This Data Processing Agreement ("DPA") supplements and forms part of the principal services agreement between Connexis Group Ltd, company number 17214446 ("Connexis") and its Buyer, Publisher or Affiliate counterparty ("Customer"). It governs the processing of personal data by Connexis on behalf of, or jointly with, the Customer.
1. Definitions
Terms such as "Personal Data", "Processing", "Data Subject", "Controller" and "Processor" have the meanings given to them in the UK GDPR (and where applicable the EU GDPR).
2. Roles of the parties
- For account data (the Customer's users, billing contacts, support communications), Connexis is the Controller.
- For Lead data routed from a Publisher to a Buyer, Connexis and the relevant Buyer are Joint Controllers from the point of delivery, each acting under their respective lawful basis.
- For data processed on the Customer's behalf at the Customer's instruction (e.g. CRM delivery, postback tracking), Connexis acts as a Processor.
3. Subject matter, duration, nature & purpose
- Subject matter: provision of the Connexis routing and AI infrastructure.
- Duration: for the duration of the principal agreement.
- Nature & purpose: matching consumer enquiries to authorised buyers, delivery, billing, payouts, compliance, audit.
- Categories of Data Subjects: end consumers who submitted an enquiry; Customer's authorised users.
- Categories of Personal Data: identifiers (name, email, phone), enquiry context, consent metadata, technical metadata (IP, user-agent, timestamp).
4. Connexis obligations
Connexis shall:
- Process Personal Data only on documented instructions from the Customer (where acting as Processor).
- Ensure personnel processing Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures (see Annex 1).
- Engage sub-processors only with general authorisation (see Annex 2) and provide 14 days' notice of changes.
- Assist the Customer with data-subject-rights requests and DPIAs where reasonable.
- Notify the Customer of any Personal Data Breach without undue delay (within 72 hours of discovery).
- On termination, delete or return Personal Data, subject to legal retention obligations.
- Make available all information necessary to demonstrate compliance, and submit to audits on reasonable notice.
5. International transfers
Personal Data may be transferred outside the UK to sub-processors listed in Annex 2. Such transfers are carried out under (i) UK adequacy regulations, (ii) the UK International Data Transfer Agreement, or (iii) the UK Addendum to the EU Standard Contractual Clauses, as appropriate.
6. Security incident response
- 24/7 monitoring with alerting on anomalous events.
- Incident notification email: legal@connex.is.
- Connexis maintains a written incident response plan, tested at least annually.
7. Liability
Each party's liability under this DPA is subject to the liability provisions of the principal agreement.
Annex 1 — Technical & organisational measures
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control with least-privilege defaults; admin actions audited.
- Two-factor authentication available on every account; required on admin accounts.
- Daily automated backups, encrypted, retained 30 days.
- Continuous vulnerability scanning; quarterly penetration testing.
- Secrets managed via environment isolation; no secrets in source control.
- Network: Cloudflare WAF + DDoS, dedicated VPC, no public database endpoints.
- Personnel: background checks, mandatory security awareness training, formal off-boarding.
Annex 2 — Approved sub-processors
- MongoDB Atlas (database) — EU-West (Ireland).
- Stripe Payments UK Ltd — UK / EU.
- Anthropic, OpenAI, Google (AI inference) — US (UK-IDTA + zero-retention agreements).
- Cloudflare (CDN/WAF) — global edge.
Connexis may engage additional operational sub-processors (e.g. transactional email and SMS providers) to deliver platform notifications. A current full list, including those operational vendors, is available to Customers on request to legal@connex.is.
This DPA is signed on behalf of Connexis Group Ltd by its appointed director, and is deemed accepted by the Customer when they accept the principal Terms of Service applicable to their account role.