Data Processing Agreement
Last updated: 1 June 2026
This data processing agreement (hereinafter: the “Agreement” or “DPA”) sets out the arrangements between the customer as controller and OXIAE as processor, for the processing of personal data that OXIAE carries out on behalf of the customer in the context of the OXIAE service. The Agreement forms an integral part of the main agreement between the parties and is drawn up in accordance with article 28 of the General Data Protection Regulation (GDPR).
1. Parties & roles
This Agreement is concluded between:
- The customer, the party designated in the main agreement as the recipient of the service, hereinafter referred to as the “Controller”. The Controller determines the purpose and means of the processing.
- OXIAE, a trade name of VDS International S.A., a company established in Panama, registered in the Registro Público de Panamá under folio 155777850, reachable via privacy@oxiae.com and with domain oxiae.com, hereinafter referred to as the “Processor”. The Processor processes personal data solely on behalf of and on the instructions of the Controller.
The parties acknowledge that the Controller bears the ultimate GDPR responsibility towards data subjects and the supervisory authority, and that the Processor acts within the limits of the instructions laid down in this Agreement. Where the parties jointly determine the purpose and means for a specific component, joint controllership may arise; this is then arranged separately in writing. See controller or processor for a full explanation of this division of roles.
2. Subject matter & duration
The subject matter of this Agreement is the processing of personal data by the Processor for the purpose of delivering the OXIAE service, including the receiving, verifying, routing and delivering of intake requests (leads) and the keeping of an audit trail.
This Agreement takes effect on the date the main agreement becomes effective and remains in force as long as the Processor processes personal data on behalf of the Controller. Termination of the main agreement also terminates this Agreement, without prejudice to the provisions that by their nature remain in force, such as confidentiality and the obligations regarding return and deletion (article 12).
3. Nature and purpose of the processing
The Processor processes personal data solely for the purposes described below and not for its own purposes:
- receiving and capturing intake requests via forms, landing pages and APIs;
- verifying the provenance, consent and quality of the intake requests;
- matching and routing intake requests to the right recipient based on the rules set by the Controller;
- delivering intake requests and supporting payouts, acceptances and disputes;
- keeping an audit trail, dashboards and reports for the purpose of accountability;
- providing support, management and maintenance of the service.
The Processor processes the data in a manner consistent with the principles of lawfulness, purpose limitation and data minimisation.
4. Types of personal data & categories of data subjects
4.1 Types of personal data
In the context of the service, the following categories of personal data may, among others, be processed:
- contact details (such as name, email address, phone number, address);
- request data (such as the content of the request, product interest and preferences);
- provenance and consent data (such as source, timestamp, IP address and recorded consent);
- technical data and metadata (such as timestamps, device and session data, status and routing information).
The service is not designed to process special categories of personal data. The Controller ensures that such data is not submitted through the service, unless the parties have laid down separate arrangements for it.
4.2 Categories of data subjects
The processing may relate to the following categories of data subjects: applicants and consumers who submit a request, contact persons of recipients and suppliers, and users of the platform.
5. Instructions of the controller
The Processor processes personal data solely on the basis of documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless a legal provision applicable to the Processor requires it to process. In that case, the Processor informs the Controller of that legal requirement before the processing, unless that legislation prohibits this notification on important grounds of public interest.
This Agreement and the configuration the Controller establishes within the platform (such as routing rules and retention periods) constitute the documented instructions. The Processor immediately informs the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
6. Confidentiality
The Processor ensures that the persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is limited to staff for whom that access is necessary for the performance of their tasks.
This confidentiality obligation remains in force after termination of this Agreement.
7. Security measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, the Processor takes appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include, among others, encryption in transit and at rest, role- and context-based access control, logging and monitoring, and tested backup and recovery procedures.
A concrete description of the security measures is included in the Security measures annex and on the Security & encryption page. The Processor reviews and updates the measures periodically.
8. Sub-processors
The Controller grants the Processor general written authorisation to engage sub-processors for components of the processing, such as hosting, email and monitoring. The Processor imposes on each sub-processor the same data protection obligations as those set out in this Agreement.
The Processor informs the Controller in advance of intended changes to the list of sub-processors (addition or replacement). From the moment of notification, the Controller has an objection period of 30 days to raise a reasoned objection to a new sub-processor. If the parties reach no agreement, the Controller has the right to terminate the relevant component of the service. The Processor remains fully liable to the Controller for the performance of the obligations by the sub-processor.
The current list of sub-processors is included in the Sub-processors annex and is available on request.
9. Assistance with data subject rights
Taking into account the nature of the processing, the Processor assists the Controller, by means of appropriate technical and organisational measures and insofar as possible, in fulfilling the obligation to respond to requests from data subjects. This concerns the exercise of rights such as access, rectification, erasure, restriction, objection and data portability.
If the Processor receives a request directly from a data subject, it refers the data subject to the Controller and informs the Controller without undue delay. The Processor does not respond to such requests independently, unless legally obliged to do so.
10. Data breaches
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach. Under the GDPR, the Controller is in principle obliged to report a notifiable data breach to the supervisory authority within 72 hours of becoming aware of it; the Processor arranges its notification in such a way that the Controller can meet that deadline.
The Processor’s notification contains at least a description of the nature of the breach, the categories and numbers concerned, the likely consequences and the measures taken or proposed. The Processor provides reasonable assistance in investigation, containment, recovery and the prevention of recurrence, and documents the incident in the audit trail.
11. Audits & inspections
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR, and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
An audit takes place after reasonable prior notice, at most once a year (except in the event of a specific cause or a request from the supervisory authority), during office hours and in a manner that disrupts the Processor’s operations as little as possible. The Processor may first satisfy a reasonable request for information by means of existing reports, certifications or overviews from the audit trail. The costs of an audit are borne by the Controller, unless the audit reveals a material shortcoming on the part of the Processor.
12. Return and deletion at termination
After termination of the service, the Processor, at the Controller’s choice, deletes or returns all personal data, and deletes existing copies, unless storage of the personal data is required under Union or national law.
The Controller may request an export of the data within a reasonable period after termination. Thereafter, the personal data is demonstrably deleted or anonymised, including from backups in accordance with the regular backup cycle. The deletion is traceable on request in the audit trail.
13. Liability
The liability of the parties under this Agreement is governed by the liability provisions of the main agreement, with due observance of the mandatory framework of the GDPR. Each party is liable for damage resulting from its own failure to perform its obligations under the GDPR and this Agreement.
The limitations and exclusions of liability set out in the main agreement apply correspondingly to this Agreement, insofar as legally permitted. Nothing in this Agreement limits the rights of data subjects under the GDPR.
14. Governing law
This Agreement is governed by [applicable law, to be determined], with due observance of the GDPR for the processing of personal data of EU data subjects. Disputes arising out of or in connection with this Agreement are submitted to the competent court in the district where the Processor is established, unless the parties agree otherwise in writing or mandatory law provides otherwise.
In the event of a conflict between this Agreement and the main agreement, this Agreement prevails insofar as it concerns the processing of personal data.
Annex: security measures
Below are the technical and organisational measures the Processor takes, as referred to in article 7. The measures are reviewed periodically and may be supplemented in response to new insights or risks. A more detailed description is available on the Security & encryption page.
| Category | Measure |
|---|---|
| Access management | Role- and context-based access (least privilege), with multi-factor authentication for administrator access and periodic review of permissions. |
| Encryption in transit | Encryption of all data traffic via current TLS protocols between users, systems and sub-processors. |
| Encryption at rest | Encryption of personal data in the database and backups with strong, managed keys. |
| Logging & monitoring | Complete audit trail of processing activities, plus security and stability monitoring with alerting on anomalies. |
| Separation of environments | Strict separation between development, test and production environments; production data is not used in testing. |
| Backup & recovery | Regular, encrypted backups with tested recovery procedures and defined recovery objectives. |
| Pseudonymisation & minimisation | Data minimisation by design and pseudonymisation wherever it does not stand in the way of the purpose. |
| Personnel & confidentiality | Confidentiality obligations for staff, awareness training and documented access procedures. |
Annex: sub-processors
The sub-processors below are engaged for components of the processing, as referred to in article 8. All are bound by the same security and retention arrangements. The list is indicative; the current version is available on request.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud hosting (EU region) | Storage and hosting of the application and database | EU |
| Email service | Transactional messages and notifications | EU |
| Error monitoring & logging | Security and stability monitoring | EU |
| [Sub-processor name] | [Purpose of the processing] | [Location] |
Bracketed fields are placeholders that are filled in per concrete engagement.
Contact
Questions about this data processing agreement, a request for the signed model or to view the current sub-processor list? Get in touch via privacy@oxiae.com. The details of the data protection officer are available on request: [officer name].
Read more
Need a data processing agreement?
Book a demo or request the standard model, and see how OXIAE demonstrably records roles, security and retention periods.