Data Processing Agreement

Version 1.0 — Effective May 2026 — This Agreement supplements the Coaxiom Terms of Service and Privacy Policy.

To request a countersigned copy of this DPA, email [email protected] with your legal entity name and the email address on your Coaxiom account. We return a countersigned copy within 5 business days.

1. Definitions

For purposes of this Data Processing Agreement ("DPA"), the following terms have the meanings set out below. Terms used but not defined herein shall have the meanings given to them in the GDPR or the Coaxiom Terms of Service.

2. Scope and Purpose of Processing

2.1 Nature and Purpose

Coaxiom processes Personal Data solely to the extent necessary to provide the Services to the Customer. The purposes of Processing are: (a) service delivery and API access provisioning; (b) billing and subscription management; (c) security monitoring and fraud prevention; and (d) system performance monitoring and error logging.

2.2 Categories of Personal Data Processed

In the course of providing the Services, Coaxiom processes the following categories of Personal Data:

2.3 Categories of Data Subjects

The Data Subjects whose Personal Data is processed under this DPA are: the Customer's authorised users and employees who hold Coaxiom accounts or access the Services using API credentials issued to the Customer.

2.4 Duration of Processing

Coaxiom will process Personal Data for the duration of the Agreement. Upon expiry or termination of the Agreement, Coaxiom will retain Personal Data for a maximum of 90 days (the "Retention Period") to facilitate data export or return, after which it will be deleted or anonymised in accordance with Section 9 of this DPA. Coaxiom may retain anonymised and aggregated data beyond the Retention Period for internal analytics purposes, provided such data cannot be used to re-identify any Data Subject.

3. Obligations of the Processor (Coaxiom)

3.1 Documented Instructions

Coaxiom shall process Personal Data only on documented instructions from the Controller, as set out in this DPA and the Agreement, unless required to do so by applicable law. In such case, Coaxiom shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law on grounds of public interest. Coaxiom shall promptly notify the Controller if, in its opinion, any instruction infringes the GDPR or other applicable data protection law.

3.2 Confidentiality

Coaxiom shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Coaxiom shall ensure access to Personal Data is limited to those personnel who require access for the purposes of providing the Services.

3.3 Technical and Organisational Security Measures

Coaxiom shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are described in detail in Section 5 of this DPA.

3.4 Sub-processor Obligations

Coaxiom shall not engage any Sub-processor without prior general written authorisation from the Controller. The current list of authorised Sub-processors is set out in Section 4. Coaxiom shall impose data protection obligations on any Sub-processor equivalent to those imposed on Coaxiom under this DPA, by way of a written contract. Coaxiom shall remain liable to the Controller for the performance of Sub-processors' obligations.

3.5 Assistance with Data Subject Requests

Taking into account the nature of the Processing, Coaxiom shall assist the Controller, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to respond to Data Subject requests for the exercise of rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. Coaxiom shall forward any Data Subject request it receives directly from a Data Subject to the Controller without undue delay.

3.6 Assistance with Compliance Obligations

Coaxiom shall assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR, including: security of processing; notification of personal data breaches to the supervisory authority; communication of personal data breaches to the Data Subject; data protection impact assessments; and prior consultation with supervisory authorities.

3.7 Deletion or Return of Data

Upon termination or expiry of the Agreement, Coaxiom shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data. Coaxiom will complete deletion or return within 30 days of the termination date. Upon request, Coaxiom will provide written confirmation that deletion has been completed.

3.8 Audit Rights

Coaxiom shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA. Coaxiom shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, provided that: (a) the Controller gives Coaxiom at least 30 days' written notice; (b) the audit is conducted during normal business hours and does not disrupt Coaxiom operations; (c) the parties agree in advance on the scope and confidentiality of the audit; and (d) any third-party auditor is bound by an appropriate confidentiality obligation. Coaxiom may satisfy this obligation in whole or in part by providing the Controller with up-to-date SOC 2 reports or equivalent third-party audit results.

4. Sub-processors

The Controller grants Coaxiom general written authorisation to engage the Sub-processors listed below. Coaxiom will notify the Controller at least 14 days in advance of any additions or replacements to this list, giving the Controller the opportunity to object. The Controller may object on reasonable grounds relating to data protection, in which case the parties shall work in good faith to resolve the objection.

Sub-processor   | Purpose                                               | Location                          | Data Processed
Supabase Inc.   | Database hosting, authentication, row-level security  | US (AWS us-east-1)                | User accounts, usage logs, API keys (hashed)
Netlify Inc.    | Web hosting, CDN, serverless functions                | US                                | Request logs, IP addresses
Resend Inc.     | Transactional email delivery                          | US                                | Email addresses, email content (transactional only)
Stripe Inc.     | Payment processing and subscription billing           | US                                | Billing information (Coaxiom does not store card data)
Cloudflare Inc. | CDN, DDoS protection, WAF, DNS, edge encryption       | Global edge network               | IP addresses, request metadata
PostHog Inc.    | Product analytics and usage event tracking            | US / EU (customer configurable)   | Usage events, anonymised user IDs, page views

Each Sub-processor listed above maintains its own SOC 2 Type II certification and applicable data protection agreements. Copies of Sub-processor DPAs are available upon written request to [email protected].

5. Security Measures

Coaxiom implements and maintains the following technical and organisational security measures pursuant to Article 32 of the GDPR:

5.1 Encryption

5.2 Access Controls

5.3 Incident Detection and Response

5.4 Personnel and Confidentiality

5.5 Change Management

All changes to production systems are managed through version-controlled pull requests in GitHub. No changes are deployed to production without review. Deployments are logged with timestamps and author identifiers.

6. Data Subject Rights

Coaxiom shall assist the Controller in responding to Data Subject rights requests under the GDPR. The following describes how Coaxiom supports each right:

Response SLA: Coaxiom will respond to all verified data subject rights requests forwarded by the Controller within 30 calendar days. Coaxiom reserves the right to extend this period by up to a further 30 days where the complexity or volume of requests requires it, with notice to the Controller.

7. International Data Transfers

7.1 Transfer Mechanism

Coaxiom's primary infrastructure is located in the United States. Where Personal Data originating from the European Union or European Economic Area is transferred to the United States, such transfers are made pursuant to the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021 (Module Two: Controller to Processor), which are hereby incorporated by reference into this DPA.

7.2 Sub-processor Transfers

Where Sub-processors listed in Section 4 process Personal Data originating from the EU/EEA in countries not recognised as providing an adequate level of data protection, Coaxiom ensures that such Sub-processors have entered into Standard Contractual Clauses or rely on an alternative lawful transfer mechanism recognised under the GDPR.

7.3 Transfer Impact Assessment

Coaxiom has conducted a transfer impact assessment with respect to Personal Data transferred to the United States. Given the nature of the data processed (API usage metadata, email addresses, IP addresses), the technical security measures in place (AES-256 encryption at rest, TLS 1.2+ in transit), and the limited sensitivity of the data categories, Coaxiom is satisfied that the SCCs provide an adequate level of protection for such transfers.

7.4 EU Data Residency

Enterprise customers requiring EU data residency may contact [email protected] to discuss configuration options. Supabase supports EU-region database hosting (AWS eu-central-1) for customers with this requirement.

8. Liability

8.1 Allocation of Liability

Each party shall be liable to the other party for any damage caused by that party's breach of this DPA or the GDPR. Coaxiom's liability under this DPA is subject to and does not exceed the limitations set forth in the Coaxiom Terms of Service.

8.2 Cap on Processor Liability

Coaxiom's aggregate liability to the Controller arising under or in connection with this DPA, whether arising in contract, tort (including negligence), or otherwise, shall not exceed the total fees paid by the Controller to Coaxiom in the twelve (12) months immediately preceding the event giving rise to the claim. This limitation does not apply to liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be limited by law.

8.3 Controller Liability

The Controller is responsible for: (a) ensuring it has a lawful basis for processing Personal Data under the GDPR before instructing Coaxiom to process it; (b) the accuracy and lawfulness of any instructions given to Coaxiom under this DPA; and (c) any liability arising from the Controller's own failure to comply with applicable data protection law.

8.4 Third-Party Claims

If a Data Subject or supervisory authority brings a claim against either party in respect of processing under this DPA, the parties shall cooperate in good faith to defend such claim. Each party shall bear the costs of its own defence. Where a claim arises from a breach by one party, that party shall indemnify the other for any damages, fines, or legal costs awarded against the non-breaching party as a direct result of the breach.

9. Term and Termination

9.1 Term

This DPA is effective from the date it is executed and shall remain in force for the duration of the Agreement between the parties, including any renewal periods. This DPA is coterminous with the main Agreement and shall automatically terminate upon the expiry or termination of the Agreement.

9.2 Effect of Termination

Upon termination of this DPA or the Agreement, Coaxiom shall, within 30 days of the termination date and at the Controller's election:

The Controller must exercise this election in writing no later than 15 days after the termination date. If no election is made, Coaxiom will default to deletion. Upon completion of deletion, Coaxiom will provide written confirmation to the Controller within 5 business days.

9.3 Legal Retention Obligations

Notwithstanding Section 9.2, Coaxiom may retain Personal Data to the extent required by applicable law. In such case, Coaxiom shall inform the Controller of the legal basis and scope of retention and shall ensure the retained data is processed only as required by applicable law and is not used for any other purpose.

10. Governing Law

10.1 General

This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the State of Arizona, United States, without reference to its conflict of laws provisions.

10.2 GDPR Obligations

Notwithstanding Section 10.1, the GDPR obligations under this DPA are interpreted and applied in accordance with applicable European Union data protection law. Where there is a conflict between Arizona law and GDPR requirements, the GDPR shall take precedence in respect of the processing of Personal Data originating from the EU/EEA.

10.3 Dispute Resolution

Disputes arising under this DPA that cannot be resolved by good-faith negotiation shall be submitted to the courts of Maricopa County, Arizona, except that either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the unauthorised use or disclosure of Personal Data.

10.4 Supervisory Authority

Nothing in this DPA limits the right of any Data Subject to lodge a complaint with a competent supervisory authority under the GDPR, or the right of either party to cooperate with a supervisory authority in the investigation of a complaint or inquiry.

11. Execution

Request a Signed DPA

To request a countersigned copy of this Data Processing Agreement, email us with the following information:

We will return a countersigned copy within 5 business days. Signed DPAs are retained by both parties and supersede this online version for the specific customer relationship.

This DPA is published for transparency and customer reference. It constitutes a binding agreement only when executed in writing by both parties. For custom DPA terms, MSAs, or data protection addenda tailored to your jurisdiction, contact [email protected].