This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Draxion, Inc. (“Draxion”) and the Customer and is incorporated by reference. It governs the processing of personal data by Draxion on behalf of the Customer in accordance with GDPR Article 28.
Enterprise customers requiring a countersigned DPA for procurement purposes should contact privacy@draxion.io. We will provide an executed copy within 5 business days.
1. Definitions
In this Data Processing Agreement, the following terms have the meanings set out below:
- “Controller” means the Customer — the entity that determines the purposes and means of processing personal data.
- “Processor” means Draxion, Inc. — the entity that processes personal data on behalf of the Controller under this DPA.
- “Personal Data” has the meaning given in GDPR Article 4(1): any information relating to an identified or identifiable natural person.
- “Processing” has the meaning given in GDPR Article 4(2): any operation performed on personal data, including collection, storage, analysis, and deletion.
- “Data Subject” means the individual to whom personal data relates — primarily employees, contractors, and authorized users of the Customer organization.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679 and, where applicable, the UK GDPR as retained in UK domestic law.
- “Standard Contractual Clauses” or “SCCs” means the clauses adopted by the European Commission under GDPR Article 46(2)(c) for international transfers of personal data, as updated from time to time.
- “Sub-processor” means any third party engaged by Draxion to process personal data on behalf of the Customer.
2. Subject Matter and Duration
Draxion processes personal data on behalf of the Customer solely to provide the Draxion AI governance platform and related services as described in the Terms of Service.
Processing begins when the Customer activates the Draxion service and continues until termination of the Customer’s subscription, after which Draxion will delete or return all personal data in accordance with Section 10 of this DPA.
3. Nature, Purpose, and Categories of Processing
| Element | Detail |
|---|---|
| Nature | Collection, storage, analysis, aggregation, and deletion of employee AI tool usage data via the Draxion Chrome extension, API integrations, and platform dashboard |
| Purpose | Shadow AI detection, data leakage prevention, employee risk scoring, compliance report generation, AI policy creation, and AI governance documentation for the Customer organization |
| Categories of personal data | Employee name, work email address, employee ID, device identifiers, AI tool usage metadata (tool name, timestamp, risk classification, department), DLP event classifications. Raw content of employee inputs to AI tools is never stored — only the classification result. |
| Special category data | None intentionally collected. The Customer must ensure employees do not submit special category data (health, biometric, political, religious) to AI tools within the scope of monitoring. |
| Data subjects | Employees, contractors, and other authorized users of the Customer organization who are subject to AI governance monitoring |
| Retention | Detection events: 12 months. Audit logs: 24 months. Compliance reports: duration of subscription plus 30 days. All data deleted within 30 days of subscription termination unless longer retention is required by applicable law. |
4. Controller Obligations
The Customer, acting as Controller, represents and confirms that:
- It has a lawful basis under GDPR Article 6 for monitoring employee AI tool usage — typically legitimate interests under Article 6(1)(f) or compliance with a legal obligation under Article 6(1)(c).
- It has provided appropriate notice to employees regarding AI tool monitoring in accordance with GDPR Articles 13 and 14, including in its employee privacy notice or acceptable use policy.
- Where required by applicable employment law (including in Germany, France, the Netherlands, and other jurisdictions requiring works council consultation), it has completed all required consultations before deploying the Draxion Chrome extension.
- It will not instruct Draxion to process personal data in a manner that would violate applicable data protection law.
- It maintains a Record of Processing Activities (ROPA) under GDPR Article 30 that includes processing activities carried out by Draxion on its behalf under this DPA.
5. Processor Obligations
Draxion, acting as Processor, commits to:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries, unless required to do so by applicable law — in which case Draxion will notify the Controller unless prohibited by law.
- Ensure that all persons authorized to process personal data are subject to appropriate confidentiality obligations.
- Implement the technical and organizational security measures described in Section 8 of this DPA.
- Notify the Controller promptly — and in any event within 48 hours — if Draxion believes an instruction from the Controller violates applicable data protection law.
- Assist the Controller in fulfilling its obligations regarding data subject rights (Section 7), data protection impact assessments (GDPR Article 35), and prior consultation with supervisory authorities (GDPR Article 36).
- Upon termination of the service, delete or return all personal data to the Controller within 30 days and delete existing copies, unless applicable law requires continued storage.
- Make available all information necessary to demonstrate compliance with this DPA and contribute to and allow for audits and inspections in accordance with Section 11.
6. Sub-processors
The Customer grants Draxion general authorization to engage the sub-processors listed below. Draxion will provide at least 30 days written notice of any new sub-processor or material changes to existing sub-processors, during which time the Customer may object on reasonable and documented grounds related to data protection.
Draxion imposes data protection obligations on all sub-processors equivalent to those set out in this DPA.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase, Inc. | Database hosting, storage, and real-time data services | United States (AWS us-east-1) | SCCs |
| Vercel, Inc. | Application hosting, global CDN, and edge functions | United States / Global CDN | SCCs |
| Clerk, Inc. | Authentication, session management, and user identity | United States | SCCs |
| OpenAI, LLC | AI policy generation and compliance report drafting. No personal data is sent to OpenAI — only anonymized organizational metadata. | United States | SCCs + Zero Data Retention Agreement |
| Arcjet, Inc. | API rate limiting, bot protection, and security middleware | United States | SCCs |
| Doppler, Inc. | Secrets and configuration management. Does not process customer personal data. | United States | SCCs |
To receive notifications of sub-processor changes or to request the current complete sub-processor list, contact privacy@draxion.io.
7. Data Subject Rights
Draxion will assist the Controller in responding to requests from data subjects exercising their rights under GDPR Chapter III, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
Where Draxion receives a data subject request directly, it will forward the request to the Controller within 5 business days without responding to the data subject directly, as the Controller is responsible for determining the appropriate response.
Draxion will provide technical assistance to support the Controller’s response at no additional charge for standard requests.
8. Technical and Organizational Security Measures
Draxion implements the following security measures to protect personal data:
- Encryption in transit: TLS 1.3 for all data in transit between client, extension, and server.
- Encryption at rest: AES-256 encryption for all stored personal data via Supabase managed encryption.
- Access controls: Role-based access control with principle of least privilege. Database row-level security (RLS) enforces complete organizational data isolation at the query level.
- Audit logging: All data access and modifications are logged with tamper-evident cryptographic JWT signing. Logs are immutable and retained for 24 months.
- Zero SELECT *: All database queries specify exact columns — no wildcard queries permitted in the codebase.
- Secrets management: All credentials and API keys managed via Doppler. Zero plaintext secrets in the codebase or environment files.
- Vulnerability management: Automated security quality gates on every code deployment. TypeScript strict mode with zero-error policy.
- Prompt injection defense: All LLM inputs are structurally separated from user-controlled data. No customer personal data is passed directly into AI model prompts.
9. Personal Data Breach Notification
Draxion will notify the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Customer data.
Notification will include, to the extent available at the time:
- The nature of the breach, including categories and approximate number of data subjects and personal data records affected.
- The name and contact details of Draxion’s data protection contact.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
The Controller is responsible for notifying the relevant supervisory authority under GDPR Article 33 and affected data subjects under GDPR Article 34 where required. Draxion will cooperate fully and provide all information reasonably necessary.
Report security incidents to: security@draxion.io
10. Return and Deletion of Data
Upon expiry or termination of the Customer’s subscription, Draxion will:
- Retain all Customer personal data for 30 days following the termination date to allow the Customer to export data via the platform or API before deletion.
- Delete all Customer personal data from active systems within 30 days of the termination date.
- Delete all Customer personal data from backup systems within 90 days of the termination date, in accordance with standard backup rotation cycles.
- Provide written confirmation of deletion upon request.
Draxion may retain personal data beyond these periods only where required by applicable law, and only for the minimum period required.
11. Audit Rights
Draxion will make available all information reasonably necessary to demonstrate compliance with this DPA and will permit the Controller or its designated auditor to conduct audits of relevant processing activities, subject to the following conditions:
- The Controller provides at least 30 days written notice of the intended audit.
- Audits are conducted during normal business hours and do not unreasonably disrupt Draxion’s operations.
- The auditor is subject to appropriate confidentiality obligations.
In lieu of a direct audit, Draxion may provide its then-current SOC 2 Type II report (when available), third-party penetration test summary, or equivalent documentation as evidence of compliance. Requests for audit documentation should be directed to security@draxion.io under NDA.
12. International Data Transfers
Draxion’s primary infrastructure is located in the United States. Where processing involves a transfer of personal data from the EEA, United Kingdom, or Switzerland to the United States or another country without an adequacy decision, Draxion relies on the European Commission’s Standard Contractual Clauses (Controller-to-Processor, Module 2) as the appropriate safeguard under GDPR Article 46.
Copies of the applicable SCCs are available upon request at privacy@draxion.io.
13. Governing Law
This DPA is governed by the laws of the Province of Ontario, Canada. For EEA and UK customers, the applicable Standard Contractual Clauses take precedence over this governing law clause to the extent required by applicable data protection law.
Nothing in this DPA limits the rights of data subjects to bring a complaint before their local data protection authority.
14. Contact and Countersigned DPA
For questions about this DPA, to request a countersigned copy for procurement purposes, or to exercise any rights under this agreement:
Draxion, Inc.
Privacy and Data Protection
privacy@draxion.io
Enterprise customers requiring a countersigned DPA will receive a fully executed copy within 5 business days of request.