Data Processing Agreement
This Data Processing Agreement (“DPA”) implements Article 28 of the GDPR for organisational customers (the “Controller”) who use Axion to process personal data on behalf of their employees, members, customers, or other data subjects. It supplements and is incorporated into the Terms of Service. Where the Terms and this DPA conflict, this DPA prevails for matters concerning processing of personal data.
For consumer (B2C) use of Axion, processing is governed by the Privacy Policy alone; this DPA is not required.
The Operator (Adil Mustafayev, axionchat.chat) acts as the “Processor” under this DPA. Acceptance occurs (a) when the Controller signs and returns the PDF copy above, or (b) when the Controller’s administrator clicks “I accept” on the organisation onboarding screen of the Service. Either route forms a binding agreement.
1. Definitions
- Terms not defined here have the meaning given in Article 4 GDPR. In particular: “personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach”.
- “Service” means the Axion Matrix homeserver, Jitsi instance, and associated apps as defined in the Terms.
- “Subprocessor” means any third party engaged by the Processor to process personal data under this DPA.
- “SCCs” means the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Subject matter, duration, nature and purpose
2.1 Subject matter
The subject matter of the processing is the operation of an end-to-end encrypted messaging and conferencing service for the Controller’s authorised users.
2.2 Duration
This DPA applies for as long as the Processor processes personal data on behalf of the Controller and survives termination as set out in section 9.
2.3 Nature and purpose
Storage, transmission, routing, federation (only to the extent the Controller’s users initiate it), encrypted backup, and deletion of messaging-related personal data, strictly to deliver the Service.
2.4 Categories of data subjects
- The Controller’s authorised end-users (employees, members, customers).
- Third parties that the Controller’s users communicate with through the Service.
2.5 Categories of personal data
- Account identifiers, password hashes, optional recovery email.
- Device identifiers, public end-to-end encryption keys.
- Room membership, event timestamps, presence state.
- Display name and avatar (where the user sets them).
- Push notification tokens and call session metadata.
- Encrypted message ciphertext (the Processor cannot read the plaintext).
- Server access logs (max 14 days).
The Processor does not process special-category data under Art. 9 GDPR, criminal-conviction data under Art. 10 GDPR, or the data of children under 16 unless the Controller specifically configures the Service to do so and bears responsibility for the additional safeguards.
3. Documented instructions
The Processor shall process personal data only on documented instructions from the Controller. The Terms, this DPA, and the configuration that the Controller’s administrators make through the admin interface together constitute the Controller’s standing instructions.
The Processor shall inform the Controller without undue delay if it considers that an instruction infringes the GDPR, the EU Data Protection Directive for law enforcement, or other applicable Union or Member State data-protection law.
4. Confidentiality
The Processor ensures that any person authorised to process the personal data — including the Operator and any contractors — is bound by a written confidentiality obligation that survives termination of their engagement, or by a statutory obligation of confidentiality.
5. Security measures (Art. 32 GDPR)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to data subjects, the Processor implements the following technical and organisational measures.
5.1 Encryption
- End-to-end encryption (Olm/Megolm, MLS where supported) is the default for direct messages and private rooms; the Processor does not hold the message keys.
- TLS 1.3 only for client-server and server-server traffic; HSTS preload; modern cipher suites; perfect forward secrecy.
- Full-disk encryption (LUKS) on the underlying virtual server.
- Backups are encrypted client-side with an independent key (Restic) before being uploaded to Backblaze B2.
- Passwords stored as Argon2id hashes; recovery emails encrypted at rest with a server-held key.
5.2 Access control
- SSH on a non-standard port (5622) with key-only authentication, two-factor (TOTP) for non-home IPs, and fail2ban + recidive jails.
- Least-privilege Docker isolation per service (Synapse, Postgres, Redis, MinIO, Vault, Caddy, Sygnal, Mjolnir, Jitsi).
- Database superuser inaccessible from the network; application user limited by row- and schema-level grants.
- Audit logging via auditd; daily AIDE filesystem integrity checks; log shipping to Grafana Cloud.
5.3 Network and infrastructure
- Cloudflare in front of the Service for DDoS mitigation and WAF; origin reachable only via Cloudflare or via Tailscale management VPN.
- CrowdSec community-blocklist enforcement at the edge.
- Tailscale-based out-of-band administration; no direct public administrative endpoints.
- Hardened, sysctl-tuned kernel with ModemManager disabled; /tmp mounted on tmpfs with noexec, nosuid and nodev.
5.4 Resilience and recovery
- Encrypted off-site backups (Backblaze B2, EU Central) with a 30-day rolling retention and a periodic restore test.
- Database point-in-time recovery via Postgres WAL archiving.
- Documented incident-response runbook; recovery time objective (RTO) of 24 hours and recovery point objective (RPO) of 24 hours under normal conditions.
5.5 Process and governance
- Quarterly review of subprocessors, dependencies, and security headers.
- Public /.well-known/security.txt for vulnerability disclosure.
- Pre-production review of any change touching authentication, key handling, or federation.
- Operator passes a baseline Lynis hardening score of 85/100 and the internet.nl 100% test.
6. Subprocessors
The Controller hereby gives general written authorisation for the engagement of subprocessors. The current list is published at /legal/subprocessors.html and incorporated by reference. The Processor will give the Controller at least 30 days’ advance notice of any intended addition or replacement of a subprocessor by updating that page and emailing the Controller’s registered DPA contact.
The Controller may object to a new subprocessor on reasonable data-protection grounds within the notice period. If the parties cannot reach an accommodation, the Controller may terminate the affected portion of the Service without penalty.
The Processor shall impose, by written contract, the same data-protection obligations as set out in this DPA on each subprocessor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
7. International transfers
Personal data is hosted in Germany. Where a subprocessor is established outside the EU/EEA or where data is otherwise transferred to a third country, the Processor relies on:
- An adequacy decision under Art. 45 GDPR, where one exists (e.g. Switzerland for Migadu);
- The 2021 SCCs (Module 3, processor to sub-processor) for transfers to Cloudflare, Backblaze, Google, and Apple, completed with the relevant Annexes;
- For US transfers, additionally the EU–US Data Privacy Framework certification of the receiving entity, where applicable.
The Processor has carried out a Transfer Impact Assessment for each non-EU subprocessor. Mitigations include encryption in transit and at rest, encryption at the application layer (E2EE for messages, client-side encryption for backups), minimisation of payload (push tokens contain no message body), and contractual challenge of any government access request that conflicts with EU law.
8. Assistance with data-subject requests and security obligations
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests from data subjects under Articles 15–22 GDPR. In particular the Processor provides:
- Self-service data export of an account (Matrix Client-Server API export plus profile/device JSON);
- Self-service rectification of profile data and recovery email;
- Self-service erasure of an account, with completion within 30 days;
- An admin endpoint for the Controller to initiate the same operations on behalf of its users.
The Processor shall also assist the Controller in ensuring compliance with the obligations under Articles 32–36 GDPR — security of processing, breach notification, data-protection impact assessments, and prior consultation — taking into account the nature of processing and the information available to the Processor.
8.1 Personal data breach notification
The Processor shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware, of a personal data breach affecting the Controller’s data. The notification shall describe the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach and mitigate its adverse effects.
9. Audits and inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or a mutually-agreed independent third-party auditor bound by confidentiality, subject to the following:
- The Controller gives at least 30 days’ written notice;
- Audits take place at most once per calendar year, except in the event of a personal data breach or a binding regulatory instruction;
- Audits are conducted during business hours and must not unreasonably interfere with the Service;
- The Controller bears the costs of the audit unless the audit reveals material non-compliance, in which case the Processor bears the documented costs.
The Processor may satisfy the audit obligation by providing recent third-party audit reports (e.g. of Hetzner, Cloudflare, Backblaze, Google, Apple) for its subprocessors, together with the Processor’s own most recent Lynis report and security-headers attestation.
10. Termination and return or deletion of data
On termination of the Terms or this DPA, the Processor shall, at the Controller’s written choice, return all personal data to the Controller (in the form of a Matrix Client-Server export and a JSON dump of profile/device records) and delete the existing copies, or delete all personal data and certify deletion. Backups containing the data will be overwritten on the rolling 30-day cycle described in section 5.4 and a final certificate of deletion will be issued at the end of that period.
The Processor may retain personal data only to the extent and for as long as required by Union or Member State law, in which case the Processor shall ensure the confidentiality of that data and shall not actively process it for any other purpose.
11. Liability
Each party is liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller, in accordance with Art. 82 GDPR. The Processor’s liability under this DPA is subject to the aggregate liability cap set out in section 8 of the Terms, except for liability that cannot be limited under applicable law (in particular under Art. 82 GDPR towards data subjects).
12. Miscellaneous
This DPA is governed by the same law and jurisdiction as the Terms. If any conflict arises between this DPA and any other agreement between the parties (including the Terms), this DPA prevails for matters concerning processing of personal data.
13. Contact
DPA and rights requests: trust@aevrix.org
Security incidents and breach notifications: security@aevrix.org