Handling other organisations' documents is the core of what we do, so how we treat that data matters. This statement explains our commitments when we process documents on your behalf. It sits alongside our Privacy Policy and Terms of Service, and is backed by a formal data-processing agreement (DPA) for client engagements.
Our role
When we process documents you provide, you are the data controller and Axiodoc is your data processor: we process the material only on your documented instructions and only to deliver the agreed work.
Security
- Encryption — data is encrypted in transit (TLS) and at rest.
- Access control — access to client documents is restricted to what is necessary to run your pipeline, on a least-privilege basis.
- Isolation — processing infrastructure is kept separate from the public website and access-controlled.
- Segregation — each client's data is kept logically separated; we do not commingle one client's documents or outputs with another's.
No training on your data
We do not use your documents or the data extracted from them to train machine-learning models, and we do not permit our processing providers to do so.
Sub-processors
To operate, we rely on a small number of vetted providers (for example cloud infrastructure and processing services), each bound by contractual security and confidentiality obligations and, where relevant, approved international-transfer safeguards. A current list of sub-processors is provided to clients on request under our DPA. We give clients advance notice of material changes so they can object.
Retention and deletion
We keep your documents only for as long as needed to deliver the agreed work. On completion — or at any time on request — source documents are deleted from active systems, and from backups within our standard backup-rotation window. Deletion terms can be tailored in your agreement.
Data location and transfers
We can discuss processing location during onboarding. Where any processing occurs outside the UK or EEA, we apply appropriate transfer safeguards.
Breach notification
If a personal-data breach affecting your documents occurs, we will notify you without undue delay and support your own notification obligations.
Data-processing agreement
Client engagements are covered by a written DPA setting out these commitments in binding detail — including the subject matter, duration, nature and purpose of processing, categories of data, and the parties' obligations under UK GDPR. To request our DPA, contact [email protected].