Data Processing Agreement
Last updated: February 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Proxifai ("Processor," "we," "us") and the customer ("Controller," "you") who uses our platform and services (the "Service"). This DPA governs the processing of personal data by Proxifai on behalf of the customer in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable privacy legislation.
By using the Service to process personal data of third parties, you agree to this DPA. If you require a signed copy, contact [email protected].
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by Proxifai to process Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable data protection and privacy legislation, including GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA/CPRA, and any national implementing legislation.
- "Standard Contractual Clauses (SCCs)" means the standard contractual clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
2.1 Roles
For the purposes of this DPA, the customer is the Controller and Proxifai is the Processor of Personal Data submitted to or processed through the Service.
2.2 Subject Matter and Duration
The subject matter of processing is the provision of the Proxifai platform as described in the Terms of Service. Processing begins when Personal Data is first submitted to the Service and continues for the duration of the agreement, plus any retention period specified herein.
2.3 Nature and Purpose
The purpose of processing is to:
- Provide, operate, and maintain the Service, including AI agent task execution and code execution
- Store and manage project data, source code, and related content
- Manage user authentication and account access
- Process billing and usage data
- Provide customer support
- Process data through third-party AI model providers for agent task execution, subject to the data processing terms of those providers
2.4 Types of Personal Data
The following categories of Personal Data may be processed:
- Contact information (name, email address)
- Account credentials and authentication data
- Usage data and activity logs
- Source code and project data (which may incidentally contain Personal Data)
- IP addresses and device information
- Billing information
- AI agent interaction data (prompts, instructions, and outputs, which may incidentally contain Personal Data)
2.5 Categories of Data Subjects
- Customers and their authorized users
- End users whose data may be present in source code, project data, or AI agent interactions submitted by the customer
3. Obligations of the Processor
3.1 Instructions
Proxifai shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. If Proxifai is required by law to process Personal Data for another purpose, it shall inform the Controller of that legal requirement before processing, unless prohibited by law.
3.2 Confidentiality
Proxifai shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
Proxifai shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption: Encryption of Personal Data in transit (TLS 1.2+) and at rest
- Access Control: Role-based access controls and multi-factor authentication limiting access to Personal Data to authorized personnel only
- Isolation: Container-level and network isolation for code execution environments, preventing cross-tenant data access
- Availability: Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
- Backup: Regular backup procedures to restore availability and access to Personal Data in a timely manner
- Testing: Processes for regularly testing, assessing, and evaluating the effectiveness of security measures, including penetration testing
- Monitoring: Security monitoring, logging, and alerting systems
- Incident Response: Documented incident response procedures aligned with GDPR and NIS2 Directive notification requirements where applicable
3.4 Sub-processors
The Controller provides general authorization for Proxifai to engage sub-processors. Proxifai shall:
- Maintain a current list of sub-processors at /sub-processors
- Notify the Controller of any intended changes to sub-processors at least 30 days in advance by updating the sub-processors page
- Provide the Controller the opportunity to object to the new sub-processor within that 30-day period
- Impose data protection obligations on each sub-processor by way of a contract that provides at least the same level of protection as this DPA
- Remain fully liable to the Controller for the performance of each sub-processor's obligations
- Conduct appropriate due diligence on sub-processors' security practices before engagement
3.5 Data Subject Rights
Proxifai shall assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to Data Subject requests exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling (GDPR Article 22)
3.6 Security Incident Notification
Proxifai shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident involving Personal Data. The notification shall include:
- A description of the nature of the incident, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the point of contact
- A description of the likely consequences of the incident
- A description of the measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects
Where required by the NIS2 Directive (Directive 2022/2555), Proxifai shall additionally provide an early warning to the relevant competent authority or CSIRT within 24 hours of becoming aware of a significant cybersecurity incident, followed by a detailed notification within 72 hours, and a final report within one month.
Proxifai shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the incident.
3.7 Data Protection Impact Assessment
Proxifai shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and the information available to Proxifai. This includes providing information about the AI processing activities, data flows through third-party AI model providers, and the security measures implemented in code execution environments.
3.8 AI-Specific Processing Provisions
Where Personal Data is processed by AI agents or submitted to third-party AI model providers as part of the Service:
- Proxifai ensures that appropriate data processing agreements are in place with all third-party AI model providers
- Personal Data submitted to third-party AI model providers is not used for training those providers' AI models under our commercial terms with those providers
- Proxifai maintains logs of AI processing activities involving Personal Data for compliance and audit purposes
- The Controller is responsible for minimizing Personal Data in prompts and task descriptions submitted to the Service where feasible, in accordance with the data minimization principle
4. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis for the processing of Personal Data
- Provide clear documented instructions to the Processor regarding the processing of Personal Data
- Ensure compliance with Data Protection Laws with respect to its use of the Service
- Inform Data Subjects about the processing of their Personal Data as required by applicable law, including disclosure of AI processing where required
- Promptly notify Proxifai of any changes to applicable data protection regulations that may affect Proxifai's processing activities
- Conduct appropriate risk assessments and data protection impact assessments for high-risk processing activities, including automated decision-making using AI agents
- Minimize the inclusion of Personal Data in prompts, code, and task descriptions submitted to the Service where reasonably practicable
5. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. For such transfers, Proxifai relies on:
- EU-U.S. Data Privacy Framework and the UK Extension thereof, where applicable
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference as applicable:
  - Module Two (Controller to Processor) applies where the Controller transfers Personal Data to Proxifai as Processor
  - For transfers from the UK, the UK International Data Transfer Addendum to the SCCs applies
  - For transfers from Switzerland, the SCCs apply with the modifications specified by the Swiss Federal Data Protection and Information Commissioner
Where Personal Data is subsequently transferred to sub-processors (including third-party AI model providers) located outside the EEA, Proxifai ensures that appropriate transfer mechanisms are in place with each sub-processor.
6. Audit Rights
Proxifai shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with Proxifai's operations. The Controller shall bear the cost of any audit. Proxifai may provide relevant certifications (e.g., SOC 2 reports, ISO 27001 certificates) as an alternative to on-site audits where reasonably sufficient.
7. Data Return and Deletion
Upon termination of the agreement or upon the Controller's written request, Proxifai shall, at the Controller's choice:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- Delete all Personal Data, including all existing copies, unless applicable law requires continued storage
Proxifai shall complete the return or deletion within 30 days of the request and shall provide written confirmation of deletion upon request. Backup copies may be retained for a reasonable period (not exceeding 90 days) for disaster recovery purposes, after which they shall be deleted.
8. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law, including liability for violations of Data Protection Laws that are not subject to contractual limitation under applicable mandatory law.
9. Term
This DPA shall remain in effect for as long as Proxifai processes Personal Data on behalf of the Controller. The obligations of this DPA shall survive for as long as Proxifai retains any Personal Data processed under this DPA.
10. Governing Law
This DPA shall be governed by the same law that governs the Terms of Service, except where Data Protection Laws require otherwise. For Personal Data subject to GDPR, the provisions of this DPA shall be interpreted in accordance with GDPR. For disputes related to GDPR-protected data, the courts of the EU Member State where the Data Subject habitually resides shall have jurisdiction.
11. Contact
For questions about this DPA, including to request a signed copy or to exercise audit rights, contact:
Proxifai
Email: [email protected]
Data Protection Contact: [email protected]