Legal

Data Processing Agreement

Last updated: June 21, 2026  ·  Effective: June 21, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Proxya (proxya.co) (the "Provider") and the user of the Service (the "Client"). It applies where, and to the extent that, the Provider processes Personal Data on behalf of the Client in connection with the Service.

Acceptance of the Service constitutes acceptance of this DPA.

1. Definitions

  • Personal Data: any information relating to an identified or identifiable individual (the "data subject").
  • Data Controller: the party that determines the purposes and means of processing Personal Data.
  • Data Processor: the party that processes Personal Data on behalf of the Controller.
  • Processing: any operation performed on Personal Data, including collection, recording, storage, use, disclosure, restriction, erasure or destruction.
  • Data Breach: any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and purpose

The Provider shall process Personal Data only to deliver the Service described in the agreement with the Client, and strictly in accordance with the Client's documented instructions, unless otherwise required by applicable law. The subject matter, duration, nature and purpose of the processing are defined by the Client's use of the Service.

3. Roles of the parties

In relation to Personal Data processed on the Client's behalf, the Client acts as the Data Controller and the Provider acts as the Data Processor. Each party is responsible for complying with the data-protection obligations applicable to its role.

4. Provider's obligations

  • Process Personal Data only on the Client's documented instructions.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect Personal Data against unauthorized processing and accidental loss.
  • Notify the Client without undue delay after becoming aware of a Data Breach affecting the Client's Personal Data.
  • Assist the Client, taking into account the nature of processing, in fulfilling its obligations, including data-protection impact assessments and responding to data-subject requests and supervisory authorities.
  • Maintain records of the processing activities carried out on the Client's behalf.

5. Client's obligations

  • Ensure that all Personal Data provided to the Provider is collected and processed lawfully, fairly and transparently.
  • Provide clear and lawful documented instructions for the processing of Personal Data.
  • Promptly inform the Provider of any change in processing requirements or circumstances affecting the Personal Data processed.

6. Sub-processors

The Client authorizes the Provider to engage sub-processors to support delivery of the Service. The Provider will impose data-protection obligations on each sub-processor that are substantially equivalent to those in this DPA, and will give the Client reasonable prior notice of any intended changes to sub-processors so that the Client may object on reasonable grounds.

7. International data transfers

Any transfer of Personal Data to a jurisdiction other than the Client's will be carried out in compliance with applicable data-protection law and subject to appropriate safeguards, such as standard contractual clauses or an equivalent mechanism.

8. Security measures

The Provider maintains technical and organizational security measures appropriate to the risk, including encryption in transit, access controls, authentication safeguards and monitoring. These measures are reviewed and updated as the Service and the threat landscape evolve.

9. Data breach notification

If the Provider becomes aware of a Data Breach affecting the Client's Personal Data, it will notify the Client without undue delay and provide information reasonably available to assist the Client in meeting any notification obligations to authorities or data subjects.

10. Duration, return and deletion

This DPA remains in effect for as long as the Provider processes Personal Data on the Client's behalf. On termination or expiry of the Service, the Provider will, at the Client's choice, delete or return the Personal Data processed on the Client's behalf, unless retention is required by applicable law.

11. Audit rights

The Provider will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, subject to reasonable prior notice, confidentiality, and mutual agreement on timing and scope so as not to disrupt the Provider's operations or other clients.

12. Liability

Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except to the extent that applicable data-protection law provides otherwise.

13. Governing law

This DPA is governed by, and disputes are resolved in accordance with, the governing-law and dispute-resolution provisions of the Terms of Service.

14. Amendments

Any amendment to this DPA must be made in writing. Where changes are required to reflect updated legal requirements, the Provider will notify the Client and the updated DPA will apply to ongoing processing.

Questions about this document?

If anything here is unclear, we are happy to explain it in plain language. Contact us or email legal@proxya.co.