Last updated: TBD — DRAFT
This Data Processing Agreement ("DPA") supplements the Terms of Service for tenants subject to the EU General Data Protection Regulation (GDPR), UK GDPR, Switzerland's FADP, or India's DPDP Act. It governs ProjexCloud Inc.'s processing of personal data on behalf of the tenant (acting as Data Controller).
Terms used in this DPA have the meaning given to them in the GDPR (Article 4) or, where applicable, the equivalent provisions of UK GDPR, FADP, or DPDP. "Customer Personal Data" means personal data processed by ProjexCloud on the tenant's behalf.
The tenant is the Data Controller of Customer Personal Data. ProjexCloud is the Data Processor and processes Customer Personal Data only on documented instructions from the tenant, except where required by law.
ProjexCloud shall: (a) process Customer Personal Data only on the tenant's documented instructions; (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement the technical and organizational measures set forth in Annex II; (d) engage subprocessors only with the tenant's prior authorization as described in Section 6; (e) assist the tenant in responding to data-subject requests; (f) notify the tenant of personal data breaches without undue delay; (g) make available all information necessary to demonstrate compliance.
Where the tenant has bound a customer-managed key (CMEK) per the Security page, ProjexCloud's technical ability to access Customer Personal Data depends on the active grant on the tenant's KMS. Revoking the grant renders the data undecryptable within approximately 30 seconds.
The current list of subprocessors is available on request and via the tenant-admin console. ProjexCloud will provide at least 30 days' notice before engaging a new subprocessor, during which the tenant may object on reasonable grounds.
For Customer Personal Data subject to the GDPR or UK GDPR, transfers outside the EEA or UK rely on the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable) or the UK International Data Transfer Agreement / Addendum, supplemented by the technical measures in Annex II.
ProjexCloud provides tenant-admin endpoints under /api/data-rights/* for tenants to action data-subject access, rectification, erasure, restriction, portability, and objection requests. Where a data subject contacts ProjexCloud directly, ProjexCloud will redirect them to the tenant.
ProjexCloud makes the SOC 2 Type II report (once available), penetration test summaries, and the live audit chain export available under NDA upon request. Annual on-site audits are available for Enterprise tenants on reasonable notice.
[DRAFT — categories of data subjects, categories of personal data, types of processing, duration.]
[DRAFT — encryption at rest and in transit, access control, audit logging, vulnerability management, incident response, BCP/DR. Reference the Security page.]
[DRAFT — current list to be exported from the subprocessor registry.]
To execute a counter-signed copy of this DPA, contact legal@projexcloud.com.