Back to Home

Data Processing Agreement

Last updated: April 26, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Daxo ("Processor", "we", "us") and the customer ("Controller", "you") and governs the processing of personal data in connection with our API services. This DPA is designed to meet the requirements of applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Daxo to process Personal Data on behalf of the Controller.

3. Scope and Roles

When you use our API to access data, you act as the Controller determining the purposes and means of processing, and Daxo acts as the Processor processing data on your behalf in accordance with your instructions. For data that Daxo collects and maintains independently, Daxo acts as an independent Controller.

4. Processing Instructions

Daxo shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Inform the Controller if we believe an instruction infringes applicable data protection laws
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Not process Personal Data for purposes other than those specified in the Terms of Service and this DPA

5. Security Measures

Daxo implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security testing and vulnerability assessments
  • Incident response and disaster recovery procedures
  • Employee security training and confidentiality agreements
  • Physical security controls for data center facilities

6. Sub-processors

The Controller authorizes Daxo to engage Sub-processors to assist in providing the Services. Daxo shall:

  • Maintain a list of current Sub-processors available upon request
  • Notify the Controller of any intended changes to Sub-processors
  • Ensure Sub-processors are bound by data protection obligations at least as protective as those in this DPA
  • Remain liable for the acts and omissions of its Sub-processors

7. Data Subject Rights

Daxo shall assist the Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, data portability, and objection. We will notify you promptly if we receive a request directly from a Data Subject related to your use of our Services.

8. Data Breach Notification

In the event of a Personal Data breach, Daxo shall:

  • Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach
  • Provide sufficient information to enable the Controller to meet its own notification obligations
  • Cooperate with the Controller in investigating and mitigating the breach
  • Document all breaches, including facts, effects, and remedial actions taken

9. International Transfers

Where Personal Data is transferred outside of the European Economic Area or other jurisdictions with data transfer restrictions, Daxo ensures appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

10. Audit Rights

Daxo shall make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.

11. Data Retention and Deletion

Upon termination of the Services or upon the Controller's written request, Daxo shall delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires retention. We will provide certification of deletion upon request.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except where applicable law prohibits such limitations for data protection violations.

13. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service. The obligations contained in this DPA shall survive termination to the extent necessary to wind down processing activities and comply with applicable law.

14. Contact

For questions about this DPA or to exercise your rights, please contact us at support@getdaxo.io.