Data Processing Agreement

AxiomCausal provides a Data Processing Agreement (DPA) compliant with GDPR Article 28 and the Swiss Federal Act on Data Protection to every client institution before any production deployment. This page summarizes the key commitments of the DPA and explains how to obtain the full template.

1. Architectural foundation

The AxiomCausal platform is designed to be deployed inside the client's own environment — on-premise, private cloud dedicated to the client, or air-gapped isolated network. This architectural choice is a prerequisite to the DPA: in a client-deployed installation, AxiomCausal does not act as a processor of debtor data in the normal sense of the term, because debtor data never leaves the client perimeter. The role of AxiomCausal is limited to providing the software, the decisioning modules, and the operational support agreed in the Master Services Agreement.

2. Key DPA commitments

• Purpose limitation. AxiomCausal processes personal data only for the purposes explicitly set out in the Master Services Agreement and the DPA. No secondary use, no aggregation for commercial analytics, no training of third-party models on client data.
• Confidentiality. All personnel with access to client systems are bound by written confidentiality obligations.
• Technical and organizational measures. Encryption at rest and in transit, append-only audit spine for sensitive operations, role-based access control, multi-factor authentication on administrative surfaces, documented incident response procedures.
• Sub-processors. AxiomCausal maintains a list of authorized sub-processors (if any) and notifies the client before any change.
• International transfers. Because deployment is on-premise in the client's jurisdiction, there is normally no international transfer of client data attributable to AxiomCausal.
• Data subject rights. AxiomCausal assists the client in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) through documented technical interfaces in the platform.
• Breach notification. Documented incident notification procedures with defined service-level objectives.
• Return and deletion. At the end of the engagement, AxiomCausal assists the client in exporting or securely deleting client data according to the client's instructions.
• Audit rights. The client may audit AxiomCausal's compliance with the DPA through documented procedures, including independent third-party audits where warranted.

3. How to obtain the full DPA

The complete DPA template is provided to qualified prospects after the procurement review process and before signature of the Master Services Agreement. To request an early copy for legal review, contact contact@axiomcausal.com with the subject line "DPA template request" and specify the jurisdiction of the requesting entity.

4. Regulatory alignment

The DPA is designed to satisfy GDPR Article 28 (processor obligations), the Swiss Federal Act on Data Protection Article 9 (processor duties), and the applicable obligations under the European Banking Authority Guidelines on Outsourcing Arrangements where AxiomCausal is deployed in a regulated financial institution. Specific adjustments for sector-specific obligations (e.g., banking secrecy, professional confidentiality) are negotiated at signature.

5. Contact

For any DPA-related question, contact contact@axiomcausal.com.