Data Processing Agreement
Effective: April 29, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Axolotl Army (“Processor”) and the Customer (“Controller”). It applies whenever Customer Personal Data (as defined below) is processed by Axolotl Army in the course of providing the Service. By using the Service, Customer enters into this DPA. Customers requiring a counter-signed copy may email legal@axolotlarmy.net to receive a DocuSign envelope.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Terms of Service. The following definitions apply:
- “Data Protection Laws” means all laws applicable to the processing of personal data under this DPA, including: (a) Regulation (EU) 2016/679 (the “GDPR”); (b) the Data Protection Act 2018 and the GDPR as it forms part of retained EU law in the United Kingdom (the “UK GDPR”); (c) the Swiss Federal Act on Data Protection (the “FADP”); (d) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”); (e) the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Texas Data Privacy and Security Act (“TDPSA”); and (f) any other applicable data protection or privacy law, in each case as updated, amended, or replaced from time to time.
- “Customer Personal Data” means any personal data (as defined in Article 4(1) GDPR) that Axolotl Army processes on behalf of the Customer in the course of providing the Service, as further described in Annex I.A.
- “Controller”, “Processor”, “Sub-processor”, “Data Subject”, and “Personal Data Breach” have the meanings given to them in Article 4 GDPR.
- “Service” means the Axolotl Army Portal provided at https://portal.axolotlarmy.net and any related products, APIs, integrations, or features, as defined in the Terms of Service.
- “SCCs” means the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR, set out in Implementing Decision (EU) 2021/914 of 4 June 2021.
- “UK IDTA” means the International Data Transfer Addendum to the SCCs issued by the United Kingdom Information Commissioner's Office under section 119A of the Data Protection Act 2018, in force from 21 March 2022.
- “Third Country” means a country outside the European Economic Area, the United Kingdom, or Switzerland that is not the subject of an adequacy decision under the relevant Data Protection Law.
2. Roles and scope
With respect to Customer Personal Data, the Customer is the Controller and Axolotl Army is the Processor. Axolotl Army processes Customer Personal Data only on behalf of, and under the documented instructions of, the Customer.
With respect to Customer Account Data — the data Axolotl Army collects directly from the Customer's administrators to create and maintain the Customer's account (including name, billing email, login timestamps, and audit-log metadata of administrator actions) — Axolotl Army acts as an independent Controller. As an independent Controller, Axolotl Army determines the means and purposes (including retention, security measures, and lawful basis) for processing Customer Account Data, and publishes those determinations in its Privacy Policy at https://portal.axolotlarmy.net/legal/privacy.
The processing activities, types of personal data, and categories of Data Subjects are described in Annex I.A below (rendered dynamically from Axolotl Army's current Service configuration).
3. Processor obligations
Axolotl Army shall, in connection with all Customer Personal Data:
- Process only on documented instructions. Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of Customer Personal Data to a Third Country, unless required to do otherwise by Union or Member State law to which Axolotl Army is subject (in which case Axolotl Army will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Customer's use of the Service constitutes its standing instruction; out-of-band instructions may be sent to legal@axolotlarmy.net.
- Confidentiality. Ensure that persons authorized to process the Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and have received appropriate data protection training.
- Security (Article 32 GDPR). Implement and maintain the appropriate technical and organizational measures described in Annex II to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Sub-processors (Article 28(2)–(4) GDPR). Engage Sub-processors only in accordance with Section 5 of this DPA, and impose on every Sub-processor data protection obligations substantially equivalent to those imposed on Axolotl Army under this DPA. Axolotl Army remains fully liable to the Customer for the performance of every Sub-processor.
- Assistance with Articles 32–36. Taking into account the nature of the processing and the information available to Axolotl Army, assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 (security), 33 (Personal Data Breach notification to the supervisory authority), 34 (Personal Data Breach communication to Data Subjects), 35 (data protection impact assessments), and 36 (prior consultation) of the GDPR.
- Assistance with Data Subject requests. Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligation to respond to requests for exercising the Data Subject rights laid down in Chapter III GDPR. Axolotl Army provides self-service tools — including the data export endpoint at https://portal.axolotlarmy.net/api/account/export and the deletion request endpoint at https://portal.axolotlarmy.net/api/account/delete-request — that the Customer may use directly or expose to its own Data Subjects. Axolotl Army will forward to the Customer any Data Subject request it receives directly relating to Customer Personal Data, and will not respond to such requests except as instructed by the Customer or as required by applicable law.
- Deletion or return at end of contract. At the choice of the Customer, delete or return all Customer Personal Data to the Customer at the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data. Per the Terms of Service termination clause, the Customer has a 30-day grace period after termination to export Customer Personal Data via the export endpoint; after the grace period, Axolotl Army will delete Customer Personal Data from active production systems within a further 30 days, and purge it from rolling encrypted backups within 90 days. Audit logs of security-sensitive administrator actions may be retained on a pseudonymized basis as required to demonstrate compliance.
- Audit support. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, on the terms set out in Section 8 of this DPA.
- Notification of unlawful instructions. Immediately inform the Customer if, in Axolotl Army's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
4. Data Subject Rights
The Customer is responsible for handling Data Subject requests (including requests for access, rectification, erasure, restriction, portability, and objection) as the Controller of the Customer Personal Data. Axolotl Army provides the following assistance:
- Self-service tools. The data export endpoint (machine-readable JSON) and the deletion request endpoint allow the Customer to fulfil access, portability, and erasure requests without contacting Axolotl Army support.
- Direct requests. If a Data Subject contacts Axolotl Army directly to exercise a right, Axolotl Army will, within seven (7) business days, forward the request to the Customer and direct the Data Subject to the Customer for substantive response.
- Bespoke assistance. Axolotl Army will respond to bespoke assistance requests from the Customer (for example, locating or producing data not surfaced by the export endpoint) within seven (7) business days. The first five (5) bespoke assistance requests per calendar quarter are provided at no charge. For excessive or manifestly unfounded requests, Axolotl Army may charge a reasonable fee at its then-current professional services rate, with a written estimate provided in advance.
5. Sub-processors
The Customer authorizes Axolotl Army to engage the Sub-processors listed in Annex III below for the processing of Customer Personal Data. The list in Annex III is rendered dynamically from Axolotl Army's current configuration and is also published at https://portal.axolotlarmy.net/legal/subprocessors.
The Customer grants Axolotl Army general written authorization to engage further Sub-processors. Axolotl Army will provide at least thirty (30) days' notice of any addition or replacement of a Sub-processor that processes Customer Personal Data, by (a) updating the published Sub-processor list, (b) sending email notice to the primary administrator on the Customer's account, and (c) displaying an in-portal banner.
During the notice period the Customer may object to the proposed change on reasonable data protection grounds by emailing legal@axolotlarmy.net. The parties will work in good faith to resolve the objection. If the objection cannot be resolved within the notice period, the Customer may, as its sole and exclusive remedy, terminate the affected Service component on written notice to Axolotl Army and receive a pro-rata refund of prepaid fees attributable to the unused portion of the affected Service component.
Axolotl Army imposes on every Sub-processor — by written contract — data protection obligations substantially equivalent to those imposed on Axolotl Army under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. Axolotl Army remains fully liable to the Customer for any failure by a Sub-processor to fulfil its data protection obligations.
6. International transfers
Where the provision of the Service involves the transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a Third Country (including the United States, where Axolotl Army and many Sub-processors are located), the parties agree the following transfer mechanisms apply:
- EEA transfers. The SCCs are incorporated into this DPA by reference and apply to such transfers. Module Two (Controller-to-Processor) applies between the Customer (data exporter) and Axolotl Army (data importer). The optional docking clause in Clause 7 is not used. Clause 9(a) Option 2 (general written authorization) applies, with the time period set by Section 5 of this DPA. Clause 11(a) — the optional independent dispute resolution body — is not used. Clause 17 Option 2 applies (the SCCs are governed by the law of the EU Member State in which the Customer is established, or, where the Customer is not established in an EU Member State, by the law of Ireland). Clause 18(b) — the courts of that Member State (or Ireland) have exclusive jurisdiction. Annex I.A, Annex I.B, Annex II, and Annex III of the SCCs are populated by Annex I.A, Annex I.B, Annex II, and Annex III of this DPA respectively.
- Onward transfers to Sub-processors in Third Countries. Module Three (Processor-to-Processor) of the SCCs applies between Axolotl Army (data exporter) and the relevant Sub-processor (data importer). The Customer authorizes Axolotl Army to enter into Module Three SCCs with each such Sub-processor on the Customer's behalf.
- UK transfers. The UK IDTA is incorporated into this DPA by reference and applies to transfers from the United Kingdom. Table 1 (parties): the Customer is the data exporter and Axolotl Army is the data importer. Table 2 (selected SCCs, modules, selected clauses): Module Two of the SCCs as set out above. Table 3 (Appendix Information): populated by the Annexes to this DPA. Table 4 (ending the IDTA): both parties may end the IDTA in accordance with Section 19 of the IDTA.
- Swiss transfers. The SCCs apply with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner (FDPIC), namely: (a) references to the GDPR are read as references to the FADP; (b) references to EU Member State courts are read as references to the courts of Switzerland; (c) the FDPIC is the competent supervisory authority; and (d) references to “EU”, “Union”, or “Member State” law include FADP and Swiss law as applicable.
Where the Sub-processor has executed the SCCs (or an equivalent adequacy mechanism such as Binding Corporate Rules or an adequacy decision) directly with Axolotl Army, that mechanism applies in addition to the onward transfer arrangements above. Axolotl Army performs a transfer impact assessment before onboarding any new Sub-processor that receives Customer Personal Data in a Third Country and applies supplementary technical measures (including encryption in transit, encryption at rest, and key separation) where required by the risk assessment.
7. Personal Data Breach
Axolotl Army will notify the Customer without undue delay, and where feasible within seventy-two (72) hours of confirmation of a Personal Data Breach affecting Customer Personal Data. Notification will be sent by (a) email to the primary administrator on the Customer's account and (b) an in-portal banner. The notification will, taking into account the nature of the processing and the information available, include at least:
- the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to be taken by Axolotl Army to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- the name and contact details of the Axolotl Army security contact (security@axolotlarmy.net) from whom more information can be obtained.
Where it is not possible to provide all the information at the same time, the information may be provided in phases without further undue delay. Axolotl Army will cooperate in good faith with the Customer's remediation, regulator communication, and Article 33–34 GDPR notification obligations. An Axolotl Army notification of, or response to, a Personal Data Breach is not an acknowledgement of fault or liability.
8. Audit rights
Axolotl Army maintains, and provides to the Customer on request, evidence of its security and privacy compliance program, which includes (i) ongoing SOC 2 readiness work targeting a Type II attestation by 2027, (ii) an annual third-party penetration test of the production environment, (iii) continuous vulnerability scanning of application dependencies, and (iv) the technical and organizational measures described in Annex II.
On at least thirty (30) days' prior written notice, the Customer may audit Axolotl Army's compliance with this DPA, no more than once per twelve (12) month period, subject to the following:
- The audit is conducted at the Customer's expense.
- The audit is subject to a written non-disclosure agreement protecting Axolotl Army's and other customers' confidential information.
- The scope of the audit is limited to verifying Axolotl Army's compliance with this DPA and applicable Data Protection Laws.
- Axolotl Army will provide reasonable access to relevant records, processes, and personnel during normal business hours.
- The audit must not unreasonably disrupt the Service, must not compromise the security or confidentiality of any other customer's data, and must not include penetration testing of the production environment without Axolotl Army's prior written consent.
The Customer may satisfy its audit rights through Axolotl Army's most recent third-party audit reports, attestations, and penetration test summaries (subject to NDA), and only conduct on-site or questionnaire-based audits where the available reports are not sufficient. For Enterprise customers with a contract of fifty thousand US dollars (US $50,000) or more in annual recurring revenue, one (1) on-site audit per twelve (12) month period is provided at Axolotl Army's reasonable expense.
Where required by Data Protection Laws, the Customer's competent supervisory authority has the same audit rights as the Customer under this Section 8.
9. Liability
Each party's liability under or in connection with this DPA (including the SCCs, the UK IDTA, and the Swiss adaptations) is subject to and counts toward the limitations and exclusions of liability set out in the Terms of Service. For the avoidance of doubt, the parties' aggregate liability for all claims arising out of or related to this DPA, the SCCs, and the UK IDTA, taken together with all claims under the Terms of Service, is subject to the same aggregate cap stated in the Terms of Service.
Where regulatory fines under Data Protection Laws are imposed on the parties as a result of a breach of this DPA, the parties will allocate responsibility for those fines in proportion to each party's respective fault, save that nothing in this DPA limits or excludes liability that cannot be limited or excluded by applicable law (for example, liability of a data importer to a Data Subject under Clause 12 of the SCCs).
10. Term and termination
This DPA takes effect on the date the Customer accepts the Terms of Service (or such earlier date on which the Customer began using the Service) and continues for the duration of the Terms of Service. On termination of the Terms of Service for any reason, Axolotl Army will return or delete Customer Personal Data in accordance with the last paragraph of Section 3 of this DPA.
The following Sections survive termination of this DPA: Section 4 (Data Subject Rights, with respect to requests received before termination), Section 7 (Personal Data Breach, with respect to breaches affecting Customer Personal Data still held by Axolotl Army), Section 8 (Audit rights, for twelve (12) months after termination), Section 9 (Liability), and Section 11 (Governing law).
11. Governing law
This DPA is governed by the laws of the State of Delaware, United States, without regard to its conflict of laws principles.
For Customer Personal Data subject to the GDPR or UK GDPR, the SCCs and UK IDTA are governed as follows:
- SCCs: per Module Two, Clause 17 Option 2 — the law of the EU Member State where the Customer (data exporter) is established. Where the Customer is not established in an EU Member State, the SCCs are governed by the law of Ireland.
- UK IDTA: the laws of England and Wales, with the courts of England and Wales having exclusive jurisdiction.
- Swiss adaptation: Swiss law, with the FDPIC as the competent supervisory authority and the courts of Switzerland having jurisdiction.
12. Order of precedence
In the event of any conflict or inconsistency between the documents governing the relationship between the parties, the following order of precedence applies (highest first): (1) the SCCs and UK IDTA, where they apply; (2) this DPA; (3) the Terms of Service. A document lower in the order of precedence applies only to the extent it does not conflict with a higher-ranked document.
13. Counterparts and signatures
This DPA is incorporated by reference into the Terms of Service. By clicking “I agree” (or any equivalent affirmative acceptance) during signup, by continuing to use the Service after this DPA takes effect, or by any other means by which the Customer accepts the Terms of Service, the Customer is bound by this DPA without the need for a wet-ink or electronic signature. Where this DPA is incorporated into an enterprise order form or master services agreement that itself is signed, that signature also binds the Customer to this DPA.
Customers requiring a counter-signed copy of this DPA — for example, for procurement records or vendor risk management — may email legal@axolotlarmy.net requesting a DocuSign envelope. Axolotl Army will return a counter-signed copy within five (5) business days at no charge.
14. Contact
- Privacy questions and Data Subject requests: privacy@axolotlarmy.net.
- Legal and DPA execution: legal@axolotlarmy.net.
- Security incidents and breach notification: security@axolotlarmy.net.
Postal address (service of legal process):
Axolotl Army
Attn: Legal
[Street address — fill in via env or update this constant]
[City, State, ZIP, Country]
EU representative (GDPR Article 27). Axolotl Army has not currently appointed an Article 27 representative in the European Union or United Kingdom. Until a representative is appointed, EU/EEA and UK Data Subjects may exercise every right under the GDPR or UK GDPR by contacting privacy@axolotlarmy.net directly.
Annex I.A — Description of Processing
- Subject matter
- The provision of the Service by Axolotl Army to the Customer under the Terms of Service.
- Duration
- For the term of the Terms of Service, plus the post-termination retention periods set out in Section 3 of this DPA (a 30-day export grace period, followed by deletion from production systems within a further 30 days, and purge from rolling encrypted backups within 90 days).
- Nature and purpose of processing
- Hosting, transmitting, and storing Customer Personal Data in order to deliver the Service's features, including: AI video generation; social-media publishing and scheduling; lead generation, enrichment, and outreach; email and calendar synchronization; invoicing and payment processing; in-portal AI assistants (AXY, Axo) for customer support and content generation; analytics and error monitoring; and the related operational, security, and compliance activities described in Axolotl Army's Privacy Policy.
- Categories of Data Subjects
- The Customer's authorized users (administrators, team members, agents, contractors).
- The Customer's end-recipients — including lead targets, cold-email recipients, calendar booking attendees, contact records, and other natural persons whose personal data the Customer uploads to or processes through the Service.
- Other natural persons whose personal data is incidentally included in content the Customer generates or uploads (for example, persons depicted in or referenced by user-supplied video prompts).
- Categories of Personal Data
- The following categories of Customer Personal Data are processed, corresponding to the data categories disclosed in Axolotl Army's Privacy Policy:

| Category | What it includes |
|---|---|
| Account data | Email address, display name, hashed password (never plaintext), portal role, login timestamps. |
| Billing data | Stripe customer ID, subscription tier, invoice history, payment status. We do not store full card numbers — Stripe holds them under PCI-DSS. |
| Generated and uploaded content | Prompts you write, videos you generate, images you upload, social captions, brand profile, lead lists, contact records, outbound emails sent through connected mailboxes. |
| Operational logs | Request logs, error reports, audit trails (who did what when), rate-limit counters, security events. |
| Google Workspace data (when connected) | OAuth refresh tokens (encrypted at rest with AES-256-GCM), calendar events you create through the portal, outreach email metadata, Drive folder IDs. |

- Special categories of data
- Special categories of personal data (Article 9 GDPR) are not intentionally processed by the Service. If the Customer uploads or submits special category data through prompts, content, lead lists, or contact records, the Customer is responsible for ensuring that it has a lawful basis for that processing under Article 9(2) GDPR and any applicable Member State law.
- Frequency of processing
- Continuous, for the duration of the Customer's use of the Service.
Annex I.B — Competent Supervisory Authority
Pursuant to Clause 13 of the SCCs, the competent supervisory authority is identified by reference to the Customer's establishment, as follows:
- Where the Customer is established in an EU Member State, the competent supervisory authority is the data protection authority of that Member State.
- Where the Customer is not established in an EU Member State but has appointed a representative under Article 27 GDPR, the competent supervisory authority is the authority of the Member State in which the representative is established.
- Where the Customer is not established in an EU Member State and has not appointed an Article 27 representative, but Data Subjects whose personal data is transferred under the SCCs are in an EU Member State, the competent supervisory authority is the authority of that Member State.
- For UK transfers under the UK IDTA, the competent supervisory authority is the United Kingdom Information Commissioner's Office (ICO).
- For Swiss transfers, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Annex II — Technical and Organizational Measures (TOMs)
Axolotl Army implements and maintains the following technical and organizational measures, in accordance with Article 32 GDPR. The measures are reviewed at least annually and updated to reflect the state of the art and the risk profile of the Service.
Encryption
- In transit: TLS 1.3 (or later) for every connection between the user's browser, the portal, our APIs, and our Sub-processors. HTTP Strict Transport Security (HSTS) is enforced with preload.
- At rest — application secrets: AES-256-GCM for OAuth refresh tokens, mailbox credentials, and other sensitive application secrets. Encryption keys are held outside the database and rotated; a dual-key rotation mechanism (`APP_ENCRYPTION_KEY` + `APP_ENCRYPTION_KEY_OLD`) supports zero-downtime key rotation.
- At rest — passwords: bcrypt (with appropriate cost factor); plaintext passwords are never stored or logged.
- At rest — database: the production PostgreSQL database (Neon) provides encryption at rest at the storage layer.
Access control
- Role-based access control (RBAC) at the application layer (OWNER, ADMIN, MEMBER tiers) with least-privilege defaults.
- Engineering production access is restricted to named individuals, gated by single sign-on, and granted on a least-privilege basis with time-bound elevation.
- Multi-factor authentication. Production-engineering access at our cloud providers (Vercel, Neon, Cloudflare, Stripe) is gated by 2FA enforced by those providers. Customer-facing 2FA on the Portal application is on the product roadmap; until shipped, we mitigate credential-stuffing with a 5-failure / 15-minute login-attempt lockout per email address.
- Audit logs. Privileged administrator actions and security-sensitive events (logins, password changes, role changes, billing actions, manual data deletions, OAuth grants and revocations) are recorded in an `AuditLog` table stored in our managed Postgres database with continuous point-in-time recovery. Logs are append-only in operation but are not cryptographically tamper-evident.
Network security
- Production traffic is served over the Vercel edge network. Edge rate-limiting (Upstash) protects the application from credential-stuffing, scraping, and brute-force attacks.
- DDoS mitigation is provided by Cloudflare in front of the edge network.
- A login-attempt lockout mechanism (5 failures per 15 minutes, per-email, case-insensitive) protects the credentials provider.
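The login-attempt lockout referenced in the Access control and Network security lists above (5 failures per 15 minutes, per email, case-insensitive), as an added example that is not Axolotl Army's own code. It assumes a sliding window measured from the oldest failure, an in-memory counter store, and that a successful login clears the counter; the `LoginLockout` class, `attemptLogin` and the injectable clock are constructed for the example.

```javascript
// Added example (not Axolotl Army's code): per-email login lockout with the
// thresholds stated in Annex II (5 failures per 15 minutes, case-insensitive).
// Assumption: a sliding window; the lock clears when the oldest failure ages out.
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;

// Normalise so "Alice@Example.com " and "alice@example.com" share one counter.
function lockoutKey(email) {
  return email.trim().toLowerCase();
}

class LoginLockout {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so the window can be tested
    this.failures = new Map(); // key -> array of failure timestamps (ms)
  }

  // Drop failures that fell outside the sliding window and return the rest.
  _recent(key) {
    const cutoff = this.now() - WINDOW_MS;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    if (kept.length) this.failures.set(key, kept); else this.failures.delete(key);
    return kept;
  }

  isLocked(email) {
    return this._recent(lockoutKey(email)).length >= MAX_FAILURES;
  }

  // { locked, remaining, retryAfterMs } for the caller's error response / logging.
  status(email) {
    const recent = this._recent(lockoutKey(email));
    const locked = recent.length >= MAX_FAILURES;
    return {
      locked,
      remaining: Math.max(0, MAX_FAILURES - recent.length),
      retryAfterMs: locked ? recent[0] + WINDOW_MS - this.now() : 0,
    };
  }

  recordFailure(email) {
    const key = lockoutKey(email);
    const recent = this._recent(key);
    recent.push(this.now());
    this.failures.set(key, recent);
    return this.status(email);
  }

  recordSuccess(email) {
    this.failures.delete(lockoutKey(email));
  }
}

// Check the lock before verifying credentials: a locked account is rejected even
// with the right password, and the password hash is never evaluated while locked.
function attemptLogin(lockout, email, password, verify) {
  if (lockout.isLocked(email)) return { ok: false, reason: "locked" };
  if (verify(email, password)) {
    lockout.recordSuccess(email);
    return { ok: true };
  }
  const s = lockout.recordFailure(email);
  return { ok: false, reason: s.locked ? "locked" : "invalid", remaining: s.remaining };
}

// Five wrong guesses spread across case/whitespace variants of one address lock
// that address; the lock clears after the window. Credentials are constructed here.
function demo() {
  let t = 0;
  const lockout = new LoginLockout(() => t);
  const verify = (e, p) => lockoutKey(e) === "alice@example.com" && p === "correct horse";
  const variants = ["Alice@Example.com", "alice@example.com", "ALICE@example.com",
                    "alice@EXAMPLE.com", " alice@example.com"];
  const results = variants.map((e) => attemptLogin(lockout, e, "wrong", verify).reason);
  const lockedWithRightPassword = attemptLogin(lockout, "alice@example.com", "correct horse", verify);
  const status = lockout.status("alice@example.com");
  t = WINDOW_MS + 1; // advance past the window
  const afterWindow = attemptLogin(lockout, "alice@example.com", "correct horse", verify);
  return { results, lockedWithRightPassword, status, afterWindow };
}
```

An in-memory map only works for a single process; behind an edge network the counter belongs in a shared store so every instance sees the same failure count.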
Application security
- Static analysis, type checking (TypeScript strict mode), and dependency vulnerability scanning (npm audit) on every change.
- Secret-scanning hooks and pre-commit checks prevent credentials from being committed to source control.
- Software composition analysis (SCA) flags known-vulnerable packages before they reach production.
- A Content Security Policy (CSP) is enforced; mixed-content is blocked; cookies are `Secure`, `HttpOnly`, and `SameSite=Lax` by default.
- All client-controlled HTML is escaped through `htmlEscape()` before rendering in email templates and PDFs to prevent injection attacks. All outbound URLs are validated via a scheme allowlist (`safeExternalUrl()`), and server-to-server calls use constant-time secret comparison (`internalAuth`).
- Input from third-party LLM tool calls and other untrusted sources is Zod-validated against authoritative schemas before reaching business logic.
Data minimization and pseudonymization
- We collect only the data needed to operate the Service. New data flows pass a data-minimization review before launch.
- User identifiers are hashed (one-way) before being sent to error monitoring tools where the raw identifier is not required.
- Personally identifiable data is redacted from verbose application logs.
- Aggregate, de-identified analytics are used for product decision-making in preference to individual-level analytics.
Backups and resilience
- Continuous point-in-time recovery (PITR) is provided by the database host (Neon). Backup encryption is inherited from the underlying storage layer.
- Restore drills are performed at least quarterly to verify recoverability.
- Business continuity targets: Recovery Time Objective (RTO) of four (4) hours; Recovery Point Objective (RPO) of fifteen (15) minutes — as published in the Service Level Agreement at https://portal.axolotlarmy.net/legal/sla.
Logging and monitoring
- Structured application logs centralized in a query-able store; PII is redacted at the source.
- Native error monitor (with optional Sentry alongside) aggregates exceptions for triage; stack traces are retained, payloads are sanitized.
- Uptime checks (synthetic transactions) run continuously against production endpoints and trigger paging on failure.
- Security events (failed logins, privilege escalations, sensitive actions) are written to a tamper-evident audit log.
Incident response
- A documented incident response runbook with defined severity tiers, escalation paths, on-call rotation, and a 72-hour Personal Data Breach notification commitment (Section 7).
- Post-incident reviews are conducted for every Severity 1 incident and material near-miss; corrective actions are tracked to closure.
- Vulnerability reports are accepted at security@axolotlarmy.net; we honor coordinated disclosure timelines.
Personnel
- Background checks (where lawful) before granting production access.
- Written confidentiality and acceptable-use commitments for every person with access to Customer Personal Data.
- Annual security and privacy training for all engineering and customer-facing staff.
- Quarterly phishing simulations with remedial training for any failure.
Vendor management
- Every Sub-processor is reviewed against Axolotl Army's vendor risk standard before onboarding. The minimum baseline is: a published privacy policy; a GDPR-compliant DPA available; encryption at rest and in transit; a documented incident response process; and (where applicable) a recent SOC 2 Type II or ISO 27001 attestation.
- Sub-processors are reviewed at least annually and on any material change to their processing activities.
Physical security
- Customer Personal Data is hosted in tier-1 cloud data centers operated by Sub-processors that maintain SOC 2 Type II, ISO 27001, or equivalent attestations covering physical access control, environmental safeguards, and media destruction.
Business continuity and disaster recovery
- Production architecture is multi-region (or multi-AZ as applicable) for high availability of stateless components.
- Documented failover procedures exist for the database and primary object store.
- RTO 4 hours, RPO 15 minutes, as published in the SLA.
Annex III — List of Sub-processors
The Sub-processors below are engaged by Axolotl Army to process Customer Personal Data on behalf of the Customer. The list is rendered from Axolotl Army's current Service configuration and reflects the state of processing on the effective date at the top of this DPA.
| Name | Purpose | Location | Categories of Personal Data | Privacy policy |
|---|---|---|---|---|
| Neon | Managed PostgreSQL hosting (primary database). | United States (AWS us-east region). | Account data, Billing metadata, Generated content metadata, Audit logs | Link |
| Vercel | Application hosting, edge runtime, and CDN. | United States and global edge network. | Request logs, IP addresses, Account session cookies | Link |
| Cloudflare (R2 + Workers) | Object storage for generated media and uploaded assets. | United States and global edge network. | Generated videos, Uploaded images, Generated audio | Link |
| Stripe | Payment processing, subscription billing, invoicing. | United States, Ireland. | Name, Billing email, Card last-4 / brand, Transaction history | Link |
| Resend | Transactional email delivery (account, billing, security notifications). | United States. | Recipient email, Email content, Delivery logs | Link |
| Anthropic | Large-language-model inference for AXY, Axo, and content generation features (Claude API). | United States. | Prompts you submit, Content you ask the assistants to draft, Brand profile context | Link |
| OpenAI | Fallback text-to-speech for AXY voice and slideshow narration when ElevenLabs is unavailable. | United States. | Text to be spoken (no audio retention beyond synthesis) | Link |
| ElevenLabs | Primary text-to-speech provider for AXY chat voice and slideshow narration. | United States, United Kingdom. | Text to be spoken, Voice ID selection | Link |
| Kie.ai | Veo 3 video generation (8-second portrait clips with native audio). | United States. | Generation prompts, Generated video output | Link |
| Runway ML | Gen-4.5 video generation (multi-clip stories up to 60 seconds). | United States. | Generation prompts, Reference images you upload, Generated video output | Link |
| Deepgram | Speech-to-text for auto-captions on generated and uploaded video. | United States. | Audio you submit for transcription, Resulting transcripts | Link |
| Google (Workspace APIs) | OAuth login, Google Calendar bidirectional sync, Gmail send (outreach), Drive upload (assets), Google Maps geocoding (Lead Finder). | United States, European Union (per Google's regional data centers). | Account email + display name, Calendar events you create on the portal (when sync is enabled), Outreach emails sent through your connected mailbox, Free/busy availability for booking links, Place lookups for Lead Finder (no end-user data leaves your client account) | Link |
| Microsoft (Graph) | Outlook calendar read sync (free/busy lookup) when an Outlook account is connected. | United States, European Union (per Microsoft's regional data centers). | Calendar event subjects, start/end, attendees, busy/free status | Link |
| Blotato | Cross-posting helper for Threads + Instagram (other platforms publish via direct platform APIs). | United States. | Social post text + media, Linked social account identifiers | Link |
| Upstash | Rate-limit counters and ephemeral session/cache state. | United States, European Union. | Hashed account identifiers, Counter values | Link |
| Sentry (optional) | Error tracking and exception aggregation. Native error monitor is preferred; Sentry runs alongside. | United States, European Union. | Stack traces, Hashed user IDs, Request URLs (sanitized) | Link |
| Cloudinary | Legacy media-asset CDN used as a fallback path during the Phase 71 migration to native Cloudflare R2 storage. New uploads go to R2; Cloudinary still hosts some historical assets and is consulted when an R2 fetch fails. | United States, European Union. | Generated and uploaded media (images, video frames) | Link |
| Creatomate | Server-side video rendering fallback. New rendering jobs prefer the native Remotion-based renderer; Creatomate is the documented fallback when the native worker is unavailable. | United States, European Union. | Source video clips, Render templates, Rendered output | Link |
We will provide at least thirty (30) days' notice of any addition or material change to this list via email to the primary administrator on the Customer's account and an in-portal banner. The current list above is also published as a stand-alone page at https://portal.axolotlarmy.net/legal/subprocessors for ease of reference and procurement review.