1.1 This Data Processing Agreement (the "DPA") applies to the processing of Personal Data by Taxxa AI or its Affiliates (“Taxxa AI”) as Processor in connection with the provision of Services to the Subscriber and is incorporated into and governed by the Terms and Conditions available at https://www.taxxa.ai/legal/terms (the “Agreement”), entered into between you (“Subscriber”) and Taxxa AI.
1.2 This DPA defines the Subscriber's rights and obligations in its capacity as Controller or Processor, alongside Taxxa AI's rights and obligations in its capacity as Processor or sub-processor when Processing Personal Data on the Subscriber's behalf pursuant to the Agreement.
1.5 Definitions:
All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement.
"Applicable Data Protection Laws" means applicable data protection laws and regulations, such as the EU General Data Protection Regulation 2016/679 (“GDPR”) and the United Kingdom General Data Protection Regulation, and all other privacy and data protection laws of the European Economic Area and the United Kingdom as amended and updated from time to time;
"Data Protection Authority" means a regulatory authority, supervisory authority, or other governmental agency empowered to enforce Applicable Data Protection Laws.
"Personal Data" means any Subscriber Content that relates to an identified or identifiable natural person and constitutes "Personal Data" within the meaning of Applicable Data Protection Laws.
“Controller”, “Processor”, “Process/Processing”, “Data Subject”, “Data Protection Impact Assessment” and “Personal Data Breach” shall bear the meanings assigned to them under the GDPR.
1.3 All concepts, terms, and expressions employed in this DPA shall be interpreted in alignment with Applicable Data Protection Laws.
1.4 In the event of any conflict between the provisions of the Agreement and this DPA with respect to the scope of this DPA set out above in Section 1.1, the terms of this DPA shall prevail.
2.1 Taxxa AI undertakes to Process Personal Data for the purposes set out in this DPA and only on documented instructions from the Subscriber, unless required to do so by law to which the Processor is subject. In such a case, Taxxa AI shall inform the Subscriber of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Subscriber's instructions to Taxxa AI regarding the subject-matter and duration of Processing, the nature and purpose of Processing, the categories of Personal Data and Data Subjects, and the rights and obligations of both Parties are detailed in this DPA (including Annex 1).
2.2 Acting as Processor, Taxxa AI undertakes to:
a) Adhere to all Applicable Data Protection Laws that apply to it as a Processor of Personal Data;
b) Inform the Subscriber promptly upon determining that in its opinion an instruction from the Subscriber infringes Applicable Data Protection Laws;
c) Make available to the Subscriber all information reasonably necessary to demonstrate compliance with this DPA as required by Applicable Data Protection Laws within a reasonable time upon request by the Subscriber;
d) Taking into account the nature of Processing and the information available to Taxxa AI, provide reasonable assistance to the Subscriber, where applicable, related to performing Data Protection Impact Assessments and related prior consultations with the Data Protection Authority;
e) Taking into account the nature of Processing, provide reasonable assistance to the Subscriber, insofar as this is possible and required under the Applicable Data Protection Laws, in responding to requests from Data Subjects exercising their rights related to their Personal Data under Applicable Data Protection Laws;
f) Taking into account the nature of the Processing and the information available to it, provide reasonable assistance to the Subscriber related to the Subscriber’s obligations regarding security of Processing and notifying/communicating Personal Data Breaches to Data Protection Authorities or Data Subjects.
2.3 Assistance shall be provided at the Subscriber’s reasonable expense, unless the need for such assistance results from Taxxa AI’s failure to comply with this DPA or Applicable Data Protection Laws.
3.1 The Subscriber shall ensure that:
4.1 The Subscriber grants Taxxa AI a general authorization to engage other Processors ("Sub-processors") in connection with the provision of the Services.
4.2 Taxxa AI shall maintain an up-to-date list of its Sub-processors on its website at https://www.taxxa.ai/legal/data-processing-agreement and may update this list from time to time to reflect the addition or replacement of Sub-processors. Updates shall be deemed notified to the Subscriber when published, and the Subscriber shall be deemed to have accepted the updated list unless it objects to an addition or replacement of Sub-processor on reasonable data protection grounds within 30 days of publication. If the Subscriber objects and the parties cannot resolve the objection, Taxxa AI may terminate the Agreement with 30 days’ prior written notice. Taxxa AI shall ensure that each Sub-processor is bound by written terms imposing data protection obligations no less protective than those in this DPA, and shall remain responsible for the Sub-processor’s performance of its contractual obligations.
5.1 Taxxa AI may transfer Personal Data within the United Kingdom (“UK”) and the European Economic Area (“EEA”). Transfers to any other country are permitted only where the destination country is subject to (i) a valid adequacy decision by the European Commission, in respect of EEA Personal Data, or (ii) a valid UK adequacy decision, in respect of UK Personal Data. For the avoidance of doubt, transfers to recipients in the United States are permitted where the recipient participates in and maintains a valid certification under the EU–U.S. Data Privacy Framework or, where applicable, the UK Extension to the Data Privacy Framework.
6.2 Taxxa AI shall implement appropriate technical and organizational measures to protect Personal Data against any unauthorized or unlawful Processing (i.e. accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data). The security measures are described in Annex 3.
6.3 Taxxa AI shall ensure that all persons authorized to process Personal Data are subject to confidentiality commitments or are under an appropriate statutory obligation of confidentiality.
7.1 Taxxa AI shall inform the Subscriber without undue delay and no later than 48 hours after becoming aware of a Personal Data Breach.
7.2 In the event of a Personal Data Breach, Taxxa AI shall assist the Subscriber with any information reasonably necessary for the Subscriber to comply with its Personal Data Breach notification obligations under Applicable Data Protection Laws, where applicable, taking into account the nature of processing and the information available to Taxxa AI.
9. Audit Rights
9.1 The Subscriber has the right to conduct audits of Taxxa AI's processing of the Subscriber's Personal Data to confirm Taxxa AI's compliance with this DPA and Applicable Data Protection Laws. This audit right is restricted to once per 12-month period unless the Subscriber possesses clear grounds to believe that Taxxa AI has materially violated its obligations under this DPA.
9.2 Taxxa AI undertakes to permit and contribute to audits, including on-site inspections, conducted by an authorized and reputable auditor designated by the Subscriber, provided that individuals conducting the audits enter into confidentiality agreements or are subject to statutory obligations of confidentiality. Subscriber acknowledges that audits under this DPA shall exclude access to information pertaining to or belonging to Taxxa AI's other customers.
9.4 The Subscriber bears responsibility for all costs incurred in connection with audits, save for instances where an audit determines a material breach of Taxxa AI's undertakings constituting a violation of the DPA. In such instances, Taxxa AI shall reimburse the Subscriber for reasonable and documented costs incurred in connection with the audit.
10.1 The provisions of this DPA shall remain in effect for as long as Taxxa AI processes Personal Data on behalf of the Subscriber or until such time this DPA is superseded by another data processing agreement.
10.2 Taxxa AI shall at the choice of the Subscriber, delete or return all Personal Data to the Subscriber upon the termination or expiration of the Agreement and this DPA, unless applicable law requires storage of the Personal Data.
12.1 Any amendments to this DPA shall, to be valid, be mutually agreed in writing and duly executed by authorized representatives of both Parties.
12.2 Taxxa AI shall be entitled to compensation for any reasonable additional costs incurred by Taxxa AI as a consequence of the Subscriber having made amendments to its written instructions concerning Processing. Notwithstanding the foregoing, no compensation shall be payable for amendments in written instructions that arise directly from, or are directly predicated on, regulatory requirements.
The liability provisions and limitations specified in the Agreement shall apply to this DPA.
14.1 Unless otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and interpreted in accordance with the governing law provision contained in the Agreement.
14.2 Any dispute, controversy, or claim arising from or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be conclusively settled in accordance with the dispute resolution provision specified in the Agreement.
15. Annexes
The following annexes shall form a part of the DPA:
Last updated: 20th November 2025
Taxxa AI provides an AI workspace for financial knowledge work via a SaaS solution. The Services are delineated in the Agreement and encompass an AI chat interface to interact with public data, together with organizational and Subscriber data. Taxxa AI shall process Personal Data on the Subscriber's behalf for the purpose of delivering the Services pursuant to the Agreement.
Individuals included in Subscriber Content, specifically natural persons who are referenced or otherwise incorporated in the Subscriber's input data submitted to the Taxxa AI Platform.
Name, title, email, or other Personal Data submitted in search queries, prompt queries, or documents uploaded to the Services.
Taxxa AI's processing of Personal Data on the Subscriber's behalf shall persist until the expiration or termination of the Agreement or as otherwise mutually agreed between the Parties.
| Sub-processor | Purpose | Data Categories Processed | Data Residency | Legal Entity/Data Residency |
|---|---|---|---|---|
| Microsoft | Hosting, infrastructure, and AI models | Personal data included in Subscriber Content | EU/EEA | Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Dublin 18, Ireland |
| | Provision of AI models, processing public data | Personal data included in Subscriber Content | EU/EEA | Google Cloud EMEA Ltd, 70 Sir John Rogerson's Quay, D02 R296, Dublin 2, Ireland |
| Anthropic | Provision of AI models | Personal data included in Subscriber Content | EU/EEA | 9th floor, 107 Cheapside, London, United Kingdom |
| Langfuse | Traces of AI usage | Personal data included in Subscriber Content | EU/EEA | Gethsemanestraße 4, 10437 Berlin, Germany |
| Posthog | Analytics | Product usage analytics | EU/EEA | |
| Vercel | Hosting | Personal data included in Subscriber Content | EU/EEA | Stockholm, Sweden ARN1 |
| LlamaIndex | Data extraction | Personal data included in Subscriber Content | EU/EEA | |
| Trigger.dev | Background tasks | Personal data included in Subscriber Content | EU/EEA | Frankfurt, Germany |
| Sub-processor | Purpose | Data Categories Processed | Data Residency | Legal Entity/Data Residency |
|---|---|---|---|---|
| Clerk | Authentication | Personal data included in Subscriber Content | US | 660 King Street, Unit 345, San Francisco, CA 94107, United States |
Last updated: 20th November 2025
This document outlines the technical and organizational security measures and controls deployed by Taxxa AI to safeguard Personal Data and ensure the continuous confidentiality, integrity, and availability of Taxxa AI's products and services. Additional details on the measures we deploy are available upon request. Taxxa AI reserves the right to modify these technical and organizational measures at any time, without prior notice, provided that any such modifications will not materially diminish or compromise the protection given to Personal Data that Taxxa AI processes in delivering its products and services.
The Taxxa AI Platform is a financial AI workspace comprising a cloud service accessible through a web interface via a browser and any supplementary documentation and modules provided by Taxxa AI and its Affiliates. The Taxxa AI Platform is utilized for streamlining financial and accounting work built upon public legal information and the Subscriber's proprietary documents. The platform serves as an all-in-one solution for teams to handle accounting and financial inquiries and streamline certain processes.
Taxxa AI engages vetted sub-processors for designated purposes.
Data backup constitutes one of the cornerstones of Taxxa AI's IT continuity plan. Personnel oversee and monitor backup execution to guarantee the integrity, confidentiality, and accuracy of backup data. Backups are executed every 24 hours.
Taxxa AI ensures that established security requirements are satisfied by external suppliers. A contract with a selected supplier specifies the demands on the supplier's IT environment and information security measures. The supplier shall present and justify their technology, routines, and processes, along with IT and information security policies.
Measures preventing unauthorized persons from using IT systems and processes:
a) When granting access, Taxxa AI follows the principle of least privilege and role-based permissions, meaning our employees are solely authorized to access data they reasonably must handle to fulfill their work responsibilities.
b) Taxxa AI implements multi-factor authentication for access to systems holding highly confidential data, including our production environment housing Personal Data.
Measures preventing physical access by unauthorized persons to IT systems handling Personal Data:
a) Taxxa AI collaborates with industry-leading data center and cloud infrastructure providers. Access to all data centers is rigorously controlled. All data centers are provided with 24x7x365 surveillance and biometric access control systems.
b) Data centers are outfitted with at least N+1 redundancy for power, networking, and cooling infrastructure.
c) Taxxa AI replicates data across distinct, physically independent, and highly secure Microsoft Azure locations, guaranteeing high availability and protection from localized failures such as power outages and fires.
Measures preventing physical access by unauthorized persons to physical office locations:
a) Taxxa AI ensures that exclusively authorized persons can access physical office locations via comprehensive access management comprising redundant key-card access points. This is administered by third-party office providers.
b) Taxxa AI ensures efficient and prompt onboarding and offboarding of employees, contractors, and third parties, including immediate return or destruction of sensitive documents and access cards upon termination.
Measures ensuring that persons authorized to utilize Taxxa AI possess access solely to Personal Data consistent with their access rights:
a) Taxxa AI enforces password complexity aligned with OWASP password recommendations to guarantee strong passwords are employed.
b) Recovery of forgotten passwords is accomplished by requesting a signed link sent to the user's email account; no passwords are transmitted in plain text via email, chat, phone, or any other communication channel.
c) Taxxa AI ensures passwords are hashed (and salted) securely utilizing bcrypt in accordance with best practices, and, upon the Subscriber's request, offers single sign-on (SSO) powered by SAML 2.0 for secure user authentication.
d) Taxxa AI employs best-practice tools for vulnerability scanning, malicious activity detection, and automatically blocks suspicious behavior.
Measures ensuring that Personal Data cannot be read, copied, altered, or removed by unauthorized persons during electronic transmission or during transport or storage on data media, and that those locations can be monitored and identified where transmission of Personal Data is to be performed via data transmission systems:
a) Subscriber data at rest is encrypted utilizing AES-256 or other algorithms with comparable encryption strength, and data in transit is encrypted with TLS 1.3 at a minimum.
b) Taxxa AI is notified of encryption issues via periodic risk assessments.
Measures ensuring that it can be retrospectively verified and ascertained whether and by whom Personal Data was entered, modified, or removed in the IT system:
a) Systems are monitored for security events to guarantee prompt resolution.
b) Logs are centrally stored and indexed. Logs can be traced back to individual unique usernames with timestamps to investigate nonconformities or security events.
Measures ensuring that Personal Data are safeguarded against accidental destruction or loss:
a) Taxxa AI preserves a complete backup copy of production data every 24 hours to guarantee rapid recovery in the event of a large-scale disaster. Incremental/point-in-time recovery is accessible for all primary databases. Backups are encrypted in-transit and at rest utilizing strong encryption.
b) Taxxa AI's patch management process guarantees that systems are patched promptly according to threat level. Monitoring, alerting, and routine vulnerability scanning take place to guarantee that all product infrastructure is patched uniformly.
c) When required, Taxxa AI patches infrastructure in an expedited fashion in response to the disclosure of critical vulnerabilities to guarantee system uptime is maintained.
d) Subscriber environments are logically isolated at all times. The Subscriber cannot access accounts beyond those provided with authorization credentials.
Measures ensuring that Personal Data collected for distinct purposes can be processed independently:
a) Taxxa AI utilizes separate data processing systems for distinct purposes. These systems are architecturally (logically and physically) isolated. All systems necessitate valid authorization for access.
b) To guard against the unintended amalgamation of data, Taxxa AI maintains separation between development, staging, and production environments.
Measures ensuring that appropriate operations security safeguards against malicious code are established include, but are not limited to:
a) Taxxa AI maintains various systems and methodologies to shield the IT infrastructure against malicious code, including diverse antivirus scanners, spam filters, and security updates.
b) Taxxa AI employs active monitoring to verify that antivirus scanners and spam filters are operational and updated.
c) Taxxa AI proactively installs the most recent security updates on systems and applications to minimize the risk of exploitation of vulnerabilities.
Measures ensuring that appropriate operations security safeguards for email are established include, but are not limited to:
a) Taxxa AI utilizes Google's world-class email security to shield all inbound and outbound emails from malware.
b) Taxxa AI leverages Google's email spam filtering services to defend against spam, virus, and phishing attacks.
Throughout the term of the DPA, Personal Data processed by Taxxa AI will be subject to the retention requirements instructed periodically by the Subscriber.