Data Protection Addendum

Last updated: 14 January 2026

DATA PROTECTION ADDENDUM (DPA)

This Data Protection Addendum ("Addendum") supplements and forms part of the FamilyAxis Terms of Service (the "Agreement").

This Addendum sets out the data protection terms applicable when FamilyAxis processes Personal Data on behalf of Controller, and describes FamilyAxis’s role as data controller for FamilyAxis website cookies and marketing communications.

1. Definitions

For the purposes of this Addendum (unless the context otherwise requires):

1.1 Applicable Law means data protection and privacy laws applicable to the processing including, where relevant, the UK Data Protection Act 2018, the UK GDPR, and any other national implementing legislation and guidance of the supervisory authority.

1.2 Controller means the natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.3 Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

1.4 Personal Data means any information relating to an identified or identifiable natural person as defined under Applicable Law.

1.5 Protected Data or Special Category Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation, or any other category of data defined as special under Applicable Law.

1.6 Processing (and "processes") means any operation or set of operations which is performed on Personal Data as defined in Applicable Law, whether or not by automated means.

1.7 Processing Instructions mean Controller's documented instructions (including the Agreement and this Addendum) issued to FamilyAxis describing the subject matter, duration, nature and purpose of Processing and the types of Personal Data and Data Subjects.

1.8 Data Subject means the identified or identifiable natural person to whom the Personal Data relates.

1.9 Data Subject Request (or "DSR") means any request from a Data Subject to exercise rights under Applicable Law (including access, rectification, erasure, restriction, objection, portability and related rights).

1.10 Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

1.11 Sub-processor means any Processor engaged by FamilyAxis to process Personal Data on behalf of the Controller.

1.12 International Recipient or Transfer means any transfer or onward transfer of Personal Data to any country or international organisation outside of the UK/EEA region.

1.13 Lawful Safeguards means appropriate transfer mechanisms required by Applicable Law for International Transfers (for example: adequacy decisions, standard contractual clauses, binding corporate rules, or other permitted safeguards).

1.14 GDPR means, as applicable, the EU General Data Protection Regulation (EU) 2016/679 and/or the UK GDPR (as implemented into UK law) as applicable to the Parties.

1.15 Data Protection Losses means any loss, liability, damage, costs, fines, penalties, expenses and reasonable professional fees resulting from a breach of this Addendum or Applicable Law related to Processing.

1.16 Supervisory Authority means the data protection authority with jurisdiction in respect of the Controller or FamilyAxis (for example the UK Information Commissioner's Office).

1.17 List of Sub-processors means the register of current and future Sub-processors maintained by FamilyAxis and published on request.

1.18 Transfer means the movement of Personal Data from the UK/EEA to a jurisdiction outside those territories.

2. Purpose and scope

2.1 This Addendum describes:

(a) the subject matter, duration, nature and purpose of Processing performed by FamilyAxis on behalf of Controller; and

(b) the types of Personal Data and categories of Data Subjects processed; and

(c) the obligations and rights of the Parties, including security, Sub-processor use, transfers, breach notification, audit rights, and retention and deletion.

2.2 This Addendum applies where FamilyAxis acts as Processor on behalf of Controller for the Services. For clarity, when FamilyAxis processes Personal Data relating to FamilyAxis website visitors (cookies, analytics) or marketing contacts, FamilyAxis acts as Controller for those processing activities and those activities are governed by FamilyAxis's Privacy Notice.

3. Processing of Controller data (Processor role)

3.1 Subject matter & purpose. FamilyAxis will process Personal Data on behalf of Controller to provide the Services (case management for residential family assessment centres) including resident profiles, observations, direct work notes, safeguarding logs, live risk assessment logs, reports, user accounts, audit logs and staff logs.

3.2 Duration. Processing is for the duration of the Agreement and thereafter only as set out in clause 8 (Retention, subscription states, exports and deletion) or as otherwise agreed in writing.

3.3 Categories of Personal Data & Data Subjects. See clause 4 below.

3.4 Instructions. FamilyAxis will process Personal Data only on documented instructions from Controller and in accordance with the Agreement and this Addendum unless required by Applicable Law to do otherwise. If FamilyAxis believes an instruction from Controller infringes Applicable Law, it shall promptly notify the Controller.

4. Types of Personal Data and Data Subjects

4.1 Examples of Personal Data Processed on behalf of Controller (non-exhaustive):

(a) Identifiers: names, aliases, pseudonyms, dates of birth, contact details (email, telephone), relationship details;

(b) Case records: observations, session notes, assessments, tasks, safeguarding records, risk assessments, reports;

(c) Sensitive / Special Category Data where provided: health information, medical notes, mental health, disabilities, safeguarding details (processed only where lawful and necessary);

(d) System and administrative data: user account information, role/permissions, audit and access logs, metadata, staff logs (operational logging may be processed via authorised Sub-processors).

4.2 Categories of Data Subjects (non-exhaustive): residents (parents and children), family contacts, organisation staff and users, third parties referenced in case records.

5. FamilyAxis obligations as Processor

5.1 FamilyAxis shall:

(a) Process Personal Data only on Controller’s documented Processing Instructions (including this Addendum and the Agreement), unless required to do otherwise by Applicable Law;

(b) Ensure persons authorised to process Personal Data are bound by confidentiality obligations;

(c) Implement appropriate technical and organisational measures to protect Personal Data as described in clause 7 and elsewhere in this Addendum;

(d) Assist Controller with Data Subject Requests, breach notifications and regulatory cooperation as reasonably required (see clause 12). Such assistance shall be limited to what is technically and operationally feasible for FamilyAxis. For assistance that requires a disproportionate effort, FamilyAxis reserves the right to charge Controller reasonable fees;

(e) Notify Controller without undue delay of any Personal Data Breach affecting Controller’s Personal Data and provide reasonable information to enable Controller to comply with its obligations (see clause 13);

(f) Maintain a register of Sub-processors and ensure Sub-processors are contractually bound to equivalent data protection obligations;

(g) Provide reasonable information and assistance to Controller in relation to audits and inspections in accordance with clause 11;

(h) Return or delete Personal Data at Controller’s choice on termination, subject to retention, export and backup provisions in clause 8 and clause 9.

6. FamilyAxis role as Controller for website & marketing

6.1 Website cookies & analytics. FamilyAxis is the Controller for data collected via FamilyAxis websites (including cookies, analytics and visitor contact forms). FamilyAxis will process such data in line with its Privacy & Cookie Policy and Applicable Law.

6.2 Newsletter & marketing sign-ups. FamilyAxis is the Controller for email addresses and related contact details that individuals provide to receive FamilyAxis marketing communications (newsletter). FamilyAxis’s lawful basis for marketing communications is consent where required. Recipients may unsubscribe at any time via clear unsubscribe links or by contacting [email protected].

6.3 Data subject rights (website/marketing). FamilyAxis will respond to Data Subject Requests relating to its website and marketing processing as Controller in accordance with Applicable Law.

7. Security measures

7.1 FamilyAxis shall implement and maintain appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of Processing and the risk to Data Subjects. Measures shall include, as appropriate:

(a) encryption in transit (TLS 1.2+) and encryption at rest (AES-256 where feasible);

(b) role-based access control, principle of least privilege and segregation of duties;

(c) multi-factor authentication for password and email changes;

(d) logging, monitoring and alerting for suspicious or anomalous activity;

(e) timely vulnerability management, patching and secure coding practices;

(f) secure backups, disaster recovery procedures and documented RTO/RPO targets;

(g) personnel security measures including confidentiality obligations and periodic security training;

(h) data minimisation and controls to prevent unauthorised exports of identifying data;

(i) incident response plan and regular testing of security controls.

7.2 FamilyAxis will provide reasonable information on security measures on request from Controller, subject to protection of FamilyAxis’s confidential security materials and redaction of specific operational details where necessary.

8. Retention, subscription states, exports and deletion (Processor duties)

8.1 Platform defaults (unless Controller instructs otherwise in writing):

(a) Active storage: editable, full access for three (3) years from record creation;

(b) Archive storage: read-only for seven (7) additional years (i.e. up to ten (10) years total from creation);

(c) Deletion: after ten (10) years from creation, records and related archives are permanently deleted, subject to backup cycles.

8.2 Subscription states:

(a) Active: full read/write access;

(b) Paused: read-only. Controller may view and export data but cannot add or edit records. Maximum pause duration: six (6) months (configurable by contract). FamilyAxis will provide reminders at thirty (30) and seven (7) days before pause expiry. If the Controller does not reactivate within the pause window, the subscription converts to Cancelled;

(c) Cancelled: FamilyAxis will prepare a secure export and provide a time-limited download link. Default export window: sixty (60) days. If Controller does not download the archive within this window, FamilyAxis will permanently delete the data and purge temporary exports and related backups in accordance with backup rotation policies.

8.3 Exports: FamilyAxis will provide structured exports (ZIP bundles with CSVs and PDFs) on request or as part of the cancellation flow. Export links will be secure, time-limited and logged. Export formats will be machine-readable and aligned to the modules exported (residents, children, observations, direct work, safeguarding, audit logs, reports).

8.4 Controller instruction for alternate retention: If Controller requires a different retention schedule, such schedule must be agreed in writing and appended to this Addendum.

9. Backups & disaster recovery

9.1 Backup schedule and retention (example):

(a) Daily backups retained for 30 days;

(b) Weekly backups retained for 90 days;

(c) Monthly backups retained for 12 months.

9.2 Deleted Personal Data may persist in backups until the next backup rotation. FamilyAxis will ensure deleted records are not accessible via the live system and will remove backup copies in accordance with the retention windows above. Controller acknowledges that complete physical removal from backups may be subject to backup rotation schedules.

9.3 Disaster recovery: FamilyAxis documents recovery time objectives (RTO) and recovery point objectives (RPO) and will disclose targets on request, subject to confidentiality protections. Example targets: RTO 2 hours (best effort); RPO ~24 hours.

10. Sub-processors

10.1 Authorised Sub-processors. Controller authorises FamilyAxis to engage Sub-processors to perform specific Processing activities. FamilyAxis will maintain a List of Sub-processors and provide it to Controller on request.

10.2 Current Sub-processors and purposes (non-exhaustive):

(a) Better Stack — operational and staff logging (UK/EU hosting as applicable);

(b) Paddle — payments and subscription management (EU/UK region);

(c) Gemini for Google Cloud (via Vertex AI) — AI features: Smart Text Editor and Weekly Digest generation (processing is subject to the AI safeguards in clause 15);

(d) Fly.io — backend hosting (London region);

(e) Cloudflare — CDN, WAF and frontend delivery (edge network; UK configuration where available);

(f) NeonDB — managed Postgres database (UK region);

(g) Other providers engaged to support the Services in UK/EU regions.

10.3 Sub-processor obligations. FamilyAxis will ensure Sub-processors are contractually bound to data protection obligations no less protective than those in this Addendum, including confidentiality, security, breach notification and cooperation with audits where appropriate.

10.4 Notification & objection. FamilyAxis will notify Controller in writing at least thirty (30) days in advance of any intended addition or replacement of Sub-processors. Controller may object to a new Sub-processor in writing and on reasonable data protection grounds within fourteen (14) days after notification. If an objection is raised and cannot be resolved, Controller may terminate the Services that solely rely on the objected Sub-processor where an alternative cannot be provided by FamilyAxis.

11. Audit & inspections

11.1 Controller (or an independent auditor mandated by Controller) may audit FamilyAxis’s compliance once per year upon reasonable notice (not less than twenty (20) business days) and at Controller’s expense. Such audits may include a review of relevant system logs, including those pertaining to AI feature transmissions as referenced in clause 15.3(d).

11.2 Any audit shall be conducted in a manner that does not unreasonably disrupt FamilyAxis’s business operations. Controller and its auditors shall be bound by confidentiality obligations. FamilyAxis may satisfy the audit right by providing a summary copy of a relevant, recent independent third-party audit report (e.g., SOC 2 Type II) in lieu of permitting a physical audit, provided such report reasonably addresses the scope of the audit request.

12. Data subject requests

12.1 FamilyAxis shall, taking into account the nature of the Processing, provide reasonable assistance to Controller for fulfilling Controller’s obligations in relation to Data Subject Requests and for responding within Applicable Law timeframes. Such assistance is subject to the limitations set out in clause 5.1(d).

12.2 If FamilyAxis receives a Data Subject Request directly relating to Controller Personal Data, FamilyAxis will promptly notify Controller and follow Controller’s documented instructions, except where FamilyAxis is required to respond by Applicable Law.

13. Personal Data breaches

13.1 FamilyAxis will notify Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Controller Personal Data. Notification will include known facts, plausible consequences and remedial measures and will be supplemented as further information becomes available.

13.2 FamilyAxis will take reasonable steps to contain, investigate and remediate breaches and will cooperate with Controller and Supervisory Authorities as required. FamilyAxis will document corrective actions and provide reasonable assistance to Controller for regulatory reporting or remedial actions. Such cooperation is subject to confidentiality obligations and shall not require FamilyAxis to make any admissions of liability on behalf of the Controller.

14. International transfers

14.1 Personal Data will be stored in and processed from the United Kingdom by default (or EU where agreed in writing).

14.2 FamilyAxis shall ensure that any Transfer of Personal Data outside the UK for which it is responsible as Processor is governed by UK ICO-approved transfer mechanisms (such as the International Data Transfer Addendum to the EU SCCs) or another Lawful Safeguard. Transfers outside the UK/EU/EEA will only occur on Controller’s prior written instruction and with appropriate Lawful Safeguards (for example adequacy, Standard Contractual Clauses or binding corporate rules). FamilyAxis will inform Controller of the intended Transfers and the safeguards applied and shall, upon request, provide a copy of the relevant transfer agreement.

15. AI features, Google Gemini sub-processor and AI-specific safeguards

15.1 Overview. FamilyAxis offers optional AI-enabled features (Smart Text Editor, Weekly Digest generation and future AI capabilities) to assist users. FamilyAxis uses Gemini for Google Cloud (via Vertex AI) as an authorised Sub-processor for certain AI capabilities.

15.2 Purpose limitation and control. AI Features are optional and may be enabled or disabled by Controller at an organisation level or by individual users where per-feature controls exist. Controller may elect to disable AI Features for its organisation; where disabled FamilyAxis will not transmit Controller data to Gemini for AI processing.

15.3 AI-specific safeguards. For any content transmitted to Gemini or other AI Sub-processors, FamilyAxis will apply safeguards including:

(a) Data minimisation: only the minimal text required for the AI function will be transmitted (for example, user-selected text for writing assistance);

(b) No raw case file transfers: FamilyAxis will not send raw, unredacted resident files or complete case records to AI Sub-processors;

(c) No training of public models: FamilyAxis will transmit data to AI providers only under enterprise contracts and configurations that prohibit use of submitted data to train public models;

(d) Logging and audit: transmissions to Gemini will be logged with purpose, timestamp and identifiers for compliance purposes;

(e) User review: AI-generated suggestions and digests are presented to users for review and must be accepted by the user before being committed to official case records;

(f) Retention & provider controls: FamilyAxis will contractually limit provider retention of input data in line with enterprise terms;

(g) Retention of AI-Generated Content: AI-generated content (e.g., Weekly Digests) stored within the FamilyAxis platform is subject to automated retention rules. For example, Weekly Digests are automatically retained for a rolling 4-week period before deletion;

(h) Transparency: FamilyAxis will document which AI provider is used, the purpose of Processing and the safeguards applied in product documentation and within this Addendum.

16. Confidentiality & personnel

16.1 FamilyAxis will ensure persons authorised to process Personal Data are subject to confidentiality obligations and appropriate background checks where lawful. Access to Controller data by FamilyAxis staff will be limited to those with a business need and will be logged, monitored and reviewed.

17. Termination, return & deletion

17.1 On termination or expiry of the Agreement, Controller may request return of Personal Data in a structured, commonly used machine-readable format or instruct FamilyAxis to delete Personal Data. FamilyAxis will comply subject to export windows, backup cycles and Controller’s written instructions.

17.2 FamilyAxis will provide written certification of deletion or secure return on request once deletion tasks are complete, subject to reasonable verification and confidentiality limitations.

18. Liability & legal compliance

18.1 Liability under this Addendum is subject to the limitations and exclusions in the Agreement. Nothing in this Addendum shall limit liability for death or personal injury resulting from negligence, fraud, wilful misconduct, or any other liability that cannot be excluded under Applicable Law.

18.2 Controller remains responsible for determining and documenting the lawful basis for Processing of Personal Data and for compliance with controller obligations under Applicable Law. Controller warrants that the Personal Data it provides, and its instructions, are lawful and shall indemnify FamilyAxis against any Data Protection Losses arising from Controller’s breach of this warranty or its controller obligations, except where such losses result from FamilyAxis’s breach of this Addendum.

19. Changes to this Addendum

19.1 FamilyAxis may update this Addendum from time to time to reflect changes in Applicable Law, regulatory guidance, security practices, or Sub-processors.

19.2 Where changes are material and affect Controller’s rights or obligations, FamilyAxis shall provide reasonable advance notice to the Controller, including details of the change.

19.3 The Controller may object to a material change on reasonable grounds related to data protection within fourteen (14) days of notification. The Parties shall discuss such objections in good faith with a view to resolution.

19.4 Continued use of the Services after the effective date of an updated Addendum constitutes acceptance of the updated terms, unless otherwise agreed in writing.

20. Governing law and jurisdiction

20.1 This Addendum and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.

20.2 The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Addendum.

21. Data protection contact

All data protection enquiries should go to [email protected].