Legal & trust

Data Processing (DPA Outline)

The outline of the data processing agreement (DPA) used for B2B engagements where Rexora processes personal data on a client's behalf. The signed DPA for each engagement prevails.

Operational draft — owner/legal review required. This text is a working draft prepared for review and is not yet reviewed legal advice.

1. Roles

The client is the controller of its business data; Rexora acts as processor for the agreed workflows. Where Rexora processes its own correspondence and contracts, it acts as an independent controller.

2. Scope and instructions

Processing is limited to the categories of data and purposes listed in the engagement's processing annex.
Workflows process only the fields needed for the purpose (data minimisation by design).
Processing follows the client's documented instructions; changes require written agreement.

3. Subprocessors

Third-party tools (e.g. hosting, AI model providers, automation platforms) used in a workflow are listed per engagement and approved by the client before use.
EU-hosted options are preferred wherever the stack allows it; transfers outside the EU/EEA happen only with valid transfer mechanisms.

4. Security measures

Access on a need-to-know basis, scoped credentials, no shared accounts.
Client content is not used to train models.
Demo and test data is ephemeral and deleted after use.
Client content is kept out of application logs by design.

5. Retention and deletion

Retention periods are agreed per engagement. On termination or on request, personal data is deleted or returned, and deletion is confirmed in writing.

6. Incidents and audits

Personal data breaches are notified to the client without undue delay. The client may audit compliance as agreed in the DPA (typically via documentation and written answers first).

All legal documents