Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between Ctrl-N Ltd. ("Coresix", "Processor"), a company registered in England and Wales under company number 16375438, with registered office at 128 City Road, London, EC1V 2NX, United Kingdom, and the Customer ("Controller") that has accepted Coresix's Terms of Service or signed an order form referencing the Service. This DPA reflects the parties' agreement on the processing of personal data in accordance with the UK GDPR, the EU GDPR, and applicable Middle East data protection laws (including the UAE Federal Decree-Law No. 45 of 2021, the DIFC Data Protection Law, the ADGM Data Protection Regulations, and the Saudi PDPL).
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in the underlying agreement or in the UK/EU GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given in the UK/EU GDPR.
2. Roles and scope
The Customer is the Controller of Customer Personal Data and Coresix is the Processor. Coresix will process Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do so by applicable law.
3. Subject matter and duration
Subject matter: provision of the Coresix Service.
Duration: the term of the underlying agreement plus any post-termination period required to return or delete Customer Personal Data.
Nature and purpose: hosting, storage, processing, and provision of an AI-enabled intelligence platform for the Customer's internal business use.
Categories of Data Subjects: Customer's employees, contractors, customers, and other individuals whose data is submitted to the Service.
Categories of Personal Data: identity and contact data, professional data, content and communications submitted to the Service, usage and log data.
4. Processor obligations
- Process Customer Personal Data only on documented instructions, including this DPA.
- Ensure that personnel authorised to process the data are bound by confidentiality.
- Implement and maintain the technical and organisational measures described in Section 8.
- Engage Sub-processors only as permitted in Section 5.
- Assist the Controller, taking into account the nature of processing, in responding to Data Subject requests.
- Assist the Controller with data protection impact assessments and prior consultations.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data.
- Make available all information necessary to demonstrate compliance and allow for audits as described in Section 9.
5. Sub-processors
The Customer authorises Coresix to engage Sub-processors to process Customer Personal Data, provided that Coresix: (a) maintains an up-to-date list of Sub-processors available on request; (b) imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA; and (c) remains liable for the acts and omissions of its Sub-processors. Coresix will give the Customer prior notice of any intended addition or replacement of a Sub-processor and allow a reasonable period to object on legitimate data protection grounds.
6. International transfers
The default hosting region for Customer Personal Data is the European Union. Where Coresix transfers Customer Personal Data outside the UK, EEA, or the Customer's local jurisdiction, the parties agree that the following safeguards apply, as relevant:
- UK transfers: the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (2021/914), incorporated by reference.
- EEA transfers: the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), incorporated by reference.
- UAE / DIFC / ADGM / Saudi Arabia transfers: the equivalent contractual clauses or recognised transfer mechanisms under local law (including, where applicable, the DIFC Standard Contractual Clauses and SDAIA-approved transfer instruments).
The parties will complete the relevant annexes using the information in this DPA.
7. Data Subject rights and assistance
Coresix will, to the extent legally permitted, promptly notify the Customer of any request received from a Data Subject and will not respond to such requests directly except on the Customer's instruction or as required by law. Coresix will provide reasonable assistance to enable the Customer to respond to such requests within applicable statutory timeframes.
8. Security
Coresix maintains a written information security programme with technical and organisational measures appropriate to the risk, including:
- Encryption of Customer Personal Data in transit (TLS) and at rest.
- Role-based access controls, least-privilege, and multi-factor authentication for administrative access.
- Network segregation, firewalling, and intrusion detection.
- Logging, monitoring, and alerting on production systems.
- Vulnerability management, secure software development lifecycle, and regular penetration testing.
- Personnel security: background checks where lawful, training, and confidentiality obligations.
- Business continuity and disaster recovery procedures.
- Incident response procedures aligned with UK/EU GDPR breach-notification requirements.
9. Audits
Coresix will make available to the Customer information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g. SOC 2, ISO 27001) where available. The Customer may, on reasonable prior written notice and no more than once per 12-month period (except where required by a regulator or following a Personal Data Breach), conduct an audit, subject to confidentiality and reasonable security and operational requirements.
10. Return and deletion of data
On termination or expiry of the underlying agreement, Coresix will, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by applicable law. Copies held in backups will be deleted in accordance with Coresix's backup rotation cycle and will not be actively processed in the meantime.
11. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement.
12. Conflict
In the event of a conflict between this DPA and the underlying agreement, this DPA prevails with respect to the processing of Customer Personal Data.
13. Governing law
This DPA is governed by the laws of England and Wales, except where mandatory data protection law of another jurisdiction (including EEA Member States, UAE, DIFC, ADGM, or Saudi Arabia) requires otherwise.
14. Contact
Ctrl-N Ltd., 128 City Road, London, EC1V 2NX, United Kingdom. Company number: 16375438. Email: privacy@coresix.eu.