Data Processing Addendum
Last updated March 4, 2026
This Data Processing Addendum (“DPA”) forms part of and is incorporated into any agreement between Ankar AI Ltd (“Ankar”) and its customers (“Customer”) that references this DPA, including without limitation the Ankar Terms of Service and any applicable order form or service agreement (the “Agreement”), governing Customer’s use of Ankar’s services (the “Services”). To the extent that Ankar Processes any Customer Personal Data in connection with Customer’s use of the Services, this DPA sets forth Customer’s instructions for the Processing of such data and the rights and obligations of both Parties. This DPA applies from the date Customer first accesses or uses the Services.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in the Agreement. In this DPA the following definitions shall apply:
“Customer Personal Data” means any Personal Data that Ankar Processes on behalf of Customer under the Agreement and this DPA. It includes Provided Data (as such term is defined in the Agreement).
“Data Protection Laws” means as applicable the laws that relate to data protection, data brokering, security, privacy or the use or processing of Customer Personal Data, including: (i) the General Data Protection Regulation 2016/679 (the “GDPR”); (ii) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together the “UK GDPR”); (iii) US State Privacy Laws; and (iv) any relevant directive, order, rule, regulation or other binding instrument which implements any applicable law, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
“Deidentified or Aggregated Data” means data that has been processed so it does not identify any individual and cannot reasonably be re-identified, including data combined into summary or statistical form so that no individual can be identified.
“Personal Data Breach” has the meaning given in UK GDPR and includes equivalent concepts under applicable Data Protection Laws.
“Restricted Transfer” means a transfer of Customer Personal Data from the EEA or the UK to a country not recognised as providing an adequate level of protection where a transfer mechanism is required under Data Protection Laws.
“Services” has the meaning set out in the Agreement.
“US State Privacy Laws” means all US state privacy laws applicable to the Processing of Customer Personal Data, including the California Consumer Privacy Act as amended by the California Privacy Rights Act and similar state laws.
“Business”, “Consumer”, “Controller”, “Data Subjects”, “Personal Data”, “Process”, “Processing”, “Processor”, “Service Provider” and “Subprocessor” shall have the same meanings given to them under applicable Data Protection Laws.
2. Role
a. Processor/Subprocessor. Where Ankar Processes Customer Personal Data as a Processor or Subprocessor pursuant to Data Protection Laws, Clauses 2(c), 3, 5, 6, 7, 8, 9, 10 and 11 shall apply to such processing.
b. Service Provider. Where Ankar Processes Customer Personal Data as a Service Provider pursuant to Data Protection Laws, Clauses 2(c), 4, 5, 6, 7, 8, 9, 10 and 11 shall apply to such processing.
c. Instructions. Where Ankar is a Processor, Subprocessor or Service Provider in relation to the Customer Personal Data, to the extent required by Data Protection Laws:
i. Ankar will Process Customer Personal Data only on documented instructions from Customer, as set out in the Agreement and this DPA, including Schedule 1 (Processing Details), and as further specified through Customer's use and configuration of the Services, unless required by Data Protection Laws and in such a case, Ankar shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
ii. Ankar shall Process Customer Personal Data for the limited and specified purposes of providing and supporting the Services. If Ankar is required by law to Process Customer Personal Data other than on Customer’s instructions, Ankar will (to the extent legally permitted) inform Customer before such Processing.
iii. Ankar shall notify Customer promptly if it: (i) makes a determination that it can no longer comply with Customer’s instructions for the Processing of Customer Personal Data, Ankar’s obligations under Data Protection Laws, or the terms of this DPA, or (ii) believes that Customer’s instructions infringe Data Protection Laws.
iv. Ankar will maintain records of its Processing activities and will make available information reasonably necessary to demonstrate compliance with this DPA.
d. Controller. Customer acknowledges that: (i) Ankar may also be a Controller with respect to Customer Personal Data, including account administration, billing and payment administration, customer relationship management, support communications, security, fraud prevention and abuse monitoring, and service analytics and performance. Ankar’s Privacy Policy available at https://ankar.ai/privacy-policy applies in such circumstances; and (ii) Ankar may create and use Deidentified or Aggregated Data provided that such data does not identify (and cannot reasonably be used to identify) any individual.
3. Ankar Obligations GDPR/UK GDPR. Where Ankar is a Processor or Subprocessor pursuant to the UK GDPR and/or GDPR, in relation to the Customer Personal Data, Ankar shall to the extent required by UK GDPR and/or GDPR:
a. ensure that any of Ankar’s personnel or other persons that are authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
b. taking into account the nature of the Processing and information available to Ankar, assist Customer to enable Customer to comply with its obligations under Data Protection Laws in relation to (i) Data Subject requests; (ii) Personal Data Breaches; and (iii) data protection impact assessments and prior consultation with supervisory authorities or regulators;
c. implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data; and
d. notify Customer without undue delay (to the extent legally permitted) if Ankar receives a request from a Data Subject relating to Customer Personal Data. Ankar will not respond except on Customer’s documented instructions or as required by law.
4. Ankar Obligations US State Privacy Laws.
a. Where Ankar acts as a Service Provider under US State Privacy Laws, this clause shall apply and Ankar shall:
i. not “sell” or “share” Customer Personal Data (as those terms are defined under applicable US State Privacy Laws);
ii. not Process, retain, use or disclose Customer Personal Data for any other purpose other than the specified purpose of providing the Services, including for “targeted advertising” or “cross-context behavioural advertising” or outside the direct business relationship between the Parties except as permitted by law;
iii. assist Customer in the fulfilment of Customer’s obligations to respond to consumer requests;
iv. not combine Customer Personal Data with Personal Data obtained from other sources except as permitted by Data Protection Laws, this DPA or the Agreement; and
v. provide the same level of privacy protection as is required of Customer under Data Protection Laws.
b. Customer shall have the right to take reasonable and appropriate steps to ensure that Ankar Processes Customer Personal Data in a manner consistent with the Customer’s obligations under Data Protection Laws. Upon notice from Ankar of a determination that Ankar can no longer comply with its obligations under Data Protection Laws, Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorised Processing of Customer Personal Data.
5. Audit
a. Where Ankar is a Processor, Subprocessor or Service Provider in relation to the Customer Personal Data, to the extent required by Data Protection Laws, Ankar shall make available to Customer information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, conducted by Customer or another independent third party auditor mandated by Customer. To the extent permitted by Data Protection Laws, Ankar may (i) satisfy audit requests by providing: (a) recent SOC 2 Type II and/or ISO 27001 reports or summaries; and/or (b) third-party audit reports covering substantially similar controls. Solely to the extent required by Data Protection Laws, Ankar shall permit onsite audits upon reasonable written notice (minimum 30 calendar days) during normal business hours. Audits must be limited to information relevant to Customer Personal Data and may not unreasonably interfere with Ankar’s business. Customer will bear its auditor’s costs and Ankar may charge reasonable fees for time and access. Any audit is subject to appropriate confidentiality obligations. Customer will ensure its auditor is independent and not a competitor of Ankar, and Ankar may require Customer to use an independent third-party auditor agreed in good faith. Customer may audit Ankar’s compliance no more than once in any 12 month period, or following a notified Personal Data Breach.
6. Subprocessors
a. Where Ankar is a Processor, Subprocessor or Service Provider in relation to Customer Personal Data, Customer grants Ankar a general authorisation to engage Subprocessors to Process Customer Personal Data as necessary to provide the Services. Ankar’s current subprocessors are set out in Schedule 2 (“Subprocessor List”). Ankar will provide at least 10 days’ prior written notice of any addition or replacement of a Subprocessor by notifying the Customer of such change. Customer may object to a new Subprocessor on reasonable grounds relating to the protection of Customer Personal Data by notifying Ankar within 10 days of the notice. In case of an objection, the parties shall cooperate to negotiate and mutually agree a solution. If Ankar does not receive a written objection within the applicable notice period, Customer is deemed to have authorised the appointment of the Subprocessor.
b. Ankar shall enter into a written agreement with each Subprocessor imposing data protection obligations materially similar to this DPA to the extent required by Data Protection Laws.
c. To the extent required by Data Protection Laws, Ankar will remain liable to Customer for the performance of each Subprocessor to the extent the Subprocessor fails to fulfill its data protection obligations under the applicable data processing agreement with Ankar.
7. Personal Data Breach
a. Where Ankar is a Processor, Subprocessor or Service Provider in relation to the Customer Personal Data, Ankar shall notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data Breach related to Customer Personal Data. Ankar’s notice will include information required for Customer to meet its breach notification obligations under Data Protection Laws, to the extent then known. The notification shall include, to the extent known: (i) the nature of the Personal Data Breach; (ii) the categories and approximate number of individuals and Customer Personal Data records concerned; (iii) the likely consequences; (iv) measures taken or proposed to address it and mitigate adverse effects; and (v) a contact point for further information.
8. Return and Deletion
a. Where Ankar is a Processor, Subprocessor or Service Provider in relation to the Customer Personal Data to the extent required by Data Protection Laws, on termination or expiry of the Services, Ankar will, at Customer’s choice, delete or return Customer Personal Data, except to the extent retention is required by law or for security, backup, or dispute resolution purposes. If Customer requests deletion, Ankar will delete Customer Personal Data from active systems and will delete it from backups in accordance with Ankar’s standard backup deletion cycle. On request, Ankar will confirm deletion in writing or provide a deletion certificate.
9. International Transfers
a. Customer Personal Data is stored and processed within the Hosting Region selected by Customer at onboarding:
i. UK/EU tenants: Customer Personal Data is stored and processed within UK/EU-based AWS regions (e.g., Paris, London);
ii. US tenants: Customer Personal Data is stored and processed within US-based AWS regions.
b. In that context it is not anticipated that Customer providing Customer Personal Data to Ankar will constitute a Restricted Transfer. Should there be a Restricted Transfer between Customer and Ankar, the parties will cooperate to put in place any required data transfer mechanisms that are required by Data Protection Laws.
10. Customer Obligations
a. Customer will comply with all Data Protection Laws when it provides Personal Data to Ankar.
b. Customer represents and warrants that: (a) Customer has complied with Data Protection Laws in collecting and Processing the Customer Personal Data and has all necessary rights, permissions, consents and authorisations for disclosing the Customer Personal Data to Ankar and enabling Ankar to Process the Customer Personal Data as set out in the Agreement and this DPA; and (b) Customer will not take any action that would cause Customer’s disclosure of Customer Personal Data to Ankar to be a “sale” or “share” under US State Privacy Laws.
c. Customer will not provide Special Category Data or other sensitive data (including criminal offence data) unless the Parties agree in writing and appropriate safeguards are implemented.
d. Customer will notify Ankar without undue delay if Customer determines that the Processing of Customer Personal Data under the Agreement does not, or will not, comply with Data Protection Laws. In that case, Ankar may suspend or stop Processing the affected Customer Personal Data until the issue is resolved.
11. Miscellaneous
a. Order of Precedence. If there is any conflict between the Agreement and this DPA regarding the Processing of Customer Personal Data, this DPA will control to that extent.
b. Limitation of Liability. Liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
c. Survival. This DPA remains in effect for so long as Ankar Processes Customer Personal Data on behalf of Customer.
SCHEDULE 1 – Processing Details
The following are the details of the data processing:
Subject Matter, Nature, and Purpose of the Processing: To perform the Services in accordance with the Agreement and DPA where Ankar is a Processor or Subprocessor, including as necessary to provide access, authentication, collaboration, usage analytics, and audit functionality within the platform. Processing activities include collection, hosting, storage, organisation, access, and deletion.
Categories of Personal Data: This will include: basic contact information (for example name, business email address, role/title), account identifiers, activity metadata (login times, usage logs), and any other data uploaded by Customer.
Special Category Data: No special category data will intentionally be processed pursuant to the Agreement and this DPA unless otherwise agreed in writing by the Parties.
Categories of Data Subject: This will include: Customer employees, contractors, authorised users, and other individuals whose data is uploaded to or generated through the Services.
Duration of the Processing: For the term of the Agreement and until deletion/return of Customer Personal Data under this DPA.
SCHEDULE 2 – Subprocessor List
