Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and Axiom Analytics Labs LLC ("Axiom," "Processor") and governs Axiom's processing of personal and business data you submit through the Axiom API, portal, and integration surfaces. This is a draft instrument; a counter-signed copy is available on request to legal@axiomanalyticslab.com.
1. Roles and scope
For data you submit (product names, lot numbers, order linkage, sample metadata, contact details, and any account identifiers), you act as the Controller and Axiom acts as your Processor. Axiom processes this data only to provide the analytical and verification Services and on your documented instructions, except where law requires otherwise.
2. Nature and purpose of processing
- Receiving sample/order submissions via the portal or the authenticated /api/v1 surface;
- Producing, sealing, storing, and serving certificates of analysis (COAs);
- Operating the public verification interface, embed, and webhook delivery to your endpoints;
- Maintaining audit logs of issuance, revocation, and verification events.
3. Categories of data and data subjects
Business records (product, lot, order, COA), account contacts (name, email), and technical identifiers (API key references, IP addresses for rate limiting and audit). Axiom does not require special-category personal data and asks that you not submit it.
4. Confidentiality and security
Axiom maintains the technical and organizational measures described in our Security & Breach Notification statement, including encryption in transit, encryption of webhook signing secrets at rest, API keys hashed at rest, least-privilege access, SSRF-guarded outbound delivery, and a minimized public payload. Personnel with access are bound by confidentiality.
5. Subprocessors
Axiom uses the subprocessors listed at /legal/subprocessors. Axiom imposes data-protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance. We will give notice of a new subprocessor and a reasonable window to object.
6. International transfers
Data is processed in the United States. Where required, transfers are made under an appropriate lawful mechanism (e.g. Standard Contractual Clauses) referenced in the signed DPA.
7. Data subject requests and assistance
Axiom will, taking into account the nature of processing, assist you in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
8. Breach notification
Axiom will notify you without undue delay, and in any case within 72 hours of becoming aware, of a personal-data breach affecting your data, with the information described in our Security statement.
9. Return and deletion (offboarding)
On termination, you may export your data at any time via the authenticated GET /api/v1/export endpoint (orders, samples, and COA records with verification URLs and digests). On written request Axiom will delete or return your data within 30 days, except records Axiom must retain by law or for the integrity of the public verification chain (issued COA hashes and revocation status remain verifiable).
10. Audit
On reasonable notice and no more than annually, Axiom will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
11. Contact
Axiom Analytics Labs LLC · 2108 N St Ste N, Sacramento, CA 95816, USA · legal@axiomanalyticslab.com