AXL Data Processing Addendum

Effective date: 5 May 2026
Last updated: 5 May 2026
Version: 1.0

This Data Processing Addendum (the "DPA") is incorporated into the AXL End-User License Agreement available at https://admin.accelonline.io/docs/terms/en (the "Principal Agreement") and applies whenever AXL EdTech Booster LLC ("AXL") Processes Personal Data on behalf of a customer in connection with the AXL educational SaaS platform.

This DPA automatically applies to every customer of the Services who is established in, or whose use of the Services involves Personal Data of Data Subjects located in, the European Economic Area, the United Kingdom or any other jurisdiction whose data-protection law requires a written agreement between a controller and a processor.

By accepting the Principal Agreement, or by accessing or using the Services, you (the "Customer") accept the terms of this DPA. No additional signature is required for this DPA to take effect.

If you require a counter-signed copy of this DPA on a separate executable form, contact privacy@axl.tech.


Quick reference

| Topic | Where in this DPA |
| --- | --- |
| Roles of the Parties (Customer = Controller; AXL = Processor) | Section 2 |
| Customer warranties and lawful basis | Section 2.4 |
| Processing of minors' data | Section 2.5 |
| AXL's processing instructions | Section 3 |
| Confidentiality | Section 4 |
| Security measures | Section 5; Annex II |
| Sub-Processors | Section 6; Annex III |
| International transfers (EU SCCs Module Two, UK Addendum) | Section 7; Annex IV |
| Data Subject rights | Section 8 |
| Personal Data Breach (72-hour notification) | Section 9 |
| DPIA assistance | Section 10 |
| Audit rights | Section 11 |
| Deletion / return of data | Section 12 |
| Liability cap | Section 13 |
| Governing law (Republic of Ireland) | Section 16 |
| Notices and EU Representative (Prighter) | Section 17 |

Hosting and data residency

  • Customer Data is hosted in Amazon Web Services data centres in Frankfurt, Germany (eu-central-1) within the European Economic Area.
  • Backups are retained in the same AWS region.
  • Operational and support access by AXL personnel is restricted to the United States, the United Kingdom and Canada.

Contact


DATA PROCESSING ADDENDUM

This Data Processing Addendum (the "DPA") forms part of, and is incorporated into, the End-User License Agreement available at https://admin.accelonline.io/docs/terms/en (or any other written or electronic agreement governing access to and use of the Services) (the "Principal Agreement") between:

  • AXL EdTech Booster LLC, a limited liability company organised under the laws of the State of Delaware, United States of America, with its registered office at 16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex (the "Processor", "AXL", "we" or "us"); and
  • the legal entity identified as the customer in the Principal Agreement (the "Controller", "Customer" or "you").

(each a "Party" and together the "Parties").

This DPA reflects the Parties' agreement on the Processing of Personal Data in accordance with Applicable Data Protection Laws.

This DPA enters into force on the date the Customer accepts the Principal Agreement, on the date Customer first accesses or uses the Services, or on the date this DPA is otherwise accepted, whichever is earliest.


1. Definitions

1.1 Capitalised terms used but not defined in this DPA have the meanings given in the Principal Agreement or in Applicable Data Protection Laws.

1.2 In this DPA:

"Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to a Party in its role under this DPA, including, where applicable: (i) Regulation (EU) 2016/679 ("GDPR"); (ii) the United Kingdom General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (iii) the Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPDGDD"); and (iv) any other equivalent data protection law applicable to the Parties.

"Customer Data" means any Personal Data that AXL Processes on behalf of Customer in connection with the Services.

"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

"Personal Data Breach", "Personal Data", "Data Subject", "Process" / "Processing", "Controller", "Processor", "Sub-Processor" and "Supervisory Authority" have the meanings given in GDPR.

"Services" means the AXL educational SaaS platform and related services as described in the Principal Agreement.

"Sub-Processor" means any third party engaged by AXL to Process Customer Data on AXL's behalf.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

2. Scope and Roles of the Parties

2.1 With respect to the Processing of Customer Data under this DPA, the Parties agree that Customer is the Controller and AXL is the Processor.

2.2 Where Customer is itself a Processor for an underlying Controller (for example, where Customer's own end-customers are the Controllers of certain data uploaded to the Services), Customer warrants that it has all required authorisations and instructions from such underlying Controllers to enter into this DPA on their behalf and to permit AXL to act as a Sub-Processor.

2.3 Customer is solely responsible for the lawfulness of its use of the Services, including establishing a valid legal basis for Processing, providing the notices required under Applicable Data Protection Laws to Data Subjects, obtaining any required consents, and configuring the Services lawfully (including the configuration and use of integrations, marketing tools, recordings, tracking, telephony, and any other features that affect Data Subjects).

2.4 Customer warranties. Customer represents and warrants that, with respect to all Customer Data submitted to the Services:

(a) Customer has all rights and authorisations necessary to Process the Customer Data and to instruct AXL to Process the Customer Data on Customer's behalf;

(b) Customer has provided all notices required by Applicable Data Protection Laws to its Data Subjects, including notices regarding international transfers, sub-processing and the use of integrations;

(c) Customer has obtained all consents required by Applicable Data Protection Laws, including, where applicable, consent for marketing communications, cookies, web analytics, conversion tracking, recordings, telephony, and the use of third-party messaging or social-network channels;

(d) Customer has implemented appropriate measures to ensure that Customer Data is accurate and is minimised to what is necessary for the purposes for which it is Processed; and

(e) Customer's instructions to AXL comply with Applicable Data Protection Laws.

2.5 Processing of minors' data. The Services are not specifically designed for the collection of Personal Data from minors. If Customer Processes Personal Data relating to minors through the Services, Customer represents and warrants that:

(a) Customer has identified the relevant age of digital consent under the laws of the Data Subjects' jurisdiction (which, for example, is fourteen (14) years under Spanish LOPDGDD and sixteen (16) years under default GDPR rules, but varies between EU Member States);

(b) where required by such laws, Customer has obtained verified consent from the holder of parental responsibility for any Data Subject below the relevant age threshold; and

(c) Customer maintains appropriate records of such consent and will provide them to AXL or to a Supervisory Authority on request.

Customer agrees to indemnify AXL against any third-party claims, fines or penalties arising from Customer's failure to comply with this Section 2.5.

2.6 Special-category and high-risk data. Customer must not submit Personal Data falling within Articles 9 or 10 GDPR (special-category or criminal-conviction data) through the Services unless Customer has notified AXL in writing in advance and the Parties have agreed any additional measures required.

3. Details of Processing

3.1 The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, the categories of Data Subjects, and the Processor's obligations and rights are set out in Annex I (Description of Processing) and Annex II (Technical and Organisational Measures).

3.2 Customer hereby instructs AXL to Process Customer Data:

(a) to provide, secure, maintain, support, monitor and improve the Services in accordance with the Principal Agreement, this DPA, and Customer's lawful and documented use of the Services through the platform interface, configuration settings, integrations and APIs;

(b) to comply with applicable law or binding requests of public authorities; and

(c) as further documented and agreed by the Parties in writing.

3.3 AXL will Process Customer Data only on the documented instructions referred to in Section 3.2, including with regard to transfers of Customer Data to a third country or an international organisation, unless required to do so by Union or Member State law to which AXL is subject. In such a case, AXL will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.4 If, in AXL's opinion, an instruction infringes Applicable Data Protection Laws, AXL will promptly inform Customer. AXL is not obliged to make a legal assessment of Customer's instructions and may suspend Processing of the affected Customer Data until the matter is resolved.

4. Confidentiality

4.1 AXL will ensure that any person authorised to Process Customer Data is subject to a contractual or statutory obligation of confidentiality.

4.2 AXL will limit access to Customer Data to those of its personnel and contractors who require such access to perform AXL's obligations under the Principal Agreement and this DPA, on a need-to-know basis. As of the date of this DPA, such authorised personnel and contractors are located in the United States of America, the United Kingdom and Canada.

5. Security

5.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, AXL will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk. The measures applied as of the effective date of this DPA are described in Annex II.

5.2 AXL may update the measures from time to time in line with industry best practice, provided that any update does not materially diminish the overall level of protection of Customer Data.

6. Sub-Processors

6.1 Customer grants AXL general written authorisation to engage Sub-Processors for the Processing of Customer Data, subject to the requirements of this Section 6.

6.2 The Sub-Processors authorised as of the effective date of this DPA are listed in Annex III (Authorised Sub-Processors). The current list is also published at https://admin.accelonline.io/docs/subprocessors/en and is updated from time to time in accordance with this Section 6.

6.3 AXL will:

(a) enter into a written agreement with each Sub-Processor imposing data-protection obligations no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor; and

(b) remain liable to Customer for the performance of each Sub-Processor's obligations relating to Customer Data, to the extent required by Applicable Data Protection Laws.

6.4 AXL will give Customer at least thirty (30) days' prior notice of the addition or replacement of a Sub-Processor, by updating the list at https://admin.accelonline.io/docs/subprocessors/en and by sending an email notification to Customer's notice contact, where Customer has subscribed to such updates.

6.5 Customer may, on reasonable data-protection grounds, object to a new Sub-Processor in writing within fifteen (15) days of the notice referred to in Section 6.4. The Parties will discuss Customer's concerns in good faith. If the Parties cannot agree on a resolution, Customer's sole remedy is to terminate the affected portion of the Services in accordance with the Principal Agreement; in that case, AXL will refund any pre-paid fees corresponding to the unused, terminated portion of the Services.

7. International Transfers

7.1 As of the date of this DPA, Customer Data is hosted by AXL in Amazon Web Services data centres located in Frankfurt, Germany (eu-central-1) within the European Economic Area ("EEA"). Backups of Customer Data are retained in the same AWS region.

7.2 Operational and support access to systems containing Customer Data is restricted to authorised AXL personnel and contractors located in the United States of America, the United Kingdom and Canada. Such access constitutes a transfer of Customer Data to a third country within the meaning of Chapter V GDPR.

7.3 The United Kingdom and Canada hold adequacy decisions issued by the European Commission. With respect to such transfers, no further transfer mechanism is required.

7.4 With respect to transfers to AXL personnel, contractors and Sub-Processors located in the United States or any other country which has not received an adequacy decision, the Parties agree that:

(a) the EU SCCs, Module Two (Controller to Processor), are hereby incorporated by reference and form an integral part of this DPA;

(b) Clause 7 (Docking Clause) is included;

(c) under Clause 9, Option 2 (general written authorisation) applies, with thirty (30) days' notice for Sub-Processor changes;

(d) the optional language in Clause 11(a) is not included;

(e) under Clause 17, the EU SCCs are governed by the law of the Republic of Ireland;

(f) under Clause 18(b), the courts of the Republic of Ireland are designated as the competent forum;

(g) Annex I.A (List of Parties), Annex I.B (Description of Transfer) and Annex I.C (Competent Supervisory Authority) of the EU SCCs are completed by reference to Annex I of this DPA;

(h) Annex II of the EU SCCs (Technical and Organisational Measures) is completed by reference to Annex II of this DPA;

(i) Annex III of the EU SCCs (List of Sub-Processors) is completed by reference to Annex III of this DPA.

7.5 To the extent that AXL Processes Customer Data subject to UK GDPR, the UK Addendum is hereby incorporated by reference, with the EU SCCs as the underlying clauses and with Tables 1 to 4 of the UK Addendum completed by reference to the relevant sections of this DPA. Either Party may end the UK Addendum as set out in Section 19 thereof.

7.6 If the European Commission, the UK Government, or a relevant Supervisory Authority subsequently issues an adequacy decision, a successor mechanism, or revised standard contractual clauses, the Parties will, in good faith, replace the transfer mechanism applied under this DPA with such adequacy decision or successor instrument.

7.7 In the event of a conflict between this DPA and the EU SCCs or the UK Addendum, the EU SCCs or the UK Addendum (as applicable) prevail with respect to the matters covered by them.

7.8 AXL has implemented supplementary measures, both technical and organisational, intended to ensure a level of protection of Customer Data essentially equivalent to that guaranteed within the EEA, taking into account the assessment described in the Transfer Impact Assessment set out in Annex IV.

8. Data Subject Rights

8.1 Taking into account the nature of the Processing, AXL will provide reasonable assistance to Customer, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction of processing, data portability, objection and the right not to be subject to automated decision-making).

8.2 If AXL receives a request from a Data Subject in respect of Customer Data, AXL will, without undue delay, inform Customer of the request and will not respond to the request directly other than to advise the Data Subject to address the request to Customer, unless legally prohibited from doing so.

8.3 The Services include features that enable Customer to access, correct, export and delete Customer Data. Customer is responsible for using these features to respond to Data Subject requests. To the extent that Customer cannot reasonably address a request through the available features, AXL will, at Customer's reasonable written request, provide additional commercially reasonable assistance.

9. Personal Data Breach

9.1 AXL will notify Customer of a confirmed Personal Data Breach affecting Customer Data without undue delay and in any event within seventy-two (72) hours after AXL becomes aware of such Personal Data Breach.

9.2 The notification will include, to the extent then known and reasonably available to AXL:

(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) the name and contact details of AXL's incident contact;

(c) a description of the likely consequences of the Personal Data Breach; and

(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 AXL will provide further information to Customer in phases as it becomes available. AXL's notification of, or response to, a Personal Data Breach under this Section 9 will not be construed as an acknowledgement by AXL of any fault or liability with respect to the Personal Data Breach.

10. Data Protection Impact Assessments and Prior Consultation

10.1 Taking into account the nature of the Processing and the information available to AXL, AXL will provide reasonable assistance to Customer in connection with Customer's data-protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by Applicable Data Protection Laws.

10.2 AXL may charge Customer reasonable fees for assistance under this Section 10 to the extent it goes beyond what AXL is required to provide under Applicable Data Protection Laws.

11. Audit

11.1 AXL will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.

11.2 AXL will satisfy Customer's audit rights primarily through the provision of:

(a) the description of technical and organisational measures set out in Annex II;

(b) AXL's most recent internal security review summary, where available;

(c) summaries of vulnerability assessments and remediation status; and

(d) responses to reasonable security questionnaires, subject to a confidentiality undertaking.

11.3 If, in Customer's reasonable judgment, the materials referred to in Section 11.2 are insufficient to demonstrate compliance, Customer may, no more than once per twelve (12) month period (except where required by a Supervisory Authority or following a confirmed Personal Data Breach affecting Customer Data), upon at least thirty (30) days' prior written notice, conduct or have conducted on its behalf an audit of AXL's relevant Processing activities, subject to the following conditions:

(a) the audit must be conducted by Customer or by a mutually agreed independent third-party auditor that is not a competitor of AXL;

(b) the auditor must enter into a confidentiality agreement reasonably acceptable to AXL;

(c) the audit must be conducted during normal business hours and must not unreasonably interfere with AXL's business operations;

(d) the audit must not include access to (i) data of any other AXL customer, (ii) AXL source code, or (iii) information of any other AXL customer, employee or contractor that is not strictly necessary for the audit;

(e) Customer will bear its own costs and AXL's reasonable costs of cooperating with the audit, unless the audit reveals material non-compliance by AXL with this DPA, in which case AXL will bear its own costs.

12. Deletion or Return of Customer Data

12.1 Upon termination or expiry of the Principal Agreement, or earlier upon Customer's written request, AXL will, at Customer's choice, delete or return all Customer Data and delete existing copies, unless applicable law requires storage of the Customer Data.

12.2 Prior to termination or expiry, Customer may export Customer Data through the data-export features made available in the Services.

12.3 AXL will:

(a) delete operational copies of Customer Data within thirty (30) days of termination or expiry;

(b) delete or overwrite backup copies through the ordinary backup-rotation process, with full deletion within ninety (90) days of termination or expiry; and

(c) delete logs and security telemetry containing Customer Data within twelve (12) months, except where a longer period is required for security, abuse-prevention or legal compliance.

12.4 AXL may retain Customer Data to the extent and for the period required by applicable law (including for tax, accounting and dispute-resolution purposes), provided that such retained data remains subject to the protections of this DPA and is Processed only as necessary for compliance with such legal requirements.

12.5 On Customer's written request, AXL will provide written confirmation that it has complied with this Section 12.

13. Liability

13.1 Notwithstanding any limitation of liability set out in the Principal Agreement, each Party's aggregate liability arising out of or in connection with breaches of this DPA (including breaches arising from infringements of Applicable Data Protection Laws by such Party in its role under this DPA) is limited to an amount equal to the total fees paid or payable by Customer to AXL under the Principal Agreement during the twelve (12) months preceding the event giving rise to the liability.

13.2 The limitation in Section 13.1 does not apply to:

(a) liability that cannot be excluded or limited under Applicable Data Protection Laws, including the rights of Data Subjects under the EU SCCs and Article 82 GDPR;

(b) a Party's wilful misconduct or gross negligence;

(c) breaches of confidentiality;

(d) infringement of the other Party's intellectual property rights; or

(e) a Party's indemnification obligations under the Principal Agreement.

13.3 Each Party acknowledges that the limitation in Section 13.1 is separate from, and supersedes for the purpose of breaches of this DPA, any aggregate liability cap set out in the Principal Agreement that would otherwise apply at a lower amount. Where the Principal Agreement provides for a higher aggregate liability cap, that higher cap applies.

13.4 In no event will either Party be liable for indirect, incidental, special, consequential or punitive damages, or for loss of profits, revenue, business, goodwill or anticipated savings, except to the extent such limitation is not permitted by Applicable Data Protection Laws.

14. Term and Termination

14.1 This DPA enters into force on the effective date of the Principal Agreement (or, if later, the date of acceptance of this DPA) and remains in force as long as AXL Processes Customer Data on behalf of Customer.

14.2 Provisions which by their nature should survive termination (including Sections 9, 11, 12, 13, 16 and this Section 14.2) survive termination of this DPA.

15. Order of Precedence

In the event of any conflict among (i) the EU SCCs or UK Addendum, (ii) this DPA, and (iii) the Principal Agreement: the EU SCCs and UK Addendum prevail with respect to the matters covered by them; this DPA prevails with respect to all other data-protection matters; and in all other respects the Principal Agreement applies.

16. Governing Law and Jurisdiction

16.1 Without prejudice to Section 7.4(e) and Section 16.2, this DPA is governed by, and will be construed in accordance with, the law of the Republic of Ireland. The courts of the Republic of Ireland have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

16.2 Where Applicable Data Protection Laws require disputes between the Parties or with Data Subjects to be heard before a different court or to be governed by a different law, that requirement prevails.

17. Notices

17.1 Notices to Customer will be given to the address or email specified in the Principal Agreement or registered in Customer's AXL account.

17.2 Notices to AXL will be given to:

17.3 EU Representative pursuant to Article 27 GDPR. AXL has appointed Prighter Group as its representative in the European Union pursuant to Article 27 GDPR. Data Subjects and Supervisory Authorities may contact the EU Representative at:

Prighter Group
Schellinggasse 3/10
1010 Vienna, Austria
Online contact: https://app.prighter.com/portal/18576877104

18. General

18.1 This DPA, together with the Principal Agreement and the Annexes referred to herein, constitutes the entire agreement of the Parties with respect to its subject matter.

18.2 No variation of this DPA is effective unless in writing and signed by both Parties, or unless AXL publishes an updated version of this DPA at https://admin.accelonline.io/docs/dpa/en in accordance with the change-management provisions of the Principal Agreement.

18.3 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

18.4 Neither Party may assign this DPA without the other Party's prior written consent, except that AXL may assign this DPA to an affiliate or in connection with a merger, acquisition, corporate reorganisation or sale of all or substantially all of its assets.


Annex I — Description of Processing

A. List of Parties

Data Exporter (Controller) — Customer

For purposes of this Annex I.A, Customer's identification details — including legal name, registered address and primary administrator contact — are those provided by Customer at registration in its AXL account, as may be updated by Customer from time to time. Customer may provide alternative or additional details (including a Data Protection Officer contact, where appointed) by emailing privacy@axl.tech, and such details will be treated as part of this Annex I.A.

Role: Controller
Activities relevant to the data transferred: Use of the AXL educational SaaS platform for managing students, courses, content, marketing, payments, communications and analytics.

Data Importer (Processor) — AXL

Name: AXL EdTech Booster LLC
Address: 16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex, USA
Contact: Privacy Lead, AXL EdTech Booster LLC
Email: privacy@axl.tech
Activities relevant to the data transferred: Provision of the AXL educational SaaS platform and related services to Customer, on Customer's documented instructions.
Role: Processor

EU Representative of Data Importer (Article 27 GDPR)

Name: Prighter Group
Address: Schellinggasse 3/10, 1010 Vienna, Austria
Online contact: https://app.prighter.com/portal/18576877104

B. Description of Transfer

Hosting location

Customer Data is hosted in Amazon Web Services data centres in Frankfurt, Germany (eu-central-1), within the European Economic Area. Backups of Customer Data are retained in the same AWS region.

Operational access from third countries

Operational and support access by AXL personnel and contractors is permitted only from the United States of America, the United Kingdom and Canada. The United Kingdom and Canada hold European Commission adequacy decisions.

Categories of Data Subjects whose personal data is transferred

The Personal Data transferred concerns the following categories of Data Subjects:

  • Customer's administrators, managers, staff, instructors, support users and account owners;
  • students, learners, course participants, webinar attendees, community members, forum users and chat users;
  • leads, prospective students, site visitors, form respondents, quiz respondents, subscribers, purchasers, payers and recipients of Customer communications;
  • partners, affiliates, responsible managers and sales-pipeline participants;
  • end-users of social networks, messengers, chat channels and telephony channels, where Customer enables such integrations;
  • individuals appearing in user-uploaded files, images, documents, videos, audio, recordings, task submissions, comments, messages or support materials.

Categories of Personal Data transferred

Depending on Customer's configuration and use of the Services, the following categories of Personal Data may be transferred:

  • Identity and contact data: name, email address, phone number, language, country, region, city, time zone, IP address, avatar, and (where collected) gender and date of birth;
  • Account and authentication data: password hashes, access/refresh/session tokens, reset and confirmation tokens, invitation tokens, last-seen and last-activity timestamps, session records, web-push tokens;
  • Educational data: course access, lesson progress, task and quiz answers, comments, ratings, certificates, group/role/tag assignments, student licenses and subscriptions, achievements and gamification balances;
  • CRM and marketing data: leads, pipeline fields, tags, segmentation, broadcast metadata, email opens and clicks, unsubscribe and suppression status, UTM parameters, attribution data;
  • Payment and order data: purchase orders, payment status, amounts, currency, fees, discounts, promo codes, payment-gateway references, billing and shipping data, custom checkout fields. Payment-card data is processed by the relevant payment Sub-Processor and is not stored by AXL except as gateway tokens or references where required;
  • Communication data: email templates and content, chat conversations, message templates, messenger webhook payloads, SMS/phone-verification events, call sessions and metadata (where applicable);
  • File and media data: Customer-uploaded files, task and completion files, product/course/library files, images, documents, video and audio files, including derived metadata;
  • Analytics and technical data: site sessions, page views, form submissions, video and webinar analytics, conversion events, device- and browser-derived technical data, application logs, error and performance telemetry;
  • Integration credentials: Customer-provided keys, tokens and configuration values for integrations, stored encrypted at the application layer;
  • Support and administrative data: audit and history events, change history, import/export sessions, operational logs and support interactions.

Sensitive data transferred (if applicable)

The Services are not intended to Process special categories of personal data within the meaning of Article 9 GDPR or data relating to criminal convictions and offences within the meaning of Article 10 GDPR.

Customer must not submit such data unless: (i) Customer has a valid legal basis for doing so; (ii) Customer has notified AXL in writing in advance; and (iii) the Parties have agreed any additional measures required.

Customer acknowledges that, depending on its configuration and use of the Services, content uploaded by Customer or its end-users (for example, in user-uploaded files, video, audio, support tickets or chat content) may incidentally contain elements of special-category data. Customer is responsible for the lawful Processing of such content.

Frequency of the transfer

Continuous, for the duration of the Principal Agreement.

Nature of the Processing

Hosted SaaS provision: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction of Personal Data, as required to provide the Services in accordance with Customer's documented instructions.

Purpose(s) of the data transfer and further processing

Provision of the AXL educational SaaS platform and related services, including:

  • tenant administration and customer support;
  • LMS / student portal, course delivery, progress tracking and certificates;
  • public sites, landing pages, forms, quizzes, checkout flows and widgets;
  • webinars and webinar-related features;
  • chat, chatbot, messenger, social-network, SMS and telephony integrations (where Customer enables them);
  • transactional and marketing email;
  • file storage, media processing, video hosting and CDN delivery;
  • automations, scenarios, imports/exports, scheduled tasks and background processing;
  • analytics, dashboards, conversion tracking and video/webinar statistics;
  • authentication, authorisation, tenant isolation, logging, monitoring, security, abuse prevention and fraud prevention.

Period for which the personal data will be retained

For the duration of the Principal Agreement and as further set out in Section 12 of the DPA. In summary:

  • operational copies: deleted within thirty (30) days of termination or expiry;
  • backup copies: deleted or overwritten within ninety (90) days of termination or expiry;
  • security logs and telemetry: up to twelve (12) months, except as required by law;
  • aggregated/anonymised data: may be retained without time limit;
  • financial and tax records: retained as required by applicable law.

For transfers to (Sub-)Processors, also specify subject matter, nature and duration of the processing

See Annex III for the list of Sub-Processors and the relevant subject matter, nature and duration of their Processing.

C. Competent Supervisory Authority

Where the Data Exporter is established in Spain, the competent Supervisory Authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos, "AEPD"), c/ Jorge Juan, 6, 28001 Madrid, Spain (https://www.aepd.es).

For Data Exporters established in other EU/EEA Member States, the competent Supervisory Authority is the lead Supervisory Authority of the Data Exporter, as determined under Articles 51–55 GDPR.

For Data Exporters not established in the EU/EEA but whose Processing falls within the territorial scope of GDPR pursuant to Article 3(2), the competent Supervisory Authority is the Supervisory Authority of the Member State in which the EU Representative is established (in AXL's case: the Austrian Data Protection Authority — Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria, https://www.dsb.gv.at).


Annex II — Technical and Organisational Measures

This Annex describes the technical and organisational measures implemented by AXL to ensure the security of Customer Data, in accordance with Article 32 GDPR. AXL may update these measures from time to time, provided that any such update does not materially diminish the overall level of protection of Customer Data.

1. Governance and policies

  • AXL maintains an information-security programme aligned with industry-recognised practices, including elements of the ISO 27001 control framework and the CIS Critical Security Controls.
  • Information-security policies are documented, approved by management, communicated to personnel and reviewed at least annually.
  • All personnel and contractors with access to Customer Data are subject to written confidentiality obligations and complete data-protection and security awareness training on engagement, with refresher training delivered at least annually.
  • A privacy and security lead is designated as the central point of contact for data-protection and security matters.

2. Tenant isolation and access architecture

  • The platform is multi-tenant. Each customer (school) is identified by a tenant identifier (SchoolId).
  • Tenant-aware data-access layers automatically attribute records to the relevant tenant on creation and filter reads by the current tenant context across the platform's relational and analytical data stores.
  • Cross-tenant access is restricted to AXL personnel acting in their authorised support, security or operations capacity, on a need-to-know basis and subject to logging.

3. Identity and access management

  • Access to administrative and student-facing applications is authenticated using JWT-based tokens, with short-lived access tokens and refresh-token rotation.
  • Administrative permissions follow a role- and policy-based access-control model.
  • Internal access by AXL personnel and contractors to production environments is restricted to authorised individuals on a need-to-know basis and is geographically restricted to the United States of America, the United Kingdom and Canada.
  • Multi-factor authentication is enforced for all AXL personnel accessing production systems containing Customer Data, using either a hardware security key (e.g., FIDO2/WebAuthn) or single sign-on combined with an additional authentication factor.
  • Access rights are reviewed on a periodic basis and revoked promptly upon role change or termination.

4. Encryption and key management

  • Personal Data in transit between Customer (or its end-users) and the Services is encrypted using TLS 1.2 or higher.
  • Personal Data at rest in the platform's primary data stores is encrypted using AWS-managed encryption with AWS Key Management Service ("AWS KMS"), specifically:
      • Amazon RDS for PostgreSQL — encryption at rest enabled with AWS KMS;
      • Amazon S3 — server-side encryption (SSE) with AWS KMS;
      • Amazon ElastiCache for Redis — encryption at rest and in transit enabled;
      • ClickHouse on Amazon EC2 — encrypted EBS volumes managed via AWS KMS;
      • Amazon RDS automated backups and snapshots — encrypted at rest with AWS KMS.
  • Customer-supplied integration credentials (e.g., payment-gateway keys, messenger tokens) are stored encrypted at the application layer using a dedicated encryption key.
  • Passwords are stored as salted hashes using a modern password-hashing algorithm. Plaintext passwords are not stored.
  • Cryptographic keys are managed using AWS KMS. Key rotation is performed in accordance with AWS-recommended defaults.

5. Network and infrastructure security

  • Backend services are containerised and deployed on Amazon Elastic Container Service ("Amazon ECS") in the AWS region eu-central-1 (Frankfurt, Germany).
  • Public ingress is fronted by managed load balancers and a content-delivery network (Amazon CloudFront).
  • Network access between application tiers is restricted using AWS security groups and private subnets within an Amazon VPC. Production data stores (PostgreSQL, Redis, ClickHouse) are not directly exposed to the public internet.
  • Static assets and customer-uploaded media are served from Amazon S3 (eu-central-1) and delivered through Amazon CloudFront.
  • Asynchronous processing is performed using Amazon Simple Queue Service ("Amazon SQS") and Redis for caching, sessions and pub/sub.
  • Operational data is stored in:
      • Amazon RDS for PostgreSQL (relational, primary operational database);
      • Amazon ElastiCache for Redis (in-memory cache, sessions and queues);
      • ClickHouse on Amazon EC2 (analytical and reporting data).

6. Logging, monitoring and incident response

  • Application and infrastructure logs are collected, retained and monitored using Amazon CloudWatch Logs and structured logging (Serilog).
  • Application performance and error monitoring is provided by New Relic.
  • Security-relevant events (authentication failures, privilege changes, configuration changes, infrastructure changes) are logged.
  • AXL maintains a documented incident-response procedure. Incidents are triaged, escalated and tracked through to remediation. Personal Data Breaches are managed in accordance with Section 9 of the DPA.

7. Availability, resilience and backup

  • Backend services are designed for horizontal scalability. Real-time services (chat, webinars) use sticky sessions where required.
  • Background processing is performed asynchronously through Amazon SQS, allowing the primary user-facing path to remain responsive under load.
  • Amazon RDS automated backups are retained for ninety (90) days within the AWS region eu-central-1. Backups are encrypted at rest with AWS KMS.
  • AXL operates with commercially reasonable recovery objectives consistent with the nature of a SaaS platform of this type, and maintains documented recovery procedures.
  • Recovery procedures are tested on a periodic basis.

8. Data lifecycle management

  • The platform uses logical (soft) deletion as the default for most operational entities, followed by background cleanup processes that perform physical deletion after a configured retention window.
  • Video assets that have been deleted from the platform are removed from the underlying video-hosting Sub-Processor (Kinescope) within thirty (30) days of soft-deletion, where the Kinescope integration is enabled.
  • Aggregated and analytical data may be retained for longer periods in the analytical data store, subject to anonymisation or pseudonymisation where appropriate.
  • On termination or expiry of the Principal Agreement, Customer Data is deleted in accordance with Section 12 of the DPA.

9. Secure development and change management

  • AXL follows a structured software-development lifecycle with version control, code review and automated build/deploy pipelines.
  • Production deployments use container images stored in Amazon Elastic Container Registry ("Amazon ECR") and deployed to Amazon ECS. Frontend deployments use build pipelines with CDN cache invalidation.
  • Source code, configuration and secrets are managed through controlled repositories. The introduction of plaintext secrets into source-controlled files is prohibited by policy.
  • Dependencies are reviewed and updated; vulnerability scanning is performed on container images and dependencies.
  • Pre-production environments are used for testing material changes prior to production deployment.

10. Supplier management

  • Sub-Processors are evaluated for security and data-protection capability prior to engagement.
  • Contractual data-protection obligations are imposed on Sub-Processors as required by Section 6 of the DPA.
  • The list of authorised Sub-Processors is maintained and updated in Annex III and at https://admin.accelonline.io/docs/subprocessors/en.

11. Physical security

  • Data centres used by AWS and other infrastructure Sub-Processors are operated by the relevant providers and certified to recognised standards (e.g., ISO 27001, SOC 2). AXL relies on the providers' physical-security controls and does not itself operate data centres housing Customer Data.

12. Audit and assurance

  • AXL conducts internal security reviews of its information-security programme on a periodic basis, including review of access logs, configuration baselines, vulnerability scan results and incident records.
  • Vulnerability assessments of the Services are conducted on a regular basis using automated tooling against application code, dependencies and infrastructure.
  • Where requested by Customer, AXL will share, under a confidentiality undertaking, the most recent internal security review summary, vulnerability-assessment summary or other documentation reasonably available.
  • AXL is committed to expanding its assurance programme over time and will, where applicable, share independent third-party reports as they become available.

Annex III — Authorised Sub-Processors

Customer authorises the engagement of the following Sub-Processors. Sub-Processors are categorised as:

  • Core infrastructure: used for all customers as part of the platform's standard operation;
  • Optional / customer-enabled: used only where Customer activates a corresponding feature or integration.

The list reflects the position as of the effective date of this DPA and is published at https://admin.accelonline.io/docs/subprocessors/en. AXL will update the list in accordance with Section 6 of the DPA.

A. Core infrastructure Sub-Processors

Sub-Processor | Service / role | Categories of data | Location of processing
Amazon Web Services EMEA SARL (AWS Europe) | Cloud infrastructure: ECS (compute), S3 (object storage), CloudFront (CDN), SQS (queues), CloudWatch (logs), Lambda (event-driven processing), Route 53 (DNS), ECR (container registry), KMS (key management), EC2 (ClickHouse hosting) | All categories of Customer Data, in transit and at rest | Frankfurt, Germany (eu-central-1)
Amazon Web Services EMEA SARL (Amazon RDS) | Managed PostgreSQL — primary operational relational database | All operational Customer Data: users, courses, orders, CRM, settings | Frankfurt, Germany (eu-central-1)
Amazon Web Services EMEA SARL (Amazon ElastiCache) | Managed Redis — caching, sessions, pub/sub, queues | Session and cache data, event payloads | Frankfurt, Germany (eu-central-1)
New Relic, Inc. | Application performance and error monitoring | Logs, traces, request metadata, error data | United States

B. Optional / customer-enabled Sub-Processors

The Sub-Processors below are engaged only where Customer activates the corresponding feature or integration. Where Customer does not activate a feature, the corresponding Sub-Processor does not Process Customer Data.

Email delivery

Sub-Processor | Purpose | Categories of data
ElasticEmail Inc. | Transactional and marketing email delivery; delivery, open, click and unsubscribe webhooks | Recipient email, name, merge fields, email content, delivery events
Mailgun Technologies, Inc. | Transactional email delivery and webhooks | Recipient email, name, merge fields, email content, delivery events
Customer-provided SMTP | Customer-configured email sending | Recipient email, email content, delivery events where available

Payment processing

The following payment Sub-Processors may be engaged depending on Customer's configured gateways:

Stripe; PayPal; Midtrans; Fondy; Square; Authorize.Net; MercadoPago; CyberSource; BitPay; EcPay; SmartGlocal; Mobbex; ProntoPaga.

Categories of data: payment metadata, payer/order references, payment status. Card data is handled by the relevant gateway and is not retained by AXL outside gateway-issued tokens or references.

Video, media, push and translation

Sub-Processor | Purpose | Categories of data
Kinescope | Video upload, processing, hosting, playback and deletion | Video files, video metadata, viewing/access metadata
Google LLC (Translate API) | Automatic translation of Customer-supplied text where Customer enables translation features | Text submitted for translation
Google LLC (Fonts) | Web font delivery (where loaded directly from Google) | Visitor IP and user agent, where applicable
Google LLC (Safe Browsing) | Unsafe-link/domain checks | URLs/domains submitted for evaluation
Google LLC (Calendar / Meet) | Creation, update and deletion of Google Calendar events for booking workflows, including a Google Meet conference link, where Customer connects Google Meet | Admin OAuth identity (email, profile), event metadata, attendee email addresses, conference data
Zoom Communications, Inc. | Creation, update and deletion of Zoom meetings, retrieval of meeting and recording metadata, where Customer connects Zoom | Admin OAuth identity (email, profile), meeting metadata, attendee email addresses, recording metadata
Firebase Cloud Messaging (Google LLC) | Web/mobile push notifications | Push tokens, notification payload metadata
Expo (Exponent, Inc.) | Mobile push notifications | Push tokens, notification payload metadata

Messaging and social channels (where enabled by Customer)

Telegram (Telegram FZ-LLC / Telegram Messenger Inc.); Viber Media S.à r.l.; Meta Platforms, Inc. (Facebook, Instagram, Messenger, Conversions API); WhatsApp; LINE Corporation.

Categories of data: social-network identifiers, messages, webhook payloads, conversion events.

Analytics and advertising integrations (Customer-enabled)

Google LLC (Google Analytics); Meta Platforms, Inc. (Conversions API).

Categories of data: site events, conversion metadata and identifiers configured by Customer.

Other operational integrations

Sub-Processor | Purpose | Categories of data
Oopspam | Spam detection on inbound data | Submitted content/metadata
ipapi.co | IP-based geolocation enrichment | IP addresses and derived location
ApiLayer (Exchange Rate API) | Currency-conversion lookups | Typically no Personal Data; order-currency context

Annex IV — Transfer Impact Assessment (TIA)

This Annex documents AXL's assessment under Clause 14 of the EU SCCs.

1. Specific circumstances of the transfer

Item | Description
Transfer purpose | Provision of the AXL educational SaaS platform to the Data Exporter (Customer)
Categories of data | See Annex I.B; primarily account, contact, educational, CRM and operational data
Sensitivity | The Services are not intended to Process special categories of personal data
Volume | Limited to the data necessary to provide the Services to Customer
Format | Stored in databases, object storage and analytical data stores located in the EEA, encrypted at rest with AWS KMS; transmitted over TLS
Parties involved | Data Exporter (Controller), Data Importer (Processor), authorised Sub-Processors listed in Annex III
Primary hosting location | Amazon Web Services, Frankfurt, Germany (eu-central-1) — within the EEA
Backup location | Amazon Web Services, Frankfurt, Germany (eu-central-1) — within the EEA
Locations of operational/support access | United States of America, United Kingdom (adequacy decision), Canada (adequacy decision)
Onward transfers | Only to authorised Sub-Processors under contractual data-protection obligations equivalent to those of this DPA

2. Importance of EEA data residency

A key feature of AXL's processing architecture is that Customer Data, including all backups, is hosted within the EEA at all times. Onward transfer of Customer Data to the United States or other third countries does not occur in the ordinary course of operations. Such transfer is limited to:

(a) operational and support access by authorised AXL personnel and contractors located in the United States, the United Kingdom and Canada (the latter two countries being subject to European Commission adequacy decisions);

(b) a small number of operational Sub-Processors that may be located outside the EEA, as identified in Annex III; and

(c) Customer-enabled integrations, where Customer's choice of integration may transfer specific categories of data outside the EEA.

This architecture significantly limits the legal and practical exposure of Customer Data to non-EEA jurisdictions compared with a US-hosted SaaS service.

3. Laws and practices of the country of destination (United States)

AXL has assessed the following US laws and practices that may impact the protection of Customer Data accessed from the United States:

  • Section 702 of the Foreign Intelligence Surveillance Act (FISA 702): permits US authorities to compel certain US providers of "electronic communications services" to disclose data of non-US persons located outside the US for foreign-intelligence purposes.
  • Executive Order 12333: governs intelligence-collection activities outside the United States.
  • Executive Order 14086 (October 2022) and the EU-US Data Privacy Framework: introduce safeguards including necessity and proportionality requirements, oversight mechanisms (PCLOB) and a redress mechanism (Data Protection Review Court) for EU individuals.
  • CLOUD Act: enables US authorities to compel US-based providers to disclose data in their custody, irrespective of location.

4. AXL's assessment

In light of the nature of AXL's services and customers:

  • AXL is a SaaS provider of an educational platform to business customers; AXL is not a "telecommunications carrier" under 47 USC §153 nor primarily a provider of "electronic communication services" within the meaning typically targeted under FISA 702 directives addressed to large telecoms or hyperscale communications providers.
  • Customer Data is stored in the EEA and is not located in the United States. While US-based AXL personnel can access the data remotely for operational and support purposes, the underlying storage remains subject to EU jurisdiction.
  • To AXL's knowledge, AXL has not received any order, request or directive issued under FISA 702, Executive Order 12333 or the CLOUD Act in connection with Customer Data.
  • AXL has implemented technical, organisational and contractual measures (described below and in Annex II) to mitigate residual risk arising from US-based operational access.

5. Supplementary measures

  • EEA data residency for storage and backups (see Section 2).
  • Encryption in transit (TLS 1.2+) for all customer-facing endpoints and for replication/backup traffic.
  • Encryption at rest with AWS KMS for primary operational data stores, backups and analytical stores.
  • Strict access control with mandatory multi-factor authentication (hardware security key or SSO with additional factor) for AXL personnel accessing production systems.
  • Need-to-know access by authorised personnel only, with periodic access reviews.
  • Logging and monitoring of access to production systems containing Customer Data.
  • Policy on government access requests: AXL will (i) not voluntarily disclose Customer Data to public authorities; (ii) carefully review the legal basis of any access request received; (iii) challenge any request that appears unlawful or disproportionate, including by seeking interim measures; (iv) where legally permitted, notify Customer of any legally binding access request before responding; and (v) provide Customer with periodic transparency information regarding government access requests, where applicable.
  • Sub-Processor diligence: Sub-Processors are subject to equivalent contractual obligations under Section 6 of the DPA.
  • Customer controls: Customer can apply data minimisation through configuration of the Services, deletion features and choice of integrations.

6. Conclusion

Taking into account:

  • the specific circumstances of the transfer (in particular, the fact that Customer Data is stored in the EEA);
  • the limited and controlled nature of operational access from the United States, the United Kingdom and Canada;
  • the adequacy decisions in force for the United Kingdom and Canada;
  • the supplementary measures implemented by AXL; and
  • the safeguards introduced under Executive Order 14086 and the EU-US Data Privacy Framework,

AXL has concluded that the Processing of Customer Data, including operational access from the United States, can be conducted in accordance with the EU SCCs.

AXL will reassess this conclusion if (i) the legal landscape changes materially; (ii) AXL receives any access request that calls into question the conclusion; or (iii) Customer reasonably requests a re-assessment.


Changes to this DPA

AXL may update this DPA from time to time. When AXL makes material changes, AXL will:

  • update the "Last updated" date at the top of this DPA;
  • post the updated DPA at https://admin.accelonline.io/docs/dpa/en; and
  • where the changes are material and adverse to Customer, notify Customer by reasonable means (for example, by email to the administrator contact registered in Customer's AXL account) at least thirty (30) days before the changes take effect, during which time Customer may object on reasonable data-protection grounds.

Continued use of the Services after the effective date of an updated DPA constitutes acceptance of the updated terms.

Contact

Topic | Contact
Privacy enquiries | privacy@axl.tech
Security incidents | security@axl.tech
Sub-Processor change subscriptions | privacy@axl.tech with subject "Subprocessor Updates Subscription"
Counter-signed copy requests | privacy@axl.tech
EU Representative (Article 27 GDPR) | Prighter Group, Schellinggasse 3/10, 1010 Vienna, Austria — https://app.prighter.com/portal/18576877104
Postal | AXL EdTech Booster LLC, 16192 Coastal Highway, Lewes, Delaware 19958, USA