Appendix A to the Terms of Service
This Data Processing Agreement governs the processing of personal data in connection with the askDidier.ai Service and forms an integral part of the Terms of Service.
Last updated: 5th November 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Controller") and Azola.tech Ltd (company number: 15994260) ("we," "us," "our," or "Processor") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the askDidier.ai Service.
This DPA applies to the extent that Processor processes personal data on behalf of Controller in the course of providing the Service. Both parties agree to comply with all applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
"Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including the UK GDPR, the Data Protection Act 2018, and any subsequent amendments or replacements.
Terms such as "personal data," "data subject," "processing," "controller," "processor," "sub-processor," and "data breach" have the meanings given in Data Protection Laws. Where this DPA uses these terms, they have the same meaning as in the UK GDPR.
"Customer Personal Data" means any personal data that Processor processes on behalf of Controller in connection with the Service, including personal data contained in questionnaire documents, knowledge base materials, and user account information.
Customer acts as the Controller of Customer Personal Data and determines the purposes and means of processing. Processor acts as a Processor and processes Customer Personal Data only on behalf of and in accordance with Controller's documented instructions.
Nature of Processing:
Purpose of Processing:
Duration of Processing:
For the duration of the Service subscription and 30 days thereafter for data deletion.
Types of Personal Data:
Categories of Data Subjects:
Processor shall process Customer Personal Data only in accordance with Controller's documented instructions, which are:
Processor will inform Controller if, in Processor's opinion, an instruction violates Data Protection Laws.
Processor shall process Customer Personal Data in compliance with Data Protection Laws and only for the purposes set out in this DPA. Processor warrants that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
Processor shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include:
Technical Measures:
Organizational Measures:
Processor will review and update these measures as appropriate to maintain a level of security appropriate to the risk to the rights and freedoms of data subjects.
Controller provides general authorization for Processor to engage sub-processors. Processor shall:
Current Sub-processors:
Controller may object to the appointment of a new sub-processor by notifying Processor in writing within 15 days of receiving notice. If Controller objects, the parties will work together in good faith to find a commercially reasonable solution. If no solution is found, Controller may terminate the affected Service.
Processor shall, to the extent legally permitted and taking into account the nature of the processing, assist Controller in responding to requests from data subjects exercising their rights under Data Protection Laws, including:
Controller shall be responsible for responding to such requests. Processor will provide reasonable assistance, at Controller's expense, to enable Controller to comply with such requests.
Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of any personal data breach affecting Customer Personal Data. The notification shall include:
Processor shall provide reasonable cooperation and assistance to Controller in investigating and remediating the breach, and in meeting Controller's obligations under Data Protection Laws regarding breach notification.
Processor shall, to the extent required by Data Protection Laws and at Controller's request, provide reasonable assistance to Controller in conducting data protection impact assessments and prior consultations with supervisory authorities.
Controller represents and warrants that its instructions to Processor comply with Data Protection Laws and that it has a lawful basis for the processing of Customer Personal Data.
Controller is responsible for ensuring that it has provided all necessary notices to and obtained all necessary consents from data subjects as required by Data Protection Laws for the processing of Customer Personal Data by Processor.
Controller shall ensure that all instructions it gives to Processor regarding the processing of Customer Personal Data comply with Data Protection Laws and this DPA.
Processor shall process and store Customer Personal Data exclusively within the United Kingdom using AWS infrastructure located in UK data centers, except as otherwise agreed in writing or as required for backup and disaster recovery purposes.
To the extent that processing involves transfers of personal data to countries outside the United Kingdom:
Note: While data storage is UK-based, API calls to OpenAI and Anthropic may involve data transmission to the United States. These sub-processors have implemented appropriate safeguards including Standard Contractual Clauses and supplementary measures.
Controller may export Customer Personal Data at any time during the subscription term using the Service's export functionality. It is Controller's responsibility to export data before termination of the Service.
Upon termination or expiration of the Service, Processor shall (at Controller's choice, if technically feasible) delete or return all Customer Personal Data to Controller, unless EU or UK law requires continued storage. Processor shall delete Customer Personal Data within 30 days of termination, except for data retained in backups which shall be deleted in accordance with Processor's standard backup retention policies (maximum 90 days).
Upon Controller's written request, Processor shall provide written certification that Customer Personal Data has been deleted in accordance with this Section.
Processor shall, upon reasonable written notice and no more than once per year (except where required by a supervisory authority or in the event of a suspected breach), allow Controller or an independent third-party auditor appointed by Controller to audit Processor's compliance with this DPA.
Any audit shall be subject to the following conditions:
Instead of an on-site audit, Processor may, at its option, provide Controller with relevant compliance documentation, including security certifications, third-party audit reports, or other evidence of compliance with this DPA and Data Protection Laws.
Each party shall be liable for its respective obligations under Data Protection Laws. Processor shall be liable for damages caused by processing only where it has not complied with obligations specifically directed at processors under Data Protection Laws or where it has acted outside or contrary to lawful instructions from Controller.
Subject to the requirements of Data Protection Laws, the limitation of liability provisions in the Terms of Service shall apply to any claims arising under or in connection with this DPA. Nothing in this DPA shall exclude or limit liability that cannot be excluded or limited under applicable law.
The parties shall cooperate in good faith to address any claims by data subjects or supervisory authorities relating to the processing of Customer Personal Data under this DPA.
This DPA forms part of and is subject to the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict with respect to data protection matters.
The parties agree to review this DPA and make any amendments necessary to comply with changes in Data Protection Laws. Such amendments shall be agreed in writing by both parties.
If there is any conflict between this DPA and any other agreement between the parties relating to data protection, this DPA shall prevail.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be replaced with a valid provision that most closely matches the intent of the original provision.
This DPA shall be governed by the laws of England and Wales, without regard to conflicts of law principles.
For questions or concerns about data processing or this DPA, please contact:
Email: [email protected] or [email protected]
Phone: +44 1323 335075
Azola.tech Ltd
Company Registration: 15994260
167-169 Great Portland Street, 5th Floor
London, W1W 5PF
United Kingdom
Where required by Data Protection Laws for international data transfers, the parties agree to execute the appropriate Standard Contractual Clauses as approved by the European Commission or UK Information Commissioner's Office. These clauses can be requested from [email protected].
This Data Processing Agreement is effective as of 14 November 2025 and was last updated on the same date.
Version 1.0 | Appendix A to the Terms of Service