Data Processing Addendum
Effective Date: April 23, 2026 | Last Updated: April 23, 2026
This Data Processing Addendum ("DPA") supplements and forms part of the askFinz Commercial Terms of Service between askFinz (an entity under Paul V | Holdings, "Data Processor") and the customer entity ("Data Controller") that has accepted the Commercial Terms. This DPA applies where askFinz processes Personal Data on behalf of the Data Controller in the course of providing the Services. Capitalised terms not defined here have the meaning given in the Commercial Terms.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Data Protection Laws" means the GDPR, UK GDPR, CCPA/CPRA, and any other applicable data protection legislation.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Sub-processor" means any third party engaged by askFinz to process Personal Data on behalf of the Data Controller.
- "Processing" has the meaning given under applicable Data Protection Laws.
2. Roles & Responsibilities
The parties acknowledge that the Data Controller determines the purposes and means of processing Personal Data ("Controller") and askFinz processes Personal Data on behalf of the Controller as a "Processor" within the meaning of applicable Data Protection Laws.
3. Processing Instructions
askFinz shall process Personal Data only on the documented instructions of the Data Controller, as set out in the Commercial Terms and this DPA, unless required to do so by applicable law. askFinz will promptly inform the Data Controller if it believes any instruction infringes applicable Data Protection Laws.
4. Scope of Processing
| Field | Details |
|---|---|
| Subject matter | Provision of the askFinz Services as described in the Commercial Terms |
| Duration | For the duration of the Commercial Terms, plus any applicable retention period |
| Nature of processing | Collection, storage, retrieval, indexing, analysis, and deletion of data |
| Type of Personal Data | As determined by the Data Controller; may include contact details, usage data, and user-generated content |
| Categories of data subjects | Employees, customers, or end users of the Data Controller |
5. Security Measures
askFinz shall implement and maintain appropriate technical and organisational security measures as described in our Security Policy (askfinz.ai/legal/security), including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls, authentication, and role-based permissions.
- Regular vulnerability assessments and penetration testing.
- Incident detection and response procedures.
- Staff training on data protection and security practices.
6. Sub-processors
askFinz may engage sub-processors to support the provision of Services. askFinz shall: (i) enter into written agreements with sub-processors imposing equivalent data-protection obligations; (ii) remain liable to the Data Controller for sub-processor acts or omissions. A current list of sub-processors is available at askfinz.ai/legal/sub-processors and will be updated with 30 days' notice of any changes.
7. Data Breach Notification
In the event of a Personal Data breach, askFinz shall notify the Data Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information to enable the Controller to meet its own notification obligations.
8. Data Subject Rights Assistance
askFinz shall provide reasonable assistance to the Data Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, objection) within applicable timeframes.
9. International Data Transfers
Where Personal Data is transferred outside the European Economic Area or UK, askFinz shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or any successor mechanism.
10. Audits
Upon reasonable prior written notice and no more than once per calendar year (unless a regulatory requirement or incident necessitates otherwise), the Data Controller may audit askFinz's compliance with this DPA, at the Controller's cost, subject to reasonable confidentiality obligations.
11. Return & Deletion of Data
Upon termination of the Commercial Terms, askFinz shall, at the Data Controller's option, return or securely delete all Personal Data processed on behalf of the Controller, unless retention is required by applicable law.
12. Limitation of Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Commercial Terms of Service.
13. Contact
- Data Protection inquiries: privacy@askfinz.ai
- Legal: legal@askfinz.ai