Propolyx.

Data processing addendum

DPA, ready to counter-sign.

Propolyx's Data Processing Addendum is Article 28 GDPR compliant, with EU SCCs (Module 2) and the UK IDTA attached. Below is the operative text — the executable PDF is one click away.

Latest version

Propolyx DPA · May 2026 · v3.0

Request signed PDF

1.Definitions

Capitalised terms not defined here have the meaning given in the Propolyx Terms of Service (the “Agreement”). In this DPA, “Controller,” “Processor,” “Personal Data,” “Processing,” “Data Subject,” and “Supervisory Authority” have the meanings given in the GDPR.

You (the customer) are the Controller. Propolyx is the Processor.

2.Scope and roles

This DPA applies to Propolyx's Processing of Personal Data on behalf of Customer in connection with the Service. Propolyx will Process Personal Data only on documented instructions from the Customer, which are deemed given by the Customer's use of the Service.

3.Subprocessors

Customer authorises Propolyx to engage the subprocessors listed at /trust. Propolyx will give at least 30 days' advance notice of changes to the list and Customer may object on reasonable grounds.

Propolyx remains liable for the acts and omissions of subprocessors to the same extent as its own.

4.Security measures

Propolyx implements the technical and organisational measures set out at /security, which the parties agree are appropriate to the risk. These include encryption at rest with customer-managed KMS, encryption in transit (TLS 1.3), tenant-isolated storage, scoped IAM, and a 24/7 security operations centre.

5.International transfers

Where Customer Personal Data is transferred from the EU/EEA, UK, or Switzerland to a country not deemed adequate by the European Commission, the parties agree to be bound by the EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, attached as Schedule 2.

Enterprise customers can elect EU residency (eu-west-1) to keep Processing within the EEA.

6.Data subject requests

Propolyx will, to the extent legally permitted, promptly notify the Customer of any request received directly from a Data Subject and will assist the Customer in fulfilling its obligations to respond.

7.Personal data breach notification

Propolyx will notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Customer Personal Data, with sufficient information to allow the Customer to meet its obligations under Article 33 GDPR.

8.Audits

Propolyx will make available all information necessary to demonstrate compliance with Article 28 GDPR, including the SOC 2 Type II report (under NDA). Customer may, at its expense and on reasonable notice, conduct an audit no more than once per year unless required by a Supervisory Authority.

9.Return or deletion

Upon termination of the Agreement, Propolyx will, at the Customer's choice, return or delete all Customer Personal Data, including from backups, within 90 days. Certifications of deletion are available on request.