Legal documentation

Data processing agreement (DPA)

This agreement sets personal data processing terms where Leaxio acts as data processor on behalf of customers acting as data controllers.

Last updated: February 11, 2026

1. Introduction and scope

This Data Processing Agreement (DPA) supplements the Leaxio Terms of Service and EULA and applies when the customer (Controller) uses Leaxio to process personal data subject to the European Union General Data Protection Regulation (GDPR) or similar data protection laws.

This DPA is an integral part of the services agreement and prevails over conflicting terms regarding data protection matters.

2. Definitions

  • Data Controller: The Leaxio customer that determines the purposes and means of processing personal data.
  • Data Processor: Leaxio, which processes personal data on behalf of the Controller.
  • Personal Data: Any information related to an identified or identifiable natural person processed through Leaxio.
  • Processing: Any operation performed on personal data, including collection, storage, consultation, disclosure, and deletion.
  • Data Subject: The identified or identifiable natural person to whom personal data relates.
  • Subprocessor: Any processor engaged by Leaxio to process personal data on behalf of the Controller.

3. Roles and responsibilities

3.1 Controller role (Customer)

The Controller:

  • Determines purposes and means of personal data processing
  • Is responsible for obtaining valid legal bases for processing
  • Must inform data subjects about processing activities
  • Is responsible for responding to data subject rights requests
  • Must comply with applicable data protection laws

3.2 Processor role (Leaxio)

Leaxio, as Processor:

  • Processes personal data only under documented Controller instructions
  • Ensures authorized personnel are subject to confidentiality obligations
  • Implements appropriate technical and organizational security measures
  • Assists the Controller in responding to rights requests
  • Notifies the Controller of personal data breaches without undue delay

4. Processing instructions

Leaxio processes personal data only based on documented Controller instructions, except where processing is required by applicable law. Processing instructions include:

  • Providing Leaxio services under the Terms of Service and EULA
  • Complying with specific written instructions from the Controller
  • Applying processing settings configured by the Controller in the platform

If Leaxio believes an instruction infringes GDPR or other data protection law, it will immediately inform the Controller.

5. Types of processed data

Leaxio may process the following categories of personal data:

  • Contact data: Names, email addresses, phone numbers, physical addresses
  • Identification data: Tax identifiers, identity documents
  • Financial data: Payment details, transaction history
  • Employment data: Employee information entered by the Controller
  • Usage data: Platform usage information and activity logs

Specific data types depend on how the Controller uses the Leaxio platform.

6. Subprocessors

6.1 Subprocessor authorization

The Controller authorizes Leaxio to engage subprocessors to process personal data. Leaxio ensures subprocessors are bound by data protection obligations substantially similar to this DPA.

6.2 Current subprocessors list

  • Supabase Inc. - Database hosting and authentication (USA, multi-region infrastructure)
  • Vercel Inc. - Web application hosting (USA, global CDN)
  • Stripe Inc. - Payment processing (USA, Ireland for EU customers)
  • Sentry - Error and performance monitoring (USA)
  • Upstash - Cache storage and rate limiting (multi-region)

6.3 Change notifications

Leaxio will notify the Controller, by email or platform announcement, at least 30 days before adding or replacing a subprocessor. The Controller may object on legitimate data protection grounds within 14 days of notification.

7. Security measures

Leaxio implements appropriate technical and organizational measures to protect personal data, including:

7.1 Technical measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication available for users
  • Data isolation between organizations through Row-Level Security (RLS)
  • Audit logs for data access and modifications
  • Encrypted automated backups with defined retention
  • Protection against DDoS and other security threats

7.2 Organizational measures

  • Access control policy based on need and role
  • Confidentiality agreements with authorized personnel
  • Security incident management procedures
  • Periodic security reviews
  • Vulnerability management and security patching

Leaxio reviews and updates these measures regularly to maintain a security level appropriate to risk.

8. Personal data breaches

In the event of a personal data breach, Leaxio:

  • Will notify the Controller without undue delay and, where possible, within 72 hours of becoming aware of the breach
  • Will provide available information on breach nature, categories and approximate number of affected data subjects, and compromised personal data
  • Will describe measures taken or proposed to address and mitigate adverse effects
  • Will provide contact details for additional information
  • Will reasonably cooperate with the Controller in investigation and remediation

9. Controller assistance

9.1 Data subject rights requests

Leaxio will assist the Controller through appropriate technical and organizational measures so the Controller can fulfill rights requests (access, rectification, deletion, portability, objection, processing restriction).

The platform includes features allowing the Controller to handle many requests directly. For additional assistance, the Controller should contact Leaxio support.

9.2 DPIAs and prior consultations

Leaxio will reasonably assist the Controller with data protection impact assessments (DPIAs) and prior supervisory authority consultations where required, providing information about security measures, processing activities, and risk mitigation.

10. Data deletion and return

At the end of processing services, Leaxio will, at the Controller’s choice:

  • Delete all personal data processed on behalf of the Controller, unless law requires retention
  • Return all personal data to the Controller in a structured and commonly used format (typically JSON or CSV)

The Controller must make this choice within the established retention period (typically 30 days after cancellation). After this period, Leaxio will permanently delete data.

11. Audits and inspections

Leaxio will make available information necessary to demonstrate compliance with this DPA and will allow and contribute to audits, including inspections, by the Controller or an authorized auditor, subject to:

  • Written notice at least 30 days in advance
  • Frequency not greater than once per year, except in breach scenarios
  • Auditor confidentiality agreement
  • Coordination to minimize operational disruption
  • Reasonable audit costs borne by the Controller

Leaxio will provide available security certification documentation (where applicable) as compliance evidence.

12. International data transfers

Personal data may be transferred and processed in jurisdictions outside the European Economic Area (EEA). Where this occurs, Leaxio ensures appropriate safeguards through:

  • Subprocessors covered by European Commission adequacy decisions, or
  • Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • Certifications such as Privacy Shield (where applicable and valid), or
  • Other legally recognized GDPR transfer mechanisms

Leaxio will provide copies of applicable safeguards upon Controller request.

13. Duration and termination

This DPA takes effect when the Controller starts using Leaxio to process personal data subject to GDPR and remains in effect until all personal data processing has ceased in accordance with Section 10.

Obligations that by nature should survive termination (such as confidentiality, liability limitations, and governing law) remain in force.

14. Governing law and jurisdiction

This DPA is governed by the same laws as the Leaxio Terms of Service. Nothing in this DPA limits the Controller's rights under GDPR or applicable data protection law.

15. Order of precedence

In case of conflict between this DPA and other Leaxio agreements (Terms of Service, EULA), this DPA prevails for personal data processing matters.

16. Contact

For questions related to this DPA or GDPR rights, contact contacto@leaxio.com.