
Data Processing Agreement

Last updated: 16 June 2026 · Effective for all paid customers

How to execute this DPA: Email legal@useanthyx.com with your company name, registered address, and the email address of your DPA signatory. We will return a countersigned copy within 5 business days.

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Controller: the customer entity that has executed the Anthyx Subscription Agreement or Terms of Service (“Customer”); and
  • Processor: Anthyx Ltd., operator of the Anthyx platform (“Anthyx”, “we”, “us”).

This DPA supplements and is incorporated into the Anthyx Terms of Service. In the event of conflict, this DPA takes precedence with respect to data protection obligations.

2. Definitions

Terms not defined here take the meaning given in the GDPR (Regulation (EU) 2016/679) or, where applicable, the UK GDPR.

  • Personal Data — any information relating to an identified or identifiable natural person processed by Anthyx on behalf of the Customer.
  • Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • Sub-processor — any third party engaged by Anthyx to process Personal Data on behalf of the Customer.
  • Data Subject — an individual whose Personal Data is processed.

3. Scope and Purpose of Processing

Anthyx processes Personal Data solely to provide the services described in the Subscription Agreement, including:

  • Storing and processing user-submitted brand data, form responses, and contact information;
  • Generating AI-assisted marketing content based on Customer-provided context;
  • Publishing content to connected social platforms on the Customer's behalf;
  • Sending email campaigns to the Customer's mailing list subscribers;
  • Providing analytics and performance reporting;
  • Authenticating users and enforcing access controls.

Processing is carried out on documented instructions from the Customer. Anthyx will not process Personal Data for any other purpose unless required by applicable law.

4. Customer Obligations

As Controller, the Customer:

  • Ensures it has a valid lawful basis (e.g. consent, legitimate interest, contract) for all Personal Data submitted to the platform;
  • Is responsible for ensuring that Data Subjects receive appropriate transparency notices;
  • Will not submit special category data (as defined in Article 9 GDPR) unless expressly agreed in writing;
  • Will promptly notify Anthyx if any Customer instructions would violate applicable data protection law.

5. Anthyx Obligations as Processor

Anthyx will:

  • Process Personal Data only on documented Customer instructions, except where required to do so by law (in which case Anthyx will notify the Customer unless prohibited);
  • Ensure all personnel authorised to process Personal Data are bound by confidentiality obligations;
  • Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, or destruction (see §7);
  • Assist the Customer in responding to Data Subject requests (access, rectification, erasure, portability, objection) within reasonable timeframes;
  • Assist the Customer in meeting obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
  • At the Customer's choice, delete or return all Personal Data upon termination of services, and delete copies unless storage is required by law;
  • Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.

6. Sub-processors

Anthyx uses the following categories of sub-processors to provide the service. The current list is maintained at useanthyx.com/privacy/sub-processors.

Anthyx will give the Customer at least 30 days' prior notice of any intended change to sub-processors. The Customer may object within that period on reasonable grounds related to data protection. Where the Customer legitimately objects and Anthyx cannot accommodate the objection, either party may terminate the affected services on written notice.

Anthyx imposes contractually equivalent data protection obligations on all sub-processors and remains fully liable to the Customer for sub-processor performance.

7. Security Measures

Anthyx maintains the following technical and organisational measures:

  • Encryption in transit: All data transmitted between clients and the platform uses TLS 1.2+ (HTTPS enforced).
  • Encryption at rest: Database volumes and backups are encrypted using AES-256.
  • Access controls: Role-based access control (RBAC), principle of least privilege, and MFA required for infrastructure access.
  • Audit logging: All administrative actions are logged with user, timestamp, and IP.
  • Vulnerability management: Regular dependency scanning, security patching, and penetration testing.
  • Backups: Daily automated backups with point-in-time recovery retained for 30 days.
  • Incident response: Documented security incident response plan; breach notification per §8.

8. Personal Data Breach Notification

In the event of a Personal Data breach (as defined in Article 4(12) GDPR), Anthyx will notify the Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

Notification will include (to the extent known at the time): the nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed.

The Customer is responsible for determining whether notification to a supervisory authority or affected Data Subjects is required, and for making such notifications.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) by Anthyx or its sub-processors. Where such transfers occur, Anthyx ensures an adequate level of protection through one of the following mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • An adequacy decision by the European Commission; or
  • Another lawful transfer mechanism under Chapter V GDPR.

Details of transfer mechanisms for specific sub-processors are available on request.

10. Data Subject Rights

Anthyx will assist the Customer in fulfilling Data Subject requests within 30 days of receipt. This includes rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).

Data Subjects may submit requests directly to the Customer. The Customer may then instruct Anthyx via legal@useanthyx.com. Anthyx will not respond to Data Subjects directly on the Customer's behalf except where instructed.

11. Audits

Anthyx will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer (or a mandated independent auditor) may conduct audits of Anthyx's data processing activities, subject to:

  • 30 days' prior written notice;
  • Reasonable restrictions to protect confidential information of other customers;
  • Audits occurring no more than once per calendar year unless a breach has occurred.

Anthyx may satisfy audit requests by providing relevant third-party audit reports (e.g. SOC 2 Type II, ISO 27001) in lieu of an on-site audit.

12. Term and Termination

This DPA is effective for the duration of the Subscription Agreement and terminates automatically upon expiry or termination of that agreement. Obligations regarding data return, deletion, and confidentiality survive termination.

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Subscription Agreement. Nothing in this DPA limits a party's liability to a Data Subject or supervisory authority as required by applicable law.

14. Governing Law

This DPA is governed by the same law as the Subscription Agreement. Where the Customer is established in the EU/EEA, this DPA is additionally governed by applicable EU data protection law.

15. Contact

Data protection queries: legal@useanthyx.com

To execute this DPA, email legal@useanthyx.com with your company details and the name/title of your authorised signatory. We will return a countersigned copy within 5 business days.