Data Processing Agreement
1. Purpose and Applicability
This Data Processing Agreement ("DPA") governs the processing of personal data by ITLOX ("Processor") on behalf of enterprise customers ("Controller") in connection with the provision of ITLOX products and services, including SynthLabTech, AegisWire, AegisWire VPN enterprise plans, CareOSP, and any other ITLOX service where ITLOX processes personal data submitted by or on behalf of the Controller.
This DPA is intended to satisfy the requirements of UK GDPR Article 28 and EU GDPR Article 28 for processor contracts and applies where:
- The Controller is subject to UK GDPR, EU GDPR, or equivalent applicable data protection law
- ITLOX processes personal data on the Controller's behalf in the course of providing services
- No separate, individually negotiated DPA has been executed between ITLOX and the Controller
Where a separately negotiated and executed DPA exists, that document governs to the extent of any inconsistency with this standard DPA.
2. Definitions
"Controller" means the enterprise customer who determines the purposes and means of processing personal data submitted to ITLOX services.
"Processor" means ITLOX, acting on the Controller's instructions in processing personal data.
"Data Subject" means an identified or identifiable natural person whose personal data is processed.
"Personal Data" has the meaning given in UK GDPR / EU GDPR Article 4(1).
"Processing" has the meaning given in UK GDPR / EU GDPR Article 4(2).
"Sub-Processor" means any third party engaged by ITLOX to process personal data on behalf of the Controller.
"Data Protection Law" means UK GDPR, the Data Protection Act 2018, EU GDPR (where applicable), and any other applicable data protection legislation.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by ITLOX.
3. Subject Matter and Nature of Processing
| Item | Description |
|---|---|
| Subject matter | Processing of personal data in the course of providing ITLOX enterprise services to the Controller |
| Duration | For the duration of the enterprise services agreement between ITLOX and the Controller, plus any post-termination retention period required by law or agreed in writing |
| Nature of processing | Storage, hosting, analysis, transmission, and other processing activities necessary to provide the contracted services |
| Purpose | As specified in the enterprise services agreement and as directed by the Controller |
| Categories of data subjects | Employees, contractors, customers, patients, or other individuals whose data the Controller submits to ITLOX services |
| Types of personal data | As determined by the Controller; may include identity data, contact data, technical data, usage data, and (for CareOSP) health-related data |
4. ITLOX's Obligations as Processor
ITLOX, as Processor, shall:
- Process only on instructions: Process personal data only on documented instructions from the Controller, including with regard to international transfers, except where required to do so by UK or EU law (in which case ITLOX will inform the Controller of that legal requirement before processing, unless prohibited by law)
- Confidentiality: Ensure that persons authorised to process personal data are subject to binding confidentiality obligations (statutory or contractual)
- Technical and organisational security measures: Implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure, as further described in Annex A
- Sub-processor management: Not engage Sub-Processors without prior written authorisation of the Controller (general authorisation is deemed given by the Controller's acceptance of this DPA; see Section 6 for the Sub-Processor list)
- Data subject rights: Assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) taking into account the nature of the processing, by providing reasonable technical and organisational assistance
- Assist with compliance: Assist the Controller in ensuring compliance with its obligations under Data Protection Law regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to ITLOX
- Deletion or return: At the Controller's choice, delete or return all personal data to the Controller at the end of the service relationship, and delete existing copies unless retention is required by law
- Audit cooperation: Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, with reasonable advance notice and at the Controller's cost
- Notification of unlawful instructions: Immediately inform the Controller if, in ITLOX's opinion, an instruction violates Data Protection Law
5. Controller's Obligations
The Controller warrants and undertakes that:
- It has obtained all necessary consents, provided all required notices, and established all applicable lawful bases for processing under Data Protection Law before submitting personal data to ITLOX services
- Its instructions to ITLOX comply with Data Protection Law and it has the authority to give such instructions
- It will not instruct ITLOX to process personal data in a manner that would violate applicable Data Protection Law
- It accepts sole responsibility for the lawfulness of its processing purposes and the personal data it submits to ITLOX services
- It will, where required, conduct a Data Protection Impact Assessment (DPIA) before submitting high-risk categories of personal data to ITLOX services
6. Sub-Processors
ITLOX engages the following categories of Sub-Processors to assist in delivering services. By accepting this DPA, the Controller grants general prior authorisation for ITLOX to use these Sub-Processor categories:
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure | Hosting, compute, and storage | UK/EEA, US (SCC-protected) |
| Payment processing | Subscription billing and invoicing | UK/US (SCC-protected) |
| Security monitoring | Threat detection and incident response | UK/US (SCC-protected) |
| Customer support tooling | Support ticket management | UK/EEA |
| Email infrastructure | Transactional email delivery | UK/US (SCC-protected) |
ITLOX will notify the Controller of any intended addition or replacement of Sub-Processors with at least 30 days prior notice, providing the Controller with the opportunity to object. If the Controller objects and the parties cannot resolve the objection, either party may terminate the relevant services on written notice. ITLOX ensures all Sub-Processors are bound by data processing agreements that impose equivalent data protection obligations to those in this DPA.
A current list of specific Sub-Processors is available upon written request to dpo@itlox.com.
7. International Data Transfers
Where personal data is transferred outside the UK or EEA, ITLOX will ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V and EU GDPR Chapter V, as applicable. The transfer mechanisms used may include:
- UK International Data Transfer Agreement (UK IDTA) for transfers from the UK
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA
- Adequacy decisions recognised by the UK ICO or European Commission
Copies of the applicable transfer mechanisms are available upon written request to dpo@itlox.com.
8. Security Measures
ITLOX maintains the following technical and organisational measures, which represent our current standard security posture. These measures will be reviewed and updated regularly:
- Access control: Role-based access control (RBAC); least privilege access; multi-factor authentication for privileged access
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest on production systems
- Network security: Firewalls, intrusion detection systems, DDoS protection, and network segmentation
- Vulnerability management: Regular security assessments, patch management processes, and dependency scanning
- Incident response: Documented incident response procedures with defined escalation paths
- Data minimisation: Processing limited to what is necessary for the contracted service
- Backup and recovery: Regular encrypted backups with tested restoration procedures
- Personnel security: Security awareness training for staff with access to personal data; background check requirements for relevant roles
- Physical security: Data hosted in ISO 27001-certified or equivalent data centres with physical access controls
ITLOX may update these measures from time to time, provided that updates do not materially reduce the overall security level. A detailed security overview is available upon written request for enterprise due diligence purposes.
9. Security Incident Notification
In the event of a Security Incident involving personal data processed on behalf of the Controller, ITLOX will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the incident (or as soon as reasonably practicable if 72 hours is not achievable), providing information about the nature of the incident, categories and approximate number of data subjects and personal data records affected, likely consequences, and measures taken or proposed to address the incident. ITLOX will cooperate with the Controller in managing the incident and in complying with the Controller's obligations to notify the relevant supervisory authority and affected data subjects. Security incident notifications should be directed to security@itlox.com.
10. Data Return and Deletion
Upon termination or expiry of the services agreement, or upon written request from the Controller, ITLOX will, at the Controller's election: (a) return all personal data to the Controller in a commonly used electronic format; or (b) securely delete and destroy all personal data and certify in writing that deletion has been completed. ITLOX may retain personal data beyond this period only where retention is required by applicable law, for the minimum period required, and will notify the Controller of any such obligation.
11. Audit Rights
ITLOX will make available to the Controller all information necessary to demonstrate compliance with this DPA and will permit audits by the Controller or an authorised third-party auditor upon at least 30 days prior written notice, during normal business hours, at the Controller's cost and without materially disrupting ITLOX's operations. Where a recognised audit standard certification (e.g. ISO 27001, SOC 2) covers the relevant processing, ITLOX may provide the relevant certification and summary report in lieu of a physical audit, unless the Controller has reasonable grounds to require otherwise.
12. Liability
Each party's liability under this DPA is subject to the liability limitations and exclusions set out in the applicable enterprise services agreement or, in the absence of such an agreement, the ITLOX Terms of Service. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud, or any matter that cannot lawfully be limited.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales, subject to any mandatory requirements of applicable Data Protection Law.
14. Executing a Bespoke DPA
Enterprise customers requiring a signed, individually negotiated DPA — for example, to satisfy their own procurement requirements, to incorporate specific Sub-Processor restrictions, or to document product-specific data flows — should contact our Data Protection team:
Data Protection Officer
Email: dpo@itlox.com
Legal: legal@itlox.com
ITLOX Limited — 167-169 Great Portland Street, London W1W 5PF, England