Data Processing Agreement
Version: v1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service
between Layer Zero Studios, operating the AXIS Business Operating System
("Layer Zero", "Processor", "we"), and you, the customer of AXIS ("Customer",
"Controller", "you"). This DPA governs the processing of Personal Data that
Layer Zero performs on your behalf when you use AXIS.
This DPA is written to comply with the South African **Protection of Personal
Information Act, 2013 (POPIA), the EU General Data Protection Regulation
(Regulation (EU) 2016/679, "GDPR"), and the California Consumer Privacy
Act of 2018 (Cal. Civ. Code §§ 1798.100–1798.199, "CCPA")** as amended by the
California Privacy Rights Act of 2020 ("CPRA"), where applicable. Citations
to primary statute appear inline. **Counterparty legal review is strongly
recommended before countersignature.**
Primary-source references:
- POPIA — Act No. 4 of 2013, gov.za PDF
- GDPR — Regulation (EU) 2016/679, eur-lex.europa.eu
- CCPA / CPRA — California Civil Code §§ 1798.100 et seq., leginfo.legislature.ca.gov
- EU Standard Contractual Clauses (2021) — Commission Implementing Decision (EU) 2021/914
1. Definitions
Unless defined here, capitalised terms have the meaning set out in POPIA,
GDPR, or the CCPA, as applicable in context.
- "Affiliate" — any entity that controls, is controlled by, or is under
common control with a party.
- "Customer Data" — any data, including Personal Data, that you submit to
AXIS or that AXIS generates on your behalf, including business-brain
context, contacts, invoices, receipts, and integration tokens.
- "Personal Data" — has the meaning set out in POPIA s1 (read as
"personal information"), GDPR Art. 4(1), and CCPA §1798.140(v) ("personal
information").
- "Processing" — has the meaning set out in POPIA s1, GDPR Art. 4(2), and
CCPA §1798.140(ai).
- "Controller" / "Responsible Party" — the natural or juristic person who
determines the purpose and means of Processing (GDPR Art. 4(7); POPIA s1
"responsible party").
- "Processor" / "Operator" — the natural or juristic person who Processes
Personal Data on behalf of the Controller (GDPR Art. 4(8); POPIA s1
"operator").
- "Service Provider" — has the meaning set out in CCPA §1798.140(ag).
- "Sub-processor" — any third-party Processor engaged by Layer Zero to
Process Customer Data on Layer Zero's behalf.
- "Data Subject" — the natural person to whom Personal Data relates.
- "Personal Data Breach" — has the meaning set out in GDPR Art. 4(12) and
the corresponding "Security Compromise" concept in POPIA s22.
- "Standard Contractual Clauses" or "SCCs" — the Module Two ("Controller-to-Processor")
clauses set out in Commission Implementing Decision (EU) 2021/914.
2. Roles of the parties
For the purposes of POPIA, GDPR, and CCPA:
- You are the Controller / Responsible Party / Business of all Customer
Data you submit to AXIS, including data of your own customers, employees,
and contacts.
- Layer Zero is the Processor / Operator / Service Provider, Processing
Customer Data only on your documented instructions and for the purposes
set out in §3.
When you use AXIS to send communications to your own customers (e.g. email
campaigns, invoice chases), the email addresses, names, opens, clicks, and
delivery states of those customers are Customer Data; **you remain the
Controller and Layer Zero is the Processor** for that data (GDPR Art. 28(1);
POPIA s20).
3. Scope and purpose of Processing
3.1 Subject matter
Processing of Customer Data necessary to provide the AXIS Service, including:
business-brain context Processing, finance ledger Processing, marketing and
sales handler execution, invoice generation, scheduled task execution,
receipt and audit trail generation, and the AXIS trust ladder evaluation.
3.2 Duration
For the term of your subscription, plus any post-termination retention
periods set out in §10.
3.3 Nature and purpose
Layer Zero Processes Customer Data to:
- Operate the AXIS handlers and Departments you have access to under your
subscription tier (per the Tier Capabilities surfaced in your Dashboard).
- Generate AI-assisted output (drafts, plans, summaries) using the
Sub-processors named in §6.
- Maintain receipts and audit trails for every external action AXIS executes
on your behalf, in axis_action_receipts.
- Provide the operator with the diagnostic information necessary to support
you under your Service plan.
Layer Zero will not Process Customer Data for any other purpose, will not
Sell or Share Personal Information (CCPA §1798.140(ad), §1798.140(ah)), and
will not combine Customer Data with data from other sources except as
necessary to detect security incidents.
3.4 Categories of Data Subjects
You and your authorised users; your employees and contractors; your customers
and prospects; counterparties to contracts you process through AXIS.
3.5 Categories of Personal Data
Identity (name, email), contact (email, phone, address), business profile
(industry, size, revenue band), commercial (invoices, payments, balances),
communications (campaigns, support threads), authentication (hashed
passwords, OAuth refresh tokens encrypted at rest), usage telemetry (IP, UA,
request log).
Layer Zero does not knowingly Process Special Personal Information (POPIA
s26) or Special Categories of Personal Data (GDPR Art. 9) — including
race, religion, biometric, health, political affiliation, or trade union
membership — unless you instruct it to do so by populating those fields, in
which case the additional protections of POPIA s27-s33 and GDPR Art. 9(2)
apply and you confirm you have a lawful basis.
4. Layer Zero's obligations
4.1 Documented instructions (GDPR Art. 28(3)(a); POPIA s21(1))
Layer Zero will Process Customer Data only on your documented instructions,
which are: (a) this DPA, (b) your Terms of Service acceptance, (c) any
Subscription configuration you set in Dashboard, and (d) any operator
support requests you make in writing. Layer Zero will inform you if an
instruction infringes applicable data-protection law.
4.2 Confidentiality (GDPR Art. 28(3)(b); POPIA s20(2))
Layer Zero ensures that persons authorised to Process Customer Data are
under a contractual or statutory obligation of confidentiality.
4.3 Security (GDPR Art. 28(3)(c), Art. 32; POPIA s19)
Layer Zero implements appropriate technical and organisational measures
("TOMs") to protect Customer Data against unauthorised or unlawful
Processing, accidental loss, destruction, or damage. The TOMs as of the
Effective Date are summarised in §5 and may be updated by Layer Zero
provided the level of protection is not materially reduced.
4.4 Sub-processors (GDPR Art. 28(2), Art. 28(4); POPIA s21(2))
You provide a general written authorisation for Layer Zero to engage the
Sub-processors named in §6. Layer Zero will inform you of any intended
addition or replacement of Sub-processors with at least 30 days' notice,
and you may object on reasonable data-protection grounds, in which case
Layer Zero will work with you to find a mitigation or, failing that, you may
terminate the affected Service with pro-rata refund of pre-paid fees.
4.5 Data subject rights (GDPR Art. 28(3)(e); POPIA s23-s25)
Layer Zero will assist you in responding to requests from Data Subjects to
exercise their rights of access, rectification, erasure, restriction,
portability, and objection. Where the request can be satisfied through
self-service tools in the Dashboard, you may execute it yourself; where it
requires operator action, Layer Zero will act on your written instruction
within 30 calendar days unless a longer period is permitted by law.
4.6 Cooperation with supervisory authorities (GDPR Art. 28(3)(f); POPIA s40)
Layer Zero will, on your written request, provide reasonable assistance with
data-protection impact assessments, prior consultations with supervisory
authorities, and supervisory-authority investigations.
4.7 Records of Processing (GDPR Art. 30(2))
Layer Zero maintains records of Processing carried out on your behalf in
axis_action_receipts and a maintained register of categories of Processing
for the EEA Article 30(2) requirement, available on request.
5. Security measures (TOMs)
Layer Zero's current technical and organisational measures include:
- Tenant isolation. Customer Data is partitioned per tenant via Supabase
Row-Level Security (RLS) policies. RLS is enforced at the database level;
application code cannot bypass RLS without a service-role token, the use
of which is logged.
- Encryption in transit. All connections to AXIS endpoints
(admin.layerzerostudios.com, dashboard.layerzerostudios.com, the API)
use TLS 1.2+ with HSTS.
- Encryption at rest. Customer Data is stored in Supabase Postgres
(AES-256 at the storage layer). OAuth refresh tokens and integration
secrets are stored in Supabase Vault, AES-256 with per-tenant key
namespacing (client_{client_id}_{provider}).
- Authentication. Operator access uses SSO with TOTP-based 2FA where
supported. Customer access is via email + password (bcrypt-hashed) with
2FA available. API keys are tenant-scoped, hashed at rest, rate-limited.
- Network. Production hosting on Hetzner Falkenstein (Germany);
Supabase project hosted in EU-West region. SSH access to the production
VPS is restricted to ed25519 keys; password authentication is disabled.
- Receipts and audit trail. Every external action AXIS performs on your
behalf produces an axis_action_receipts row including provider,
external ID, proof URL, verification method, and timestamp. You can query
the trail at any time via Dashboard or API.
- Backups. Supabase Point-in-Time Recovery (PITR) is enabled; backup
passphrase is held in operator's secrets store.
- Personnel. As of the Effective Date, production access is restricted
to a single Layer Zero Studios operator, who acts as the data controller
for personal data processed by Layer Zero and is bound by confidentiality
obligations consistent with POPIA s19 (security safeguards) and GDPR
Art. 28(3)(b).
- Vulnerability management. Dependencies are tracked via npm audit;
high-severity vulnerabilities are patched within 14 days.
- Logging. Application logs are kept for 30 days; receipts are kept
indefinitely (subject to §10 retention rules).
These TOMs may be updated as the Service evolves. Material reductions in
protection require 30 days' written notice to you.
6. Sub-processors
You authorise Layer Zero to engage the following Sub-processors as of the
Effective Date. The current authoritative list is published at
layerzerostudios.com/legal/sub-processors and is updated under the §4.4
notification process.
| Sub-processor | Purpose | Location | Personal Data categories |
|---|---|---|---|
| Supabase Inc. | Database, Auth, Vault, Storage | EU-West (Ireland), US control plane | All Customer Data |
| Hostinger International Ltd. | Compute hosting (production VPS) | France | All Customer Data at rest on the application server |
| Anthropic, PBC | AI inference (Claude API) — primary | United States | Customer Data sent in handler prompts (industry, business context, drafts) |
| DeepSeek | AI inference (cost-optimised, sanitised prompts only) | China — see Privacy Policy §6 | NO Personal Data; sanitised prompts only |
| Google LLC | AI (Gemini); customer-connected Calendar / Workspace integrations | United States / Global | AI-prompt content; calendar metadata when customer connects |
| Sendinblue SAS (dba "Brevo") | Transactional and marketing email delivery | European Union (France) | Recipient email, name, message body, delivery and open events |
| Polar Software Inc. | Billing, subscription management, payments | United States | Billing name, email, payment-method last-4, billing address |
| BetterStack (Veriteer Ltd.) | Uptime monitoring and incident alerting | European Union | Operational telemetry; no Customer Data in monitoring payloads |
| Cloudflare, Inc. | DNS, DDoS protection, Turnstile captcha (signup) | Global | Visitor IP address; user-agent at signup time |
| Cal.com, Inc. | Booking and scheduling (when customer integrates) | United States | Attendee name, email, booking time, calendar metadata |
| Slack Technologies, LLC | Operator-internal notifications; customer-connected workspace integrations | United States | Account event metadata for operator alerts; customer-controlled when integrated |
Cross-border transfers are addressed in §7.
For Sub-processors located outside the EEA / UK / South Africa, the legal
basis for transfer relies on (a) the EU Standard Contractual Clauses (2021
SCCs) entered into directly between Layer Zero and the Sub-processor, or
(b) the Sub-processor's adequacy decision where one exists, or (c) explicit
consent recorded at the time of integration connection.
7. International data transfers
7.1 GDPR Chapter V (Articles 44–50)
Where Layer Zero transfers Customer Data of EEA Data Subjects to a
third country not benefiting from an adequacy decision under GDPR Art. 45,
the transfer is governed by the **2021 Standard Contractual Clauses
(Module Two: Controller-to-Processor)** between Layer Zero and the
recipient Sub-processor, supplemented by the Transfer Impact Assessment
(TIA) procedures recommended by the European Data Protection Board.
7.2 POPIA s72 (transborder information flows)
Layer Zero will transfer Personal Information of South African Data
Subjects to a third country only if (a) the recipient is subject to a law,
binding corporate rules, or binding agreement that provides an adequate
level of protection (POPIA s72(1)(a)), (b) the Data Subject consents
(s72(1)(b)), or (c) the transfer is necessary for the performance of a
contract between the Data Subject and the responsible party (s72(1)(c)).
The 2021 SCCs are deemed adequate by Layer Zero for s72(1)(a) purposes.
7.3 CCPA cross-border
Where Personal Information of California residents is transferred outside
California, Layer Zero remains a Service Provider under CCPA §1798.140(ag)
and the Service-Provider obligations of §1798.100(d) and §1798.140(j)
travel with the data.
8. Personal Data Breach notification
8.1 Notification to you
Layer Zero will notify you of a Personal Data Breach affecting your
Customer Data without undue delay and in any event within 72 hours of
becoming aware of it, in line with GDPR Art. 33. For breaches AXIS
classifies as Severity P0 or P1 under the AXIS Incident Response
Runbook, the operator commits to notification **within 60 minutes of
detection** (a tighter standard than statute requires).
8.2 Information provided
Each notification will include, to the extent known: the nature of the
breach, the categories and approximate number of Data Subjects and
records concerned, the likely consequences, the measures taken or
proposed to address the breach, and the contact point for further
information (GDPR Art. 33(3)).
8.3 Notification to the Information Regulator
Where Layer Zero is acting as Operator under POPIA s22, it will assist
you (the Responsible Party) in notifying the Information Regulator
"as soon as reasonably possible" after the breach.
8.4 Receipts as evidence
Every action AXIS took for you during the breach window is queryable
via axis_action_receipts. Layer Zero will provide a tenant-specific
incident report on demand at no charge.
9. Data subject requests
9.1 Right of access (GDPR Art. 15; POPIA s23; CCPA §1798.110)
You can self-serve an export of all your Customer Data via the Dashboard
or the operator can produce one within 30 calendar days of written
request.
9.2 Right to rectification (GDPR Art. 16; POPIA s24)
Customer Data fields are editable in Dashboard; for fields that require
operator action, requests are honoured within 30 calendar days.
9.3 Right to erasure (GDPR Art. 17; POPIA s24; CCPA §1798.105)
On verified erasure request, Layer Zero performs a **hard cascade
deletion**: the tenant record and all child rows in axis_action_receipts,
axis_business_brain, axis_business_context, axis_clients_* tables,
ledger entries, KPI snapshots, integration tokens, and Vault entries are
deleted within 30 calendar days, with the following carve-outs:
- Forensic export. Before deletion, a structured export of operational
metadata (action receipts, audit trail, integration logs — *with PII
redacted*) is preserved in a write-once forensic store as agent_logs.
This is necessary for incident-response, dispute resolution, and
regulator cooperation. The forensic export does not contain the
substantive content of communications, customer contact details, or
business-brain content; it contains operational metadata only (handler
name, status, timestamp, error class).
- Accounting retention. Where Customer Data is contained in invoices
and tax-relevant records, the underlying records are retained for the
period required by South African Revenue Service rules (currently
5 years per the Tax Administration Act 28 of 2011 s29) and equivalent
foreign tax-authority requirements, after which they are deleted in
the next quarterly purge. **You acknowledge this exception by
countersigning this DPA.**
The hard-cascade model is the AXIS-as-of-N+14 posture; Layer Zero may
move to a tombstoning model in a future Service version, in which case
you will be notified under §4.4.
9.4 Right to restriction, portability, objection
Honoured per GDPR Art. 18, 20, 21 and POPIA equivalents within 30
calendar days of written request.
9.5 CCPA-specific rights
California residents have the right to know, delete, correct, and limit
use of sensitive Personal Information (CCPA §§1798.100, 1798.105, 1798.106,
1798.121). Layer Zero does not Sell or Share Personal Information; the
"Do Not Sell or Share My Personal Information" signal is honoured by
default.
10. Term, termination, return, and deletion
10.1 Term
This DPA applies for as long as Layer Zero Processes Customer Data on
your behalf.
10.2 Return or deletion (GDPR Art. 28(3)(g); POPIA s21(2))
On termination of the Service, Layer Zero will delete or return
all Customer Data within 30 days, at your election, except for:
- The forensic-export operational metadata under §9.3(1), retained
indefinitely for incident-response purposes (PII redacted).
- The accounting retention under §9.3(2).
- Backups containing Customer Data, which are deleted on the next
rotation cycle (Supabase PITR window: 7 days).
10.3 Certification
On written request, Layer Zero will provide a written certification of
deletion within 30 days of completion.
11. Audit (GDPR Art. 28(3)(h); POPIA s21)
On 30 days' written notice, you may request an audit of Layer Zero's
compliance with this DPA, at your cost, no more than once per calendar
year, conducted by you or by an independent auditor mutually agreed in
writing. Audits will be conducted during business hours, will not
unreasonably interfere with Layer Zero's operations, and will be
subject to confidentiality obligations.
In lieu of a customer-led audit, Layer Zero may satisfy this obligation
by providing the most recent of: (a) a SOC 2 Type II report on the
Service, (b) an ISO/IEC 27001 certificate, (c) a Supabase
infrastructure attestation passed through to you, or (d) Layer Zero's
own internal audit report. As of the Effective Date, Layer Zero is
pre-SOC 2 and provides (c) and (d).
12. Liability and indemnity
The liability of each party under this DPA is governed by the limitation
of liability clauses of the Terms of Service, except that nothing in
those clauses limits or excludes either party's liability to a Data
Subject under GDPR Art. 82 or POPIA s99. The parties remain jointly and
severally liable to the Data Subject for the full amount of damage
suffered (GDPR Art. 82(4)) and may seek contribution from each other in
proportion to fault (GDPR Art. 82(5)).
13. Governing law and jurisdiction
This DPA is governed by the laws of the Republic of South Africa, with
exclusive jurisdiction in the courts of Cape Town, save that:
- For Data Subjects in the EEA / UK, the SCCs in §7.1 are governed by the
laws of the Member State indicated in the SCC's "Annex IV" of the
applicable signed instrument (defaulting to Ireland) and Data
Subjects retain their statutory rights to bring proceedings under
GDPR Art. 79.
- For Data Subjects in California, statutory CCPA rights are not waived
by this clause.
14. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this
DPA prevails as to the matters expressly addressed here. The 2021 SCCs
referenced in §7.1, where they apply, prevail over inconsistent terms
of this DPA in respect of the EEA transfer they govern.
15. Changes
Layer Zero may amend this DPA from time to time. Material changes will
be notified to you with at least 30 days' written notice. Continued
use of the Service after the notice period constitutes acceptance.
16. Contact and signature
Data Protection contact
Layer Zero Studios
The Customer accepts this DPA by:
(a) electronic acceptance during checkout or in Dashboard, or
(b) countersignature of this document via DocuSign or equivalent.
Acceptance is logged with timestamp, IP address, and account ID against
the Customer record.