
Data Processing Addendum

Last updated

Template notice. A Data Processing Addendum is a legally significant document. The structure below is a common pattern but should be reviewed by privacy counsel and aligned with your actual sub-processor list, security measures, and data flows.

1. Parties and roles

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Proxaro Networks LLC ("Processor") and the Customer identified in the Order Form ("Controller"). Where Customer uses the service to process personal data, Controller is the data controller (or, under the CCPA/CPRA, the "business") and Proxaro is the processor (or "service provider").

2. Scope of processing

Proxaro processes personal data solely for the purpose of providing the service and on the documented instructions of Controller. Processing details:

  • Subject matter: proxy gateway access.
  • Duration: lifetime of the service contract plus metadata retention per our Privacy Policy.
  • Categories of data subjects: end users of target resources accessed by Controller through the service.
  • Categories of personal data: any personal data Controller chooses to transmit via the gateway. Proxaro does not intercept or store payload data.

3. Sub-processors

Controller authorizes Proxaro to engage the sub-processors listed in our Privacy Policy. We notify Controller of new sub-processors with at least 30 days' notice, giving Controller the right to object.

4. Technical and organizational measures

  • Encryption in transit (TLS 1.2+).
  • Encryption at rest for all billing and account data.
  • US-based infrastructure with SOC 2 Type II audit in progress.
  • Access controls.
  • Least-privilege principle for engineering access.
  • Annual third-party penetration testing.

5. International transfers

Where personal data of individuals in the EEA or the United Kingdom is transferred to Proxaro in the United States, the transfer is protected by:

  • The EU-US Data Privacy Framework (where Proxaro self-certifies); and
  • The EU Standard Contractual Clauses (2021/914) as a fallback legal basis.

6. Breach notification

In the event of a personal data breach involving Controller's data, Proxaro will notify Controller without undue delay and in any case within 48 hours of detection.

7. Data subject and consumer rights assistance

Proxaro will assist Controller, insofar as possible, in responding to data subject rights requests under GDPR/UK GDPR and to consumer requests under the CCPA/CPRA and other US state privacy laws.

8. Deletion and return

On termination of the service, Proxaro will delete all personal data under its control within 30 days, save where retention is required by applicable law (including US federal and state tax record-retention requirements).

9. Audit

Once per 12-month period, Controller may request evidence of compliance in the form of our most recent SOC 2 report and an architecture overview. On-site audits are available by mutual arrangement.