Legal

Data Processing Addendum

Last updated: 6 July 2026. This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (the “Customer”) and Akede. It applies where Akede processes personal data on your behalf and supplements our Privacy Policy. It is designed to satisfy UK GDPR / EU GDPR Article 28 and equivalent laws.

1. Roles

For personal data contained in your workspace (Customer Content — brand data, content you assess, your team, and third-party information you direct us to analyse), you are the controller and Akede is the processor. For Akede’s own account and billing data, Akede is the controller (see the Privacy Policy).

2. Scope & instructions

Akede processes personal data only (a) to provide the Service under the Terms, and (b) on your documented instructions (including your configuration and use of the product). Akede will tell you if an instruction appears to breach applicable data-protection law.

3. Confidentiality & security

Personnel authorised to process Customer Content are bound by confidentiality. Akede maintains technical and organisational measures appropriate to the risk — including encryption in transit (HTTPS/HSTS), hashed credentials, per-tenant isolation, signed httpOnly sessions, security headers, rate limiting, and server-side handling of secrets (Article 32).

4. Sub-processors

You authorise Akede to engage the sub-processors listed at akede.co/subprocessors to help deliver the Service. Akede imposes data-protection obligations on each and remains responsible for their performance. We’ll give notice of new sub-processors and let you object on reasonable data-protection grounds.

5. No training on your data

Customer Content is sent to our AI sub-processor solely to generate your outputs under enterprise terms and is not used to train shared or public models. Workspace data is isolated per organisation and never shared across tenants.

6. International transfers

Where personal data is transferred outside the UK/EEA (or your local jurisdiction), Akede relies on appropriate safeguards such as the Standard Contractual Clauses and the UK International Data Transfer Addendum, together with the relevant sub-processor’s data-processing terms.

7. Assisting you

Taking account of the nature of processing, Akede will assist you in responding to data-subject requests and in meeting your obligations on security, breach notification and data-protection impact assessments. Akede’s self-serve tools (Settings → Privacy & data) let you export and delete workspace data directly.

8. Breach notification

Akede will notify you without undue delay after becoming aware of a personal-data breach affecting your Customer Content, with the information you reasonably need to meet your own notification duties.

9. Deletion & return

On termination, or on your request, Akede will delete Customer Content (backups age out on our provider’s cycle), except where retention is required by law — including the 6-year retention of your promotions/audit register described in the Privacy Policy.

10. Audits

Akede will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable notice and confidentiality terms, support audits appropriate to the Service.

To countersign a copy for your records, or with questions: legal@akede.co.