Skip to content
AethosHub
Support
PricingRequest Demo
PricingRequest Demo

Legal documentation

Data Processing Addendum

Version 1.0 · 2 July 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between AethosHub Pvt Ltd and the customer named in that agreement. It applies only where AethosHub processes personal data on the customer's behalf — which, because our products are operated inside the customer's own environment, is limited to support and professional services the customer requests. For a countersigned copy, email privacy@aethoshub.com.
ProductAethosHub
Version1.0
Updated2 July 2026
ContentsBackground & scope1. Definitions2. Roles of the parties3. Processing on instructions4. Confidentiality5. Security measures6. Sub-processors7. Assistance to the customer8. Personal data breach9. Return and deletion10. Audit and demonstration11. International transfers12. Liability and precedence13. TermAnnex 1 — Processing detailsAnnex 2 — Security measures

Background & scope

This DPA is entered into between AethosHub Pvt Ltd (“AethosHub”) and the customer that has executed an agreement with AethosHub for products or services (the “Agreement”), and is incorporated into the Agreement by reference.

AethosHub's products — AgentAccessManager and APIKeyOps — are deployed and operated within infrastructure the customer controls. In the ordinary course, personal data processed by those products does not leave the customer's environment and is not accessible to AethosHub. This DPA therefore governs the exceptional cases in which AethosHub processes customer personal data: principally support, incident assistance, and professional services performed at the customer's request, as described in Annex 1.

1. Definitions

1.1 “Data Protection Laws” means all laws applicable to the processing of personal data under this DPA, including the EU/UK General Data Protection Regulation (“GDPR”) and India's Digital Personal Data Protection Act, 2023 (“DPDP Act”).

1.2 “Customer Personal Data” means personal data contained in the customer's environment or otherwise provided by the customer that AethosHub processes on the customer's behalf in connection with the Agreement.

1.3 “Processing”, “controller”, “processor”, “data subject” and “personal data breach” have the meanings given in the GDPR; “data fiduciary”, “data processor” and “data principal” have the meanings given in the DPDP Act.

2. Roles of the parties

2.1 As between the parties, the customer is the controller (GDPR) and data fiduciary (DPDP Act) of Customer Personal Data, and AethosHub is the processor (GDPR) and data processor (DPDP Act).

2.2 Each party will comply with the Data Protection Laws applicable to it in its respective role. The customer warrants that it has a lawful basis for the processing it instructs and that its instructions will not cause AethosHub to breach Data Protection Laws.

3. Processing on instructions

3.1 AethosHub will process Customer Personal Data only on the customer's documented instructions — as set out in the Agreement, this DPA, a support ticket, or other written instruction — including with regard to international transfers, unless required to do otherwise by law to which AethosHub is subject. In that case AethosHub will inform the customer of the legal requirement before processing, unless the law prohibits doing so.

3.2 AethosHub will immediately inform the customer if, in its opinion, an instruction infringes Data Protection Laws.

3.3 AethosHub will not sell Customer Personal Data, use it for its own purposes (including product analytics, marketing, or the training of machine-learning models), or disclose it except as this DPA permits.

4. Confidentiality

AethosHub will ensure that every person it authorises to process Customer Personal Data is bound by a contractual or statutory duty of confidentiality, and that access is limited to the personnel who need it to perform the services, for as long as they need it.

5. Security measures

AethosHub will implement and maintain the technical and organisational measures described in Annex 2, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, so as to ensure a level of security appropriate to the risk (GDPR Art. 32; DPDP Act s. 8(5)). AethosHub may update those measures from time to time, provided the level of protection is not materially reduced.

6. Sub-processors

6.1 AethosHub does not currently engage any sub-processor to process Customer Personal Data.

6.2 If AethosHub proposes to engage one, it will give the customer at least 30 days' prior written notice, during which the customer may object on reasonable data-protection grounds. AethosHub will not proceed over an unresolved objection; if no alternative is workable, either party may terminate the affected services.

6.3 Any sub-processor engaged will be bound by written terms no less protective than this DPA, and AethosHub remains fully liable to the customer for the sub-processor's performance.

7. Assistance to the customer

Taking into account the nature of the processing, AethosHub will assist the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer's obligations to: respond to requests from data subjects and data principals exercising their rights; ensure security of processing; notify personal data breaches to authorities and affected individuals; and carry out data protection impact assessments and prior consultations (GDPR Arts. 32–36). AethosHub will promptly forward to the customer any rights request it receives directly and will not respond to it except on the customer's instruction.

8. Personal data breach

AethosHub will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event within 48 hours of becoming aware. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. AethosHub will cooperate with the customer and take reasonable steps to mitigate the effects of the breach. Notification is not an admission of fault.

9. Return and deletion

Because processing ordinarily occurs inside the customer's environment, Customer Personal Data generally remains in the customer's possession throughout. Where AethosHub holds any copy — for example diagnostic data shared in a support ticket — it will, at the customer's choice, return or securely delete it at the end of the engagement or within 30 days of a request, and delete remaining copies, unless a law to which AethosHub is subject requires longer storage. On request, AethosHub will confirm deletion in writing.

10. Audit and demonstration

AethosHub will make available to the customer the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the customer or an auditor the customer mandates. Audits require 30 days' written notice, occur no more than once per twelve-month period (except following a personal data breach or where a supervisory authority requires one), take place during business hours, and must not unreasonably disrupt AethosHub's operations. The customer bears its own audit costs.

11. International transfers

AethosHub will not transfer Customer Personal Data across borders except on the customer's documented instructions and with safeguards required by Data Protection Laws: for transfers subject to the GDPR, an adequacy decision or the European Commission's Standard Contractual Clauses (which the parties will execute where required, and which are incorporated by reference where the transfer so requires); for transfers subject to the DPDP Act, in accordance with the transfer restrictions notified by the Government of India.

12. Liability and precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. If there is a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails. If there is a conflict between this DPA and the Standard Contractual Clauses where executed, the Standard Contractual Clauses prevail.

13. Term

This DPA takes effect on the effective date of the Agreement and remains in force for as long as AethosHub processes Customer Personal Data, notwithstanding expiry or termination of the Agreement.

Annex 1 — Details of processing
  • Subject matter: support, incident assistance, and professional services for AgentAccessManager and APIKeyOps performed at the customer's request.
  • Duration: the term of the Agreement, or the duration of the specific engagement if shorter.
  • Nature and purpose: accessing, viewing, and where instructed modifying data within the customer's environment solely to diagnose and resolve issues or deliver the contracted services.
  • Categories of data subjects: the customer's employees, contractors, and end users whose data appears in the customer's deployment.
  • Categories of personal data: business contact details (names, work emails), user identifiers and roles, API usage and audit records, and any personal data the customer includes in support materials. The customer agrees not to share special-category (GDPR Art. 9) data in support channels; the products do not require it.
  • Special categories: none intended or required.
Annex 2 — Technical and organisational security measures
  • Encryption: personal data in transit is protected with TLS; credentials and secrets at rest in AethosHub products are encrypted with AES-256-GCM.
  • Access control: access to customer environments and support materials is granted per engagement on a least-privilege basis, uses individual named accounts, and is revoked when the engagement ends.
  • Auditability: administrative access within AethosHub products is logged; support access is traceable to the individual engineer and the instructing ticket.
  • Personnel: personnel with access are bound by confidentiality obligations and receive data-protection instruction appropriate to their role.
  • Data minimisation: engineers request the minimum data needed to reproduce an issue; customers are asked to redact personal data from logs and screenshots where it is not needed.
  • Incident response: a defined process for identifying, containing, and notifying security incidents, supporting the notification commitment in clause 8.
  • Resilience: systems holding any customer-shared material are backed up, with access to backups restricted in the same way as production access.

Questions about this DPA, requests for a countersigned copy, or requests to execute Standard Contractual Clauses: privacy@aethoshub.com. See also our privacy notice.

AethosHub

AethosHub builds enterprise AI control infrastructure across API key governance, provider routing, virtual access, audit, and guardrails.

CompanyCompany informationSecurityPricingGet a quoteRequest a demo
ProductsAgent Access ManagerAPIKeyOps30-day evaluation
ServicesImplementationSupport requestSupport SLADocumentation
LegalPrivacy NoticeData Processing AddendumWebsite TermsPaid Software AgreementEvaluation Agreement
Social
© 2026 AethosHub Pvt LtdPrivacy · Terms