Data Processing Addendum

Last updated: March 2026

1. Scope and Definitions

This Data Processing Addendum ("DPA") applies when Ophraxx AI processes personal data on behalf of a customer ("Controller") in connection with business or enterprise services. "Personal data," "processing," "controller," and "processor" have the meanings given in applicable data protection law (e.g. the GDPR). Ophraxx AI acts as a processor (or subprocessor) when processing personal data on documented instructions from the Controller. Our systems are built and operated by us; we do not delegate controller-level decisions or data use to unnamed or unaccountable parties.

2. Roles and Responsibilities

The customer is the data controller for personal data it provides or determines the means and purposes of processing for. Ophraxx AI is the data processor (or subprocessor) when we process that data to provide the services. We will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless we are required to process by applicable law; in that case we will inform the Controller of that requirement unless the law prohibits it.

3. Processing Instructions and Purposes

We process personal data only on documented instructions from the Controller and for the purpose of providing the services (e.g. operating the conversational bot, website, web applications, authentication, profile and settings management, safety and abuse prevention, and support). We will not use personal data for any purpose other than as set out in the agreement with the Controller and this DPA, or as required by law. We will not sell personal data or use it for advertising. If the Controller instructs us to process personal data in a manner that we believe conflicts with applicable law, we will inform the Controller and will not follow the instruction until it is lawfully amended or we are required to comply by law.

4. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (e.g. TLS) and at rest where appropriate.
  • Access controls and the principle of least privilege; access to personal data is limited to personnel who need it to perform the services.
  • Monitoring and logging of access and security-relevant events; regular review of logs and audit trails.
  • Incident response procedures to detect, assess, and remediate security events; we will notify the Controller of a personal data breach without undue delay where required by law or contract.
  • Secure development and deployment practices; we do not outsource core processing logic or safety systems to unnamed parties.

Further detail on our security practices is in our Security & Privacy page.

5. Subprocessors and Infrastructure

Where we use subprocessors or infrastructure operated by others to deliver the services (e.g. hosting, database, or network infrastructure), we ensure they are bound by confidentiality and security obligations consistent with this DPA and applicable law. Our core processing logic, safety systems, and policy enforcement remain under our control; we do not delegate controller-level decisions or data use to unnamed or unaccountable parties. We will inform the Controller of any intended changes concerning the addition or replacement of subprocessors and will allow the Controller an opportunity to object on reasonable grounds. If the Controller objects and we cannot reasonably accommodate the objection, the Controller may terminate the affected services in accordance with the agreement.

6. Data Subject Rights

We will assist the Controller in fulfilling its obligations to respond to data subject requests (e.g. access, rectification, erasure, restriction, portability, objection) where required by applicable law and to the extent we can do so within our role as processor. We will pass on to the Controller any data subject request we receive and will not respond directly to the data subject unless the Controller authorizes us to do so. Assistance may be subject to reasonable fees if the request is manifestly unfounded or excessive.

7. International Transfers

Where personal data is transferred to a country outside the European Economic Area (or other jurisdiction that requires a transfer mechanism), we will ensure appropriate safeguards are in place, such as standard contractual clauses approved by the relevant authority or other mechanisms permitted by applicable law. We will provide the Controller with information necessary to demonstrate compliance with transfer requirements upon request.

8. Deletion or Return

Upon termination or expiry of the services, we will delete or return personal data to the Controller in accordance with the agreement and applicable law, unless we are required to retain it by law. At the Controller's request, we will certify that deletion has been completed. Any retained data will remain subject to this DPA and applicable law.

9. Audits and Demonstrating Compliance

We will make available to the Controller information necessary to demonstrate compliance with this DPA and applicable data protection law. We may provide that information in the form of documentation, certifications, or audit reports. If an audit is required by law and the information we provide is insufficient, we will allow for audits (including inspections) by the Controller or an agreed auditor, subject to reasonable notice, confidentiality obligations, and not more than once per year unless required by a supervisory authority or a material incident. Audits will be at the Controller's expense unless otherwise agreed.

10. Term and Survival

This DPA takes effect when the Controller and Ophraxx AI agree to it (e.g. by signing an agreement that incorporates it or by using services that are subject to it) and continues for as long as we process personal data on behalf of the Controller. Obligations that by their nature should survive (e.g. confidentiality, security, data subject rights, deletion or return, audit) will survive termination or expiry of the services.