Data Processing Agreement

How this works: this page publishes the DPA that applies between loxal (processor) and a business customer (controller) when the customer purchases a service where loxal processes personal data on the customer's behalf — currently, Page Finder (website crawling + search) and the IP Whois & Geolocation API when used against end-user IPs.

Accepting our Terms of Service incorporates this DPA as Art. 28 GDPR terms. If your organisation requires a signed paper copy on your template, email info@loxal.net.

1. Parties

Processor

Alexander Orlov (natural person, trading as "loxal"), Clementine-von-Braunmühl-Weg 11, 81541 München, Germany (see Imprint).

Controller

The customer named in the service order.

2. Subject, nature, and purpose of processing

• Page Finder: crawling and indexing of the controller's Authorized Domains; serving search queries submitted by the controller's end users; logging queries and IP addresses for operational and anti-abuse purposes.
• IP Whois & Geolocation API: returning GeoIP, ASN, and request-metadata responses for IP addresses supplied by the controller's applications; logging API requests for quota, billing, and audit.

3. Categories of data subjects and data

• End users of the controller's website or application.
• Individuals mentioned in crawled public content (names, roles, contact details as published by the controller).
• Data categories: IP addresses, HTTP request metadata, search terms, crawled page content, timestamps. No special-category data (Art. 9 GDPR) is intentionally processed.

4. Duration

For the term of the service agreement, extended by 30 days for data deletion and handover.

5. Obligations of the processor (Art. 28(3) GDPR)

1. Process personal data only on documented instructions from the controller, including as set out in the service order and this DPA.
2. Ensure persons authorised to process the data are bound by confidentiality.
3. Implement appropriate technical and organisational measures (Annex A).
4. Engage sub-processors only under the conditions in § 6 below.
5. Assist the controller with data-subject requests (Art. 12–23 GDPR) and with Art. 32–36 obligations.
6. On termination, delete or return all personal data unless EU or Member-State law requires retention.
7. Make available all information necessary to demonstrate compliance and allow audits, including inspections, conducted by the controller or an independent auditor (§ 9).
8. Notify the controller without undue delay of any personal data breach affecting the controller's data.
9. Immediately inform the controller if, in the processor's opinion, an instruction infringes the GDPR or other EU / Member-State data-protection law.

6. Sub-processors

The controller grants general written authorisation for engagement of the following sub-processors:

• OVH SAS, 2 rue Kellermann, 59100 Roubaix, France — infrastructure hosting (EU).
• Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland — payment processing (not involved in controller's operational data).
• DB-IP (operated by 2VIA S.A., Belgium) — provider of the DB-IP Lite geolocation database under CC BY 4.0. IP addresses are resolved locally against a hosted copy of the database; no end-user IP is sent to DB-IP.

The processor will inform the controller of any intended changes via the email address on file, giving the controller a 14-day objection period. If the controller objects on reasonable grounds, the controller may terminate the affected part of the service.

7. International transfers

All operational processing occurs within the EU. Where a sub-processor above is located outside the EEA, the transfer is safeguarded by Art. 46 GDPR Standard Contractual Clauses.

8. Technical and organisational measures (Annex A)

• TLS 1.2+ for all traffic in and out of the service.
• API-key-gated access with per-key quota enforcement.
• Key material stored as sha256(pepper || key) (peppered server-side).
• Hosting on OVH EU infrastructure (ISO/IEC 27001 at the provider level).
• Backups: see just sync-pluto — encrypted off-site copy to controlled endpoint.
• Access to production is restricted to the operator; audit logs are retained 90 days.
• Breach response: notification to controller within 24 hours of detection; regulator notification within 72 hours (Art. 33).

9. Audits

Controller may audit the processor's compliance on 30 days' notice, no more than once per year unless a material breach has occurred. Audits are conducted at the controller's expense. The processor may fulfil its audit obligation by providing up-to-date third-party certifications or attestations.

10. Liability & jurisdiction

Liability follows the limits set out in the main Terms of Service § 11. German law applies; jurisdiction München, insofar as permitted between Kaufleute / juristische Personen per § 38 ZPO.