Data Processing Agreement
Template — Version 1.0 | Effective Date: January 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between CreditAxis (“Processor”) and the customer organization (“Controller”) identified in the applicable order form, pilot SOW, or master services agreement.
1. Definitions
“Customer Data” means any personal data or business data that the Controller submits to the Platform in connection with the contracted services.
“Platform” means the CreditAxis credit infrastructure platform and associated services.
“Subprocessor” means any third-party processor engaged by CreditAxis to process Customer Data.
2. Scope of Processing
CreditAxis processes Customer Data solely on the documented instructions of the Controller, for the purpose of delivering the contracted Platform services. CreditAxis does not process Customer Data for any other purpose without the Controller's written consent.
3. Confidentiality
CreditAxis personnel with access to Customer Data are subject to confidentiality obligations. Access is restricted to personnel who require access for service delivery purposes.
4. Security Measures
CreditAxis implements and maintains technical and organizational measures including:
- Encryption of Customer Data in transit (TLS 1.2 or higher)
- Encryption of Customer Data at rest (AES-256 via infrastructure provider)
- Role-based access controls enforced at the application layer
- Row-level security enforced at the database layer for all customer data tables
- Comprehensive audit logging of all governance events, access, and administrative actions
- Documented incident response procedures with a defined notification timeline
5. Subprocessors
CreditAxis currently engages the following subprocessors:
| Subprocessor | Role | Data Processed | Location |
|---|---|---|---|
| Supabase | Hosts the primary application database and manages user authentication. | Customer deal data, user identity, audit logs, governance records | AWS US-West-2 (Oregon) |
| Vercel | Hosts and serves the CreditAxis application. Handles request routing and CDN delivery. | Session metadata, application traffic | Global CDN / AWS |
| Hugging Face | Provides AI model inference for the Intelligence module. Engaged only when the Intelligence module is active. | Deal narrative inputs (no PII, no full borrower records) | US / AWS |
Hugging Face is engaged only when the Intelligence module is active for a customer. Input data consists of deal narrative context — no PII or full borrower records are transmitted.
CreditAxis will provide 30 days' advance notice of material changes to its subprocessor list. The Controller may object to a new subprocessor within 15 days of such notice.
6. Data Subject Rights
CreditAxis will provide reasonable assistance to the Controller in responding to data subject requests related to Customer Data processed by CreditAxis.
7. Data Deletion
Upon termination of the agreement, CreditAxis will delete or return Customer Data within 30 days of the Controller's written request, unless retention is required by applicable law. A deletion certificate confirming destruction is available upon request.
8. Incident Notification
CreditAxis will notify the Controller of confirmed incidents affecting Customer Data within 72 hours of confirming the incident. Notification will include an incident summary, a scope assessment, and the mitigation actions taken. Additional terms are governed by the applicable customer agreement.
9. Audit Rights
Upon reasonable written notice, CreditAxis will provide information reasonably necessary to demonstrate compliance with this DPA, including access to relevant documentation and certifications where available.
10. Governing Law
This DPA is governed by the governing law specified in the applicable customer agreement.
Execute a DPA
To request a customer-specific DPA or discuss data handling requirements, contact: legal@creditaxis.org