This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Coraxity, Inc. (“Processor”) and the Customer (“Controller”) and is required for customers subject to GDPR or other data protection regulations.
1. Definitions
“Personal Data” has the meaning given in applicable data protection law.
“Processing” has the meaning given in applicable data protection law.
“Data Subject” means the individual to whom Personal Data relates.
“Sub-processor” means any processor engaged by Corax to process Personal Data.
2. Scope and Purpose
2.1 Corax processes Personal Data only to provide the services described in the Terms of Service.
2.2 Corax processes Personal Data only on documented instructions from the Customer.
2.3 Corax will not process Personal Data for any purpose other than providing the service unless required by law.
3. Corax Obligations
3.1 Process Personal Data only as instructed by Customer.
3.2 Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
3.3 Implement appropriate technical and organizational security measures including:
- AES-256-GCM encryption at rest
- TLS 1.3 in transit
- Access controls and audit logging
- Regular security reviews
3.4 Assist Customer in responding to Data Subject requests.
3.5 Notify Customer within 72 hours of becoming aware of a Personal Data breach.
3.6 Delete or return all Personal Data on termination of the agreement as instructed by Customer.
3.7 Provide all information necessary to demonstrate compliance with this DPA.
4. Sub-Processors
4.1 Customer authorizes Corax to engage the following sub-processors:
| Sub-Processor | Location | Purpose |
|---|---|---|
| Anthropic, Inc. | USA | AI processing |
| Auth0, Inc. | USA | Authentication |
| Stripe, Inc. | USA | Payment processing |
| Railway Corp | USA | Cloud hosting |
| Cloudflare, Inc. | USA | CDN and security |
| VAPI | USA | Voice services |
| Mailgun (Sinch) | USA | Email delivery |
| Amazon Web Services | USA | Infrastructure |
| Microsoft Corporation | USA | Analytics (Clarity) |
4.2 Corax will notify Customer of any changes to sub-processors with 30 days' notice.
4.3 Customer may object to a new sub-processor within 14 days of notification.
5. International Transfers
Where Personal Data is transferred outside the EEA, Corax ensures appropriate safeguards are in place, including standard contractual clauses or adequacy decisions.
6. Audit Rights
Customer may audit Corax's compliance with this DPA once per year upon 30 days' written notice, at Customer's expense, or following a confirmed Personal Data breach.
7. Term
This DPA remains in effect for the duration of the Terms of Service and terminates automatically on termination of the Terms of Service.
To execute this DPA, contact legal@coraxity.com.