This Data Processing Agreement ("DPA") forms part of the agreement between the Client (Controller) and Corelix Software Ltd (Processor) and reflects the parties' commitment to the UK GDPR and the EU GDPR. To request a counter-signed copy, please use our /contact form (subject: "DPA Request").
1. Subject matter and duration
Corelix processes personal data on behalf of the Client solely for the duration and purposes of the Engagement and only to the extent necessary to provide the agreed services.
2. Categories of data subjects and personal data
- Data subjects: Client employees, Client end users, third-party contacts as relevant
- Personal data: identification data, contact data, professional information, system logs as required for service delivery
3. Sub-processors
Corelix uses a curated list of sub-processors including AWS, Microsoft Azure, Stripe and Google Workspace. The current list is provided on request. Clients are notified of material changes 30 days in advance.
4. Security measures
- TLS 1.3 in transit, AES-256 at rest
- Role-based access control with MFA
- ISO 27001-aligned controls and SOC 2 Type II practices
- Regular vulnerability scanning and penetration testing
5. Audit rights
Clients may request an audit of Corelix's processing activities once per year on reasonable notice and at the requesting party's reasonable cost.
6. Breach notification
Corelix notifies the Client without undue delay and within 48 hours of becoming aware of a personal data breach.
7. International transfers
Corelix uses UK IDTA, EU SCCs or adequacy decisions for international transfers.
8. Return and deletion of data
Upon termination, Corelix returns or deletes Client personal data within 30 days, unless retention is required by law.