Data Processing Agreement
Last updated: 16 June 2026 · Effective for all paid customers
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Controller: the customer entity that has executed the Anthyx Subscription Agreement or Terms of Service (“Customer”); and
- Processor: Anthyx Ltd., operator of the Anthyx platform (“Anthyx”, “we”, “us”).
This DPA supplements and is incorporated into the Anthyx Terms of Service. In the event of conflict, this DPA takes precedence with respect to data protection obligations.
2. Definitions
Terms not defined here take the meaning given in the GDPR (Regulation (EU) 2016/679) or, where applicable, the UK GDPR.
- Personal Data — any information relating to an identified or identifiable natural person processed by Anthyx on behalf of the Customer.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor — any third party engaged by Anthyx to process Personal Data on behalf of the Customer.
- Data Subject — an individual whose Personal Data is processed.
3. Scope and Purpose of Processing
Anthyx processes Personal Data solely to provide the services described in the Subscription Agreement, including:
- Storing and processing user-submitted brand data, form responses, and contact information;
- Generating AI-assisted marketing content based on Customer-provided context;
- Publishing content to connected social platforms on the Customer's behalf;
- Sending email campaigns to the Customer's mailing list subscribers;
- Providing analytics and performance reporting;
- Authenticating users and enforcing access controls.
Processing is carried out on documented instructions from the Customer. Anthyx will not process Personal Data for any other purpose unless required by applicable law.
4. Customer Obligations
As Controller, the Customer:
- Ensures it has a valid lawful basis (e.g. consent, legitimate interest, contract) for all Personal Data submitted to the platform;
- Is responsible for ensuring that Data Subjects receive appropriate transparency notices;
- Will not submit special category data (as defined in Article 9 GDPR) unless expressly agreed in writing;
- Will promptly notify Anthyx if any Customer instructions would violate applicable data protection law.
5. Anthyx Obligations as Processor
Anthyx will:
- Process Personal Data only on documented Customer instructions, except where required to do so by law (in which case Anthyx will notify the Customer unless prohibited);
- Ensure all personnel authorised to process Personal Data are bound by confidentiality obligations;
- Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, or destruction (see §7);
- Assist the Customer in responding to Data Subject requests (access, rectification, erasure, portability, objection) within reasonable timeframes;
- Assist the Customer in meeting obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
- At the Customer's choice, delete or return all Personal Data upon termination of services, and delete copies unless storage is required by law;
- Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
6. Sub-processors
Anthyx uses the following categories of sub-processors to provide the service. The current list is maintained at useanthyx.com/privacy/sub-processors.
Anthyx will give the Customer at least 30 days' prior notice of any intended change to sub-processors. The Customer may object within that period on reasonable grounds related to data protection. Where the Customer legitimately objects and Anthyx cannot accommodate the objection, either party may terminate the affected services on written notice.
Anthyx imposes contractually equivalent data protection obligations on all sub-processors and remains fully liable to the Customer for sub-processor performance.
7. Security Measures
Anthyx maintains the following technical and organisational measures:
- Encryption in transit: All data transmitted between clients and the platform uses TLS 1.2+ (HTTPS enforced).
- Encryption at rest: Database volumes and backups are encrypted using AES-256.
- Access controls: Role-based access control (RBAC), principle of least privilege, and MFA required for infrastructure access.
- Audit logging: All administrative actions are logged with user, timestamp, and IP.
- Vulnerability management: Regular dependency scanning, security patching, and penetration testing.
- Backups: Daily automated backups with point-in-time recovery retained for 30 days.
- Incident response: Documented security incident response plan; breach notification per §8.
8. Personal Data Breach Notification
In the event of a Personal Data breach (as defined in Article 4(12) GDPR), Anthyx will notify the Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
Notification will include (to the extent known at the time): the nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed.
The Customer is responsible for determining whether notification to a supervisory authority or affected Data Subjects is required, and for making such notifications.
9. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) by Anthyx or its sub-processors. Where such transfers occur, Anthyx ensures an adequate level of protection through one of the following mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- An adequacy decision by the European Commission; or
- Another lawful transfer mechanism under Chapter V GDPR.
Details of transfer mechanisms for specific sub-processors are available on request.
10. Data Subject Rights
Anthyx will assist the Customer in fulfilling Data Subject requests within 30 days of receipt. This includes rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).
Data Subjects may submit requests directly to the Customer. The Customer may then instruct Anthyx via legal@useanthyx.com. Anthyx will not respond to Data Subjects directly on the Customer's behalf except where instructed.
11. Audits
Anthyx will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer (or a mandated independent auditor) may conduct audits of Anthyx's data processing activities, subject to:
- 30 days' prior written notice;
- Reasonable restrictions to protect confidential information of other customers;
- Audits occurring no more than once per calendar year unless a breach has occurred.
Anthyx may satisfy audit requests by providing relevant third-party audit reports (e.g. SOC 2 Type II, ISO 27001) in lieu of an on-site audit.
12. Term and Termination
This DPA is effective for the duration of the Subscription Agreement and terminates automatically upon expiry or termination of that agreement. Obligations regarding data return, deletion, and confidentiality survive termination.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Subscription Agreement. Nothing in this DPA limits a party's liability to a Data Subject or supervisory authority as required by applicable law.
14. Governing Law
This DPA is governed by the same law as the Subscription Agreement. Where the Customer is established in the EU/EEA, this DPA is additionally governed by applicable EU data protection law.
15. Contact
Data protection queries: legal@useanthyx.com
To execute this DPA, email legal@useanthyx.com with your company details and the name/title of your authorised signatory. We will return a countersigned copy within 5 business days.