1. Definitions
Capitalised terms not defined here have the meaning given in the Propolyx Terms of Service (the “Agreement”). In this DPA, “Controller,” “Processor,” “Personal Data,” “Processing,” “Data Subject,” and “Supervisory Authority” have the meanings given in the GDPR.
You (the customer) are the Controller. Propolyx is the Processor.
2. Scope and roles
This DPA applies to Propolyx's Processing of Personal Data on behalf of Customer in connection with the Service. Propolyx will Process Personal Data only on documented instructions from the Customer, which are deemed given by the Customer's use of the Service.
3. Subprocessors
Customer authorises Propolyx to engage the subprocessors listed at /trust. Propolyx will give at least 30 days' advance notice of changes to the list and Customer may object on reasonable grounds.
Propolyx remains liable for the acts and omissions of its subprocessors to the same extent as for its own.
4. Security measures
Propolyx implements the technical and organisational measures set out at /security, which the parties agree are appropriate to the risk. These include encryption at rest with customer-managed KMS, encryption in transit (TLS 1.3), tenant-isolated storage, scoped IAM, and a 24/7 security operations centre.
5. International transfers
Where Customer Personal Data is transferred from the EU/EEA, UK, or Switzerland to a country not deemed adequate by the European Commission, the parties agree to be bound by the EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, attached as Schedule 2.
Enterprise customers can elect EU residency (eu-west-1) to keep Processing within the EEA.
6. Data subject requests
Propolyx will, to the extent legally permitted, promptly notify the Customer of any request received directly from a Data Subject and will assist the Customer in fulfilling its obligations to respond.
7. Personal data breach notification
Propolyx will notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Customer Personal Data, with sufficient information to allow the Customer to meet its obligations under Article 33 GDPR.
8. Audits
Propolyx will make available all information necessary to demonstrate compliance with Article 28 GDPR, including the SOC 2 Type II report (under NDA). Customer may, at its expense and on reasonable notice, conduct an audit no more than once per year unless required by a Supervisory Authority.
9. Return or deletion
Upon termination of the Agreement, Propolyx will, at the Customer's choice, return or delete all Customer Personal Data, including from backups, within 90 days. Certifications of deletion are available on request.