written instructions to Affix API in relation to the processing of personal data. For the avoidance of doubt, the Customer can issue further instructions for processing at any time subject to the acknowledgement of Affix API;

(b) in the unlikely event that applicable law requires Affix API to process Personal Data other than pursuant to Customer's instructions, immediately notify Customer (unless prohibited from so doing by applicable law);

(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular, protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in Affix API’s possession or under its control. Such measures include the security measures specified in Affix API’s information security policies which can be accessed at https://affixapi.com/security

(d) ensure that its personnel have access to such Personal Data only as necessary to perform the Service in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality and will adhere with the Agreement and this DPA;

(e) without delay after becoming aware and in any case within twenty-four (24) hours, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in Affix API’s possession or under its control (including when transmitted, stored or otherwise processed by Affix API) (a "Security Breach");

(f) taking into account the nature of the processing, promptly provide Customer with reasonable cooperation and assistance in respect of the Security Breach and information in Affix API's possession concerning the Security Breach, including, to the extent known to Affix API, the following: (i) the nature of the Security Breach; (ii) the categories and approximate number of data subjects concerned; (iii) the categories and approximate number of Personal Data records concerned; (iv) the likely consequences of the Security Breach; (v) a summary of the unauthorised recipients of the Personal Data; and (vi) the measures taken or proposed to be taken by Affix API to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects;

(g) Insofar as a Security Breach relates to Customer, Affix API will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Security Breach or disclosure request which directly or indirectly identifies Customer (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Customer’s prior written approval, unless, and solely to the extent that, Affix API is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Affix API shall provide Customer with reasonable prior written notice to provide Customer with the opportunity to object to such disclosure and in any case, Affix API shall limit the disclosure to the minimum scope required.

(h) return or delete, at Customer’s discretion, Customer’s Personal Data within thirty (30) days of termination or expiration of the Term, save where otherwise agreed with the Customer. Affix API shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Personal Data. This requirement shall not apply to the extent Affix API is required by any applicable law to retain some or all of the Personal Data, in which event Affix API shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

(i) assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to: (i) data protection impact assessments (as such term is defined in the applicable Data Protection Laws); (ii) subject access requests; (iii) notifications to the supervisory authority/regulators under applicable Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and (iv) Customer’s compliance with its obligations under applicable Data Protection Laws with respect to the security of processing.

(j) assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under applicable Data Protection Laws. Affix API will notify Customer of requests received by Affix API, unless otherwise required by applicable law. Affix API will not make changes to such Personal Data except as agreed in writing with Customer.

4. Obligations Relating to the Processing of Personal Data subject to EU/UK laws

4.1 With respect to all Personal Data subject to EU/UK Data Protection Laws, Affix API agrees that it will:

(a) as soon as possible after becoming aware, inform Customer if, in Affix API's opinion, any instructions provided by Customer under Clause 3.1(a) infringe the GDPR or UK GDPR;

(b) maintain records of its processing activities as required by EU/UK Data Protection Laws and to demonstrate its compliance with this DPA and make such records available to the applicable supervisory authority and/or the Customer upon request.

5. Obligations Relating to the Processing of Personal Data subject to United States Data Protection Laws

5.1 With respect to all Personal Data subject to United States Data Protection Laws, Affix API agrees that it will:

(a) not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

(b) not retain, use, or disclose Personal Data for any purpose (including any commercial purpose) other than for the specific purpose of Affix API’s provision of Services and in accordance with this DPA.

(c) not combine Personal Data with personal data it receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject.

5.2 Affix API agrees that the terms "Aggregate Consumer Information", “Service Provider”, “Approved Business Purpose” and "De-identified" will have the meanings ascribed to them in Cal. Civ. Code §1798.140, as that code section may be amended or replaced from time to time, and that Affix API will process such Personal Data accordingly.

5.3 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that Affix API is a Service Provider.

5.4 Notwithstanding the foregoing, and for the purpose of addressing other prospective data protection laws, Affix API shall not process any Personal Data (regardless of where that individual resides) other than for a) the specific purpose of Affix API’s performance of its Services or b) an Approved Business Purpose.

5.5 Subject to Affix API’s compliance with this DPA, Customer agrees to make Personal Data of Customer and, where relevant, End Customer available to Affix API for the limited and specified purpose of providing the Services. Customer reserves the right to take reasonable and appropriate steps to help ensure that Affix API processes Personal Data in a manner consistent with Customer’s obligations under United States Data Protection Laws, including without limitation the right, upon notice, to stop and remediate any unauthorized processing of Personal Data.

6. Sub-processing

6.1 Customer authorises Affix API to appoint sub-processors in accordance with this Section 6. Affix API publishes a list of its sub-processors in Appendix III to this Agreement (“Sub-processor List”).

6.2 When any new sub-processor is engaged, Affix API will add them to the Sub-processor List. Affix API will give Customer prior written notice of any changes to the Sub-processor List, including full details of the processing to be undertaken by that respective Sub-processor, giving Customer thirty (30) days to object upon reasonable data protection grounds by providing written notice of such objection to Affix API.

6.3 If Customer objects to the authorisation of any future sub-processor on reasonable data protection grounds within the agreed period of time Affix API will use its reasonable efforts to provide an alternative or workaround to avoid processing of Personal Data by the objected-to sub-processor to the satisfaction of Customer within a reasonable period of time.

6.4 Affix API will require its sub-processors to comply with terms that provide the same level of data protection obligations as those imposed on Affix API in the Agreement and this DPA. Affix API will be responsible for all the acts and omissions of its sub-processors in relation to the Agreement and this DPA.

7. Audit and records

7.1 Affix API will, in accordance with applicable Data Protection Laws, make available to Customer such relevant information in Affix API's possession or control as Customer may reasonably request with a view to demonstrating Affix API's compliance with the obligations of data processors under applicable Data Protection Law in relation to its processing of Personal Data.

7.2 Affix API shall allow for and contribute to audits, including inspections, by Customer, or a third-party auditor mandated by Customer, in order to assess Affix API’s compliance with this DPA and Data Protection Laws. Such audits may be undertaken no more than once in a twelve (12) month period by providing Affix API with reasonable notice, unless Affix API has suffered a personal data security breach in the previous twelve (12) months that has affected personal data processed on behalf of Customer. Customer shall reimburse Affix API for any time expended for any such on-site audit at Affix API’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Affix API shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.

8. Data transfers

8.1 Customer will ensure that Customer and Customer’s authorised users are entitled to transfer the Personal Data, including Customer Personal Data and End Customer Personal Data, to Affix API so that Affix API, and its sub-processors, may lawfully process the Personal Data in accordance with this DPA.

8.2 The Customer acknowledges that End Customer Personal Data will be processed in the EEA. The Customer acknowledges that this may involve the use of sub-processors located in the EEA.

8.3 Except in a country in respect of which a valid adequacy decision has been issued by the European Commission, as the case may be, Affix API shall not process Personal Data outside the European Economic Area.

9. General

9.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. This DPA is incorporated into and made a part of the Agreement by this reference. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail so far as the subject matter concerns the processing of Personal Data.

9.2 Customer and Affix API each agree that the governing law and venue provisions in the Agreement apply to this DPA.

ANNEX I - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Affix API currently abides by the security standards as set out in its security policies which can be found here: https://www.affixapi.com/security. Affix API may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.

Annex II - Subprocessors

Affix API sub-processors are third-party entities authorised to process data to support Affix services in accordance with our service agreements. Affix requires the satisfaction of contractual obligations from each subprocessor to ensure the enforcement of security controls and compliance with applicable data protection regulations.

AWS (Amazon Web Services):

Purpose: The Affix API service infrastructure is hosted on Amazon Web Services (AWS).

Amazon API Gateway:

Purpose: Affix uses Amazon API Gateway, a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a gateway for APIs, handling tasks such as request and response transformations, authorization and access control, and API version management.

AWS Lambda:

Purpose: AWS Lambda is a serverless computing service that allows you to run your code without provisioning or managing servers. It is commonly used in conjunction with API Gateway to execute functions in response to API requests.

Amazon DynamoDB:

Purpose: DynamoDB is a fully managed NoSQL database service that can be used to store and retrieve data for your APIs. It offers low-latency performance at any scale, making it suitable for applications with high read and write demands.

AWS Key Management Service (KMS):

Purpose: AWS KMS is a managed service for creating and controlling encryption keys. It can be used to encrypt and decrypt data, providing an additional layer of security for sensitive information transmitted via APIs.

AWS CloudWatch:

Purpose: AWS CloudWatch is a monitoring and observability service that can be used to collect and track metrics, collect and monitor log files, and set alarms. It helps in monitoring the performance and health of your APIs.

Cloudflare Pages:

Purpose: We use Cloudflare Pages for our production frontend. Cloudflare Pages is a platform offered by Cloudflare that provides a way to deploy and host websites directly from a GitHub repository. It is a serverless, JAMstack (JavaScript, APIs, and Markup) hosting service designed to simplify the process of building and deploying modern web applications.

Revolut:

Purpose: Revolut is a fintech platform, providing invoicing and payment infrastructure to Affix.

Wudpecker:

Purpose: Wudpecker is an EU-based meeting note taker, allowing Affix to take note of customer needs in a secure fashion.

Gmail:

Purpose: Gmail is used both for internal communications and external communications with Customers.

Vercel:

Purpose: We use Vercel for our developer frontend. Vercel is a cloud platform that provides a variety of services for building, deploying, and managing web applications. It is designed to simplify the process of deploying and hosting web applications, making it easier for developers to focus on writing code rather than dealing with infrastructure and deployment complexities. Vercel is particularly known for its support of serverless functions and its integration with popular frontend frameworks.

Oxylabs.io:

Purpose: We use Oxylabs.io for its residential proxies. Oxylabs.io is a proxy service provider that specialises in offering a global network of residential proxies with a strong presence in the EU and UK.

Sentry:

Purpose: We use Sentry for error logging. Sentry is an error tracking and monitoring platform that helps developers identify, diagnose, and fix issues in their applications. It is designed to capture and report errors, exceptions, and performance issues in real-time, providing developers with insights into the health and stability of their software.

6. Sub-processing

6.1 Customer authorises Affix API to appoint sub-processors in accordance with this Section 6. Affix API publishes a list of its sub-processors in Appendix III to this Agreement (“Sub-processor List”).

6.2 When any new sub-processor is engaged, Affix API will add them to the Sub-processor List. Affix API will give Customer prior written notice of any changes to the Sub-processor List, including full details of the processing to be undertaken by that respective Sub-processor, giving Customer fourteen (14) days to object upon reasonable data protection grounds by providing written notice of such objection to Affix API.

6.3 If Customer objects to the authorisation of any future sub-processor on reasonable data protection grounds within fourteen (14) days of notification of the proposed authorisation, Affix API will use its reasonable efforts to provide an alternative or workaround to avoid processing of Personal Data by the objected-to sub-processor to the satisfaction of Customer within a reasonable period of time.

6.4 Affix API will require its sub-processors to comply with terms that provide substantially the same protection of Personal Data as those imposed on Affix API in the Agreement and this DPA. Affix API will be liable for all the acts and omissions of its sub-processors in relation to the Agreement and this DPA.

7. Audit and records

7.1 Affix API will, in accordance with applicable Data Protection Laws, make available to Customer such relevant information in Affix API's possession or control as Customer may reasonably request with a view to demonstrating Affix API's compliance with the obligations of data processors under applicable Data Protection Law in relation to its processing of Personal Data.

7.2 Affix API shall allow for and contribute to audits, including inspections, by Customer, or a third-party auditor mandated by Customer, in order to assess Affix API’s compliance with this DPA and Data Protection Laws. Such audits may be undertaken no more than once in a twelve (12) month period by providing Affix API with reasonable notice. Customer shall reimburse Affix API for any time expended for any such on-site audit at Affix API’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Affix API shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.

ANNEX I

A. LIST OF PARTIES

1. Data exporter(s): Customer 

Signature and date: as per the Agreement

Role (controller/processor): Controller and/or Processor

2. Data importer(s): Affix API Ltd.

Signature and date: Refer to the Agreement

Role (controller/Subprocessor): Controller and/or Subprocessor

B. DESCRIPTION OF TRANSFER

Data subjects: The Personal Data transferred concerns the following categories of data subjects:

Customers, subscribers, prospective customers, and customers’ end users including, but not limited to: employees, contractors, vendors, customers, prospects.

Categories of Personal Data: Any Personal Data that the Data Controller selects and instructs the Data Processor or subprocessor to process via the Service including, but not limited to: basic personal identifiers, economic and financial data, identification data, and location data.

Special categories of data (if appropriate):

Sensitive data of the Customer transferred to Affix by the Customer, as permitted in this Agreement for the provision of the Service (e.g., religion, medical information, racial or ethnic origin, etc.).

Affix API does not process any Special Categories of data as a processor on behalf of the Controller. It is possible, however, that in Affix API's capacity as a Controller, Customers may in an unsolicited fashion share sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

On a continuous basis.

Nature of the processing:

The provision of the Service as described in the Agreement(s).

Purpose(s) of the data transfer and further processing:

The provision of the Service as described in the Agreement(s).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the duration of the relevant Agreement(s) and Order Form(s).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The same as for the Data Importer.

Processing operations: As described in the Agreement(s)

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

Where the data exporter is established in an EU Member State: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established.

Where the data exporter is not established in an EU Member State, it appoints the following representative supervisory authority pursuant to Article 27(1) of Regulation (EU) 2016/679:

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2

D02 RD28

Ireland

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Data Importer currently abides by the security standards as set out in its security policies which can be found here: https://www.affixapi.com/security. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.

Annex III - Subprocessors

Affix API sub-processors are third-party entities authorised to process data to support Affix services in accordance with our service agreements. Affix requires the satisfaction of contractual obligations from each subprocessor to ensure the enforcement of security controls and compliance with applicable data protection regulations.


AWS (Amazon Web Services):

Purpose: The Affix API service infrastructure is hosted on Amazon Web Services (AWS).

Amazon API Gateway:

Purpose: Affix uses Amazon API Gateway, a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a gateway for APIs, handling tasks such as request and response transformations, authorization and access control, and API version management.

AWS Lambda:

Purpose: AWS Lambda is a serverless computing service that allows you to run your code without provisioning or managing servers. It is commonly used in conjunction with API Gateway to execute functions in response to API requests.

Amazon DynamoDB:

Purpose: DynamoDB is a fully managed NoSQL database service that can be used to store and retrieve data for your APIs. It offers low-latency performance at any scale, making it suitable for applications with high read and write demands.

AWS Key Management Service (KMS):

Purpose: AWS KMS is a managed service for creating and controlling encryption keys. It can be used to encrypt and decrypt data, providing an additional layer of security for sensitive information transmitted via APIs.

AWS CloudWatch:

Purpose: AWS CloudWatch is a monitoring and observability service that can be used to collect and track metrics, collect and monitor log files, and set alarms. It helps in monitoring the performance and health of your APIs.

Cloudflare Pages:

Purpose: We use Cloudflare Pages for our production frontend. Cloudflare Pages is a platform offered by Cloudflare that provides a way to deploy and host websites directly from a GitHub repository. It is a serverless, JAMstack (JavaScript, APIs, and Markup) hosting service designed to simplify the process of building and deploying modern web applications.

Revolut:

Purpose: Revolut is a fintech platform, providing invoicing and payment infrastructure to Affix.

Wudpecker:

Purpose: Wudpecker is an EU-based meeting note taker, allowing Affix to take note of customer needs in a secure fashion.

Gmail:

Purpose: Gmail is used both for internal communications and external communications with Customers.

Vercel:

Purpose: We use Vercel for our developer frontend. Vercel is a cloud platform that provides a variety of services for building, deploying, and managing web applications. It is designed to simplify the process of deploying and hosting web applications, making it easier for developers to focus on writing code rather than dealing with infrastructure and deployment complexities. Vercel is particularly known for its support of serverless functions and its integration with popular frontend frameworks.

Oxylabs.io:

Purpose: We use Oxylabs.io for its residential proxies. Oxylabs.io is a proxy service provider that specialises in offering a global network of residential proxies with a strong presence in the EU and UK.

Sentry:

Purpose: We use Sentry for error logging. Sentry is an error tracking and monitoring platform that helps developers identify, diagnose, and fix issues in their applications. It is designed to capture and report errors, exceptions, and performance issues in real-time, providing developers with insights into the health and stability of their software.
