
Carina Aiva - Data Processing Agreement

Version: 1.0 Effective date: 2026-06-30 Last updated: 2026-06-30

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Verlox Ltd and the Customer. It governs the processing of personal data by Verlox Ltd on behalf of the Customer in connection with the Carina Aiva service.

This DPA applies where the Customer uses Carina Aiva to process personal data relating to the Customer's own customers, employees, or other data subjects. In that context, the Customer is the data controller and Verlox Ltd is the data processor.

This DPA is incorporated into the Terms of Service and takes effect on the date the Customer accepts the Terms of Service.


1. Definitions

In this DPA, the following terms have the meanings given below. Capitalised terms not defined here have the meanings given in the Terms of Service.

"Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other data protection legislation applicable to the processing of personal data under this DPA.

"Controller" means the Customer, who determines the purposes and means of processing personal data.

"Data Subject" means the individual to whom personal data relates.

"Personal Data" has the meaning given in the UK GDPR: any information relating to an identified or identifiable natural person.

"Processing" has the meaning given in the UK GDPR: any operation performed on personal data.

"Processor" means Verlox Ltd, who processes personal data on behalf of the Controller.

"Security Incident" means any actual or reasonably suspected unauthorised access to, disclosure of, alteration of, or destruction of personal data.

"Sub-processor" means any third party engaged by Verlox Ltd to process personal data in connection with the Service.

"Technical and Organisational Measures" or "TOMs" means the security measures described in Schedule 2 of this DPA.


2. Scope and Role of the Parties

2.1 This DPA applies to personal data that the Customer uploads to, generates within, or processes through the Service. Verlox Ltd processes such data as a data processor acting on the instructions of the Customer as data controller.

2.2 The details of the processing (subject matter, duration, nature, purpose, type of personal data, and categories of data subjects) are set out in Schedule 1.

2.3 Each party agrees to comply with its respective obligations under Applicable Data Protection Law.


3. Processing Instructions

3.1 Verlox Ltd will process personal data only on documented instructions from the Customer. The Customer's instructions are: (a) the terms of this DPA; (b) the Terms of Service; and (c) the Customer's configuration and use of the Service.

3.2 If Verlox Ltd is required by law to process personal data in a manner other than on the Customer's instructions, it will inform the Customer before carrying out such processing, unless the law prohibits notification.

3.3 If Verlox Ltd reasonably believes that an instruction infringes Applicable Data Protection Law, it will promptly notify the Customer. Verlox Ltd may suspend compliance with the relevant instruction until the Customer provides a lawful alternative.


4. Confidentiality

4.1 Verlox Ltd ensures that all personnel authorised to process personal data under this DPA are subject to appropriate confidentiality obligations, whether by contract or professional duty.

4.2 Verlox Ltd will not disclose personal data to any third party except as permitted by this DPA or required by law.


5. Security

5.1 Verlox Ltd will implement and maintain the Technical and Organisational Measures set out in Schedule 2 to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

5.2 Verlox Ltd will take reasonable steps to ensure that only authorised personnel have access to personal data, and that such access is limited to what is necessary for the purpose of providing the Service.

5.3 Verlox Ltd may update the TOMs from time to time to reflect improvements in security practice, provided that no update will materially reduce the overall level of protection for personal data.


6. Sub-processors

6.1 The Customer grants Verlox Ltd general written authorisation to engage sub-processors to assist in providing the Service. The current list of sub-processors is set out in Schedule 3.

6.2 Verlox Ltd will impose data protection obligations on any sub-processor that are substantially equivalent to those set out in this DPA, by written contract.

6.3 Verlox Ltd will remain liable to the Customer for the acts and omissions of its sub-processors to the same extent as if Verlox Ltd performed those activities directly.

6.4 Verlox Ltd will notify the Customer at least 14 days before adding or replacing a sub-processor. If the Customer reasonably objects to a new sub-processor on data protection grounds, the Customer must notify Verlox Ltd in writing within 14 days of receiving the notification. The parties will work together in good faith to resolve the objection. If the parties cannot agree, the Customer may terminate the Agreement on 30 days' written notice without liability for early termination fees.


7. Assistance with Data Subject Rights

7.1 Verlox Ltd will provide reasonable assistance to the Customer to fulfil its obligations to respond to Data Subject rights requests under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

7.2 Where a Data Subject makes a request directly to Verlox Ltd, Verlox Ltd will forward the request to the Customer within 5 business days without responding to it directly, unless instructed otherwise by the Customer.

7.3 The Customer is responsible for determining whether and how to respond to Data Subject requests. Verlox Ltd's assistance is limited to providing the Customer with the technical means to retrieve, correct, or delete personal data within the Service.


8. Data Protection Impact Assessments

Where the Customer is required to conduct a Data Protection Impact Assessment (DPIA) under Applicable Data Protection Law, Verlox Ltd will provide reasonable assistance to the Customer, including making available information about the TOMs.


9. Security Incidents

9.1 Verlox Ltd will notify the Customer without undue delay, and in any event within 48 hours, of becoming aware of a Security Incident involving personal data processed under this DPA.

9.2 Notification will include, to the extent available at the time: (a) a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and personal data records affected; (b) the likely consequences of the Security Incident; (c) the measures taken or proposed to address the Security Incident.

9.3 Verlox Ltd will provide further information as it becomes available and will cooperate with the Customer in managing the Security Incident and meeting the Customer's reporting obligations under Applicable Data Protection Law.

9.4 The Customer is responsible for determining whether to notify the ICO and affected Data Subjects and for making such notifications.


10. Audit Rights

10.1 Verlox Ltd will make available to the Customer, on reasonable written request, all information reasonably necessary to demonstrate compliance with this DPA.

10.2 Verlox Ltd will permit the Customer (or an auditor appointed by the Customer) to conduct an audit of Verlox Ltd's data processing activities at no more than once per calendar year, with at least 30 days' prior written notice. Audits must be conducted during normal business hours and in a manner that minimises disruption to Verlox Ltd's operations. The Customer will bear the cost of any audit.

10.3 As an alternative to an on-site audit, Verlox Ltd may provide the Customer with a current third-party security audit report or certification (such as ISO 27001 or SOC 2 Type II), where available, which the Customer agrees to treat as sufficient evidence of compliance for that audit period.


11. Return and Deletion of Data

11.1 On termination of the Terms of Service, Verlox Ltd will, at the Customer's election, either delete or return all personal data processed under this DPA within 30 days, unless Verlox Ltd is required by law to retain it.

11.2 The Customer may request an export of personal data at any time during the Subscription term via the account export function or by contacting [email protected].

11.3 Where Verlox Ltd retains personal data after termination under a legal obligation, it will notify the Customer and continue to protect that data in accordance with this DPA.


12. Governing Law

This DPA is governed by the laws of England and Wales. Disputes arising under this DPA will be resolved in accordance with the dispute resolution provisions of the Terms of Service.


Schedule 1: Details of Processing

Subject matter: Processing of personal data in connection with the Customer's use of the Carina Aiva platform.

Duration: For the term of the Customer's Subscription, plus 30 days following termination.

Nature of processing: Storage, retrieval, analysis, AI-assisted processing, and deletion of personal data as directed by the Customer.

Purpose: Providing the Carina Aiva Service as described in the Terms of Service.

Types of personal data: As determined by the Customer. May include: name, email address, contact details, business information, communications, documents, and any other personal data the Customer chooses to process through the Service.

Categories of data subjects: As determined by the Customer. May include: the Customer's employees, contractors, clients, prospects, and other individuals whose personal data the Customer processes through the Service.

Special category data: Verlox Ltd does not knowingly process special category personal data (as defined in UK GDPR Article 9) unless the Customer explicitly enables this and provides appropriate instructions and safeguards.

Schedule 2: Technical and Organisational Measures

Verlox Ltd implements the following Technical and Organisational Measures to protect personal data:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Sensitive data at rest (credentials, keys, tokens) is encrypted using AES-256.
  • Database backups are encrypted.

Access Controls

  • Access to production systems is restricted to authorised personnel via SSH key-based authentication and multi-factor authentication.
  • Role-based access control limits access to personal data to personnel who need it to perform their duties.
  • Access is reviewed and revoked promptly when no longer required.

Network Security

  • Production systems are protected by firewalls configured to allow only necessary traffic.
  • Internal services communicate over private network interfaces.
  • Regular vulnerability scanning of external-facing services.

Data Minimisation and Isolation

  • Customer data is logically isolated between tenants. Each tenant's data is accessible only via that tenant's authenticated session.
  • Personal data is not used for purposes other than providing the Service.

Incident Response

  • A documented incident response procedure is in place.
  • Security events are logged and monitored.
  • Post-incident reviews are conducted and learnings applied.

Staff and Organisational Controls

  • Personnel with access to personal data are subject to confidentiality obligations.
  • Staff receive data protection and security awareness training.
  • Verlox Ltd maintains a record of processing activities as required by UK GDPR Article 30.

Resilience and Recovery

  • Daily automated backups are taken and stored securely.
  • Backup restoration is tested periodically.
  • Documented business continuity procedures are in place.

Schedule 3: Approved Sub-processors

Contabo GmbH
  • Role: Infrastructure hosting (VPS)
  • Location: UK region
  • Basis for transfer: No international transfer

Stripe, Inc.
  • Role: Payment processing (billing data only; no Customer workspace data)
  • Location: UK/EU
  • Basis for transfer: ICO adequacy / UK IDTA

Resend, Inc. (primary) / Postmark by ActiveCampaign (fallback)
  • Role: Transactional email (account notifications, approval alerts, receipts)
  • Location: United States
  • Basis for transfer: Standard Contractual Clauses (SCCs) under UK IDTA

Current list maintained at: carinaai.uk/legal/sub-processors


This Data Processing Agreement requires legal review by a qualified UK solicitor before publication. In particular, the adequacy of the Technical and Organisational Measures and the sub-processor list should be reviewed and updated before enterprise contracts are signed. Version 1.0 draft prepared 2026-06-30.

Aiva is built on Carina from VERLOX.

© 2026 VERLOX Ltd