Data Processing Agreement
Effective date: 5 June 2026
Entity: Axys Analysis LLC (“Axys Analysis”, “Processor”)
Contact: contact@axysanalysis.com
Section 1 — Definitions
“Controller” means the customer entity that has signed up to use the Axys Analysis platform and determines the purposes and means of processing personal data.
“Processor” means Axys Analysis LLC, which processes personal data on behalf of the Controller.
“Personal Data” means any information relating to an identified or identifiable natural person processed through the Axys Analysis platform.
“Services” means the cognitive screening and candidate assessment platform provided by Axys Analysis LLC.
“Sub-processor” means any third party engaged by the Processor to process Personal Data in connection with the Services.
Section 2 — Scope and role
2.1
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Controller and Axys Analysis LLC and governs the processing of Personal Data by Axys Analysis LLC on behalf of the Controller.
2.2
The Controller is the data controller for all candidate Personal Data collected through the platform. Axys Analysis LLC acts solely as a data processor for such data, processing it only on the documented instructions of the Controller.
2.3
This DPA applies to all Personal Data processed through the platform, including candidate names, email addresses, assessment responses, and behavioural signals captured during assessments.
Section 3 — Processor obligations
Axys Analysis LLC agrees to:
3.1
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries.
3.2
Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
3.3
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, and rate limiting.
3.4
Not engage any Sub-processor without informing the Controller. The current list of Sub-processors is maintained at /legal/sub-processors. Controllers will be notified at least 30 days before any new Sub-processor is engaged.
3.5
Assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law.
3.6
Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
3.7
At the choice of the Controller, delete or return all Personal Data on termination of the Services, and delete existing copies unless applicable law requires their retention.
3.8
Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA.
Section 4 — Controller obligations
The Controller agrees to:
4.1
Ensure it has a lawful basis for processing candidate Personal Data and for instructing Axys Analysis LLC to process it on its behalf.
4.2
Obtain all necessary consents and provide all required notices to candidates before administering assessments through the platform.
4.3
Ensure candidates are informed that an automated assessment tool is used and how their data will be processed.
4.4
Not instruct Axys Analysis LLC to process Personal Data in a manner that would violate applicable law.
Section 5 — Data retention and deletion
5.1
Candidate Personal Data is retained for up to 24 months from the date of collection, after which it is anonymised.
5.2
Declined candidates' data is deleted after 60 days, or immediately upon job closure, whichever is earlier.
5.3
On termination of the Controller's account, Personal Data will be deleted within 30 days unless the Controller requests earlier deletion or applicable law requires longer retention.
Section 6 — Security incidents
6.1
Axys Analysis LLC will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's data.
6.2
Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
6.3
The Controller is responsible for notifying supervisory authorities and affected data subjects where required by applicable law.
Section 7 — Sub-processors
7.1
The Controller provides general authorisation for Axys Analysis LLC to engage Sub-processors for the delivery of the Services.
7.2
The current list of Sub-processors is available at /legal/sub-processors.
7.3
Axys Analysis LLC will inform the Controller of any intended changes to Sub-processors at least 30 days in advance. The Controller may object to a new Sub-processor by contacting contact@axysanalysis.com within 14 days of notification.
7.4
Axys Analysis LLC ensures that Sub-processors are bound by data protection obligations equivalent to those in this DPA.
Section 8 — International transfers
8.1
All Sub-processors used by Axys Analysis LLC are based in the United States.
8.2
Where Personal Data originating from the European Economic Area or United Kingdom is transferred to the United States, such transfers are subject to appropriate safeguards as required by applicable law.
8.3
Controllers with EEA or UK users should contact contact@axysanalysis.com to discuss appropriate transfer mechanisms before using the platform.
Section 9 — Term and termination
This DPA is effective for the duration of the Controller's subscription to the Services and terminates automatically upon termination of the Terms of Service.
Section 10 — Governing law
This DPA is governed by the laws of the State of Indiana.
Section 11 — Contact
Axys Analysis LLC
Sub-processor list: /legal/sub-processors