Data Processing Agreement (DPA)

1. Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between RixForge Ltd (“Processor”) and its customers (“Controller”) and governs how we handle personal data on your behalf.

This DPA ensures compliance with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679).

2. Roles & Responsibilities

You, the customer, are the data controller — determining the purpose and means of data processing. RixForge Ltd acts as your data processor — processing data only under your documented instructions.

3. Purpose of Processing

We process personal data solely to provide, maintain, and support the services you use — including secure storage, backups, support, and feature functionality.

4. Types of Data & Data Subjects

• Data Subjects: Your users, staff, collaborators, and clients
• Data Types: Names, email addresses, project/task metadata, access logs (if enabled)

Sensitive personal data is not required to use our services. Any such data is processed at your discretion.

5. Security & Confidentiality

RixForge Ltd implements technical and organizational measures to protect personal data, including:

• Data encryption at rest and in transit
• Secure access control and logging
• Regular software updates and backups
• Principle of least privilege for staff access (if any)

6. Subprocessors

We use minimal subprocessors, disclosed transparently. All subprocessors are GDPR-compliant and located in the EU or in jurisdictions with adequate safeguards.

We will notify you before engaging any new subprocessor.

7. International Data Transfers

Personal data is processed primarily in the European Economic Area (EEA). If transfers occur outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.

8. Assistance With Data Subject Rights

We will assist you in fulfilling data subject requests — such as access, correction, deletion, or export — where technically feasible and legally required.

9. Data Retention & Deletion

Upon termination of your account, we will delete or return all personal data within 30 days, unless legal obligations require otherwise.

You may also request early data erasure at any time.

10. Audits & Transparency

Upon reasonable notice, we will provide information necessary to demonstrate compliance with this DPA. On-site audits may be conducted if required by law or supervisory authority.

11. Changes to This Agreement

We may revise this DPA from time to time. Material changes will be communicated in advance via email or within the platform.

12. Contact

If you have any questions about this DPA or your data rights, contact us at privacy@rixforge.com.