DATA PROCESSING AGREEMENT

Last updated January 15, 2025

1. DEFINITIONS AND INTERPRETATION

This Data Processing Agreement ("DPA") is entered into between Foxtery S.L. ("Processor", "we", "us", or "our"), a company registered in Spain at Calle Marc Aureli 10, Barcelona, Barcelona 08006, and the Corporate Customer ("Controller", "you", or "your"). This DPA is incorporated into and forms part of the Agreement between the parties and reflects the parties' agreement with regard to the Processing of Personal Data.

This DPA applies to all activities where we process Personal Data on your behalf in the course of providing our AI-powered corporate learning platform and related services ("Services"). By using our Services, you acknowledge that you are entering into this DPA and agree to be bound by its terms.

Key Terms and Definitions:

  • "Agreement": The main service agreement between us, including the Terms of Service available at [https://foxtery.com/policies/terms-of-service] and any other incorporated documents.

  • "Applicable Data Protection Laws": Encompasses the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee, and any other applicable data protection or privacy laws and regulations.

  • "Controller": The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For this DPA, you, as our Corporate Customer, act as the Controller.

  • "Processor": A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For this DPA, Foxtery acts as the Processor.

  • "Processing": Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction.

  • "Personal Data": Any information relating to an identified or identifiable natural person ("Data Subject"), including names, identification numbers, location data, online identifiers, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

  • "Customer Data": All data, including Personal Data, that you provide to us or upload to our Services in connection with your use of the Services.

  • "Training Materials": Any content, documentation, or materials you provide or upload for creating or generating learning content, including corporate documents, training manuals, and educational resources used as input for our AI-powered features.

  • "AI Processing": Automated processing of Personal Data using our artificial intelligence technologies, including machine learning algorithms, natural language processing, and automated content generation.

  • "Learning Data": All data related to user interaction with educational content, including progress tracking, completion rates, assessment results, and performance metrics.

  • "Personal Data Breach": Any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

  • "Sub-processor": Any data processor we engage who agrees to receive Personal Data from us for Processing activities carried out on your behalf.

Document Interpretation:

  • References to legal frameworks or legislation include modifications, amendments, and subordinate legislation.

  • Terms like "including," "include," "in particular," or "for example" are illustrative and do not limit the preceding words.

  • Terms such as "commission," "data subject," "member state," "supervisory authority," and others defined in Article 4 of the GDPR carry the same meaning as therein.

  • All terms related to data protection are interpreted in accordance with the GDPR and other Applicable Data Protection Laws.

Legal Hierarchy:

In case of conflict or inconsistency between this DPA, our Privacy Policy, Terms of Service, or any other agreement, the order of precedence is: (1) this DPA, (2) the Terms of Service, (3) the Privacy Policy, (4) any other agreement.


2. SCOPE AND PURPOSE

This DPA covers all processing activities undertaken by us in providing our AI-powered corporate learning platform and related services. We process your Personal Data strictly in accordance with your instructions and only for the purposes described in this Agreement or as otherwise agreed in writing.

Nature and Subject Matter of Processing

Our platform enables:

  • User authentication and account management,

  • Content generation and delivery (including AI-powered content),

  • Progress tracking and assessment,

  • Learning analytics, and related functionalities.

The nature of our processing includes collection, storage, retrieval, use, analysis, and, where requested, anonymization or pseudonymization of Personal Data necessary to deliver and improve these services.

Categories of Data and Data Subjects

  1. Account and Profile Data: e.g., names, emails, job titles for identifying and managing user accounts.

  2. Platform Usage Data: e.g., login records, feature usage patterns for service delivery, security, and analytics.

  3. Learning Data: e.g., course progress, assessment results, completion rates related to user interaction with educational content.

  4. Training Materials: e.g., documents, manuals, resources which may contain Personal Data from third parties if provided by you.

Data Subjects: Primarily your employees, contractors, or other authorized personnel; may extend to individuals (e.g., clients) whose data appears in uploaded materials.

Purposes of Processing

We process Personal Data to:

  • Manage user authentication and permissions,

  • Deliver AI-generated or customized learning content,

  • Track learning performance and enable reports or certificates,

  • Ensure the security, stability, and optimization of the platform,

  • Comply with legal requirements (e.g., fraud prevention, supervisory authority requests),

  • Fulfill our contractual obligations.

We do not use Personal Data for secondary purposes (e.g., marketing) without your explicit authorization.

Data Minimization and Duration

We adhere to data minimization, collecting and processing only the Personal Data necessary for the stated purposes. The duration of processing corresponds to the term of our main service agreement, unless otherwise required by law or agreed in writing.

Transparency and Control

We maintain clarity about how Personal Data is processed. You may contact us in writing for specific configurations or requests related to data handling or retention. We maintain internal transaction logs and documentation for troubleshooting and compliance, available upon request.


3. TERRITORIAL SCOPE

This DPA applies to the processing of Personal Data in the context of our activities, regardless of whether the processing takes place in the European Union (EU) or not, specifically:

  • Processing in the context of our establishment in the EU (primary establishment in Spain, operations in Germany),

  • Processing of Personal Data of Data Subjects in the EU related to offering our Services or monitoring their behavior,

  • Processing of Personal Data outside the EU subject to EU data protection law by virtue of public international law.

For EU customers, we process and store Personal Data primarily within the EU. Any transfer outside the EU complies with Chapter V of the GDPR (see Section 8). For non-EU customers, data may be processed in their region or the EU, with appropriate safeguards per applicable laws.

We comply with regional laws (e.g., UK GDPR, Swiss Federal Data Protection Act) as applicable to our role as a data processor.


4. OBLIGATIONS OF THE DATA CONTROLLER

As the Data Controller, you retain primary responsibility for lawfully collecting and determining the purposes and means of processing Personal Data within our platform. You agree to:

  1. Lawful Basis and Instructions

    • Ensure a valid legal basis (e.g., consent, contract, legitimate interests) for all Personal Data processed.

    • Provide clear, documented instructions via account settings, admin interface, or written communication.

    • Inform us promptly if any instruction might conflict with applicable laws.

  2. Rights and Permissions

    • Obtain necessary rights, authorizations, and consents for Personal Data in Training Materials or uploaded content.

    • Ensure Data Subjects are informed and have consented (or are lawfully subject) to processing within our AI features.

  3. Data Accuracy and Quality

    • Maintain accuracy and quality of Personal Data, updating records as needed.

    • Ensure third-party Personal Data in uploaded materials complies with data protection principles.

  4. Responding to Data Subject Requests

    • Act as the primary contact for Data Subjects exercising rights (e.g., access, rectification, erasure).

    • Handle requests per applicable laws, with our reasonable cooperation.

    • Provide documented instructions for our assistance in fulfilling these requests.

  5. Security Cooperation

    • Follow our security guidance and configure access controls appropriately.

    • Report suspected security incidents to us without delay.

    • Maintain confidentiality of login credentials, API keys, etc.

  6. Documentation and Audit Support

    • Keep records of processing nature, purposes, authorized users, and risk assessments.

    • Provide timely information if we request documentation for compliance or regulatory inquiries.

  7. Risk Assessment and Compliance

    • Evaluate risks of your data processing (including AI functionalities) and conduct Data Protection Impact Assessments (DPIAs) where required.

    • Inform us of special legal or compliance requirements affecting processing.

  8. Sub-processor Review

    • Review our sub-processor list and object if you have legitimate concerns (see Section 7).

    • Propose reasonable alternatives if a new sub-processor risks non-compliance.


5. OBLIGATIONS OF THE DATA PROCESSOR

As your Data Processor, we commit to processing Personal Data per your instructions and applicable laws. We will:

  1. Process Only on Documented Instructions

    • Act solely on instructions via the admin interface, written directives, or agreed channels.

    • Inform you if an instruction seems non-compliant and suspend processing until clarified.

  2. Maintain Confidentiality

    • Ensure personnel are bound by confidentiality agreements or statutory obligations.

    • Limit access to Personal Data to those requiring it for their duties.

  3. Sub-Processor Management

    • Engage sub-processors with adequate data protection commitments equivalent to this DPA.

    • Maintain an updated sub-processor list and notify you of changes.

    • Remain liable for sub-processors’ actions or omissions.

  4. Assistance with Data Subject Requests

    • Provide technical or organizational measures (e.g., platform tools) to assist you.

    • Forward direct Data Subject inquiries to you unless legally required to respond.

  5. Personal Data Breach Notification

    • Notify you without undue delay of a breach, providing required information.

    • Collaborate in investigating and mitigating breach impact.

  6. Compliance and Audit Support

    • Keep records of processing activities, available upon request.

    • Contribute to audits or inspections with reasonable notice during business hours.

  7. Data Return or Deletion

    • Delete or return Personal Data upon service termination, at your choice, except where legally required to retain.

    • Protect retained data under this DPA’s confidentiality and security provisions.

  8. Security Measures

    • Implement and maintain measures outlined in Section 6.

    • Update measures to adapt to threats, technologies, or legal requirements.

  9. AI Processing Safeguards

    • Maintain data separation and anonymization/pseudonymization for AI-generated content.

    • Refrain from using your data for general-purpose AI training without authorization, unless anonymized.


6. SECURITY MEASURES

We implement the following technical and organizational measures to protect Personal Data, regularly reviewed and adapted to evolving threats and best practices:

Infrastructure and Network Security

  • Secure data centers with physical security controls, environmental monitoring, and high availability.

  • Network segmentation, firewalls, and intrusion detection systems; prompt security patches.

Encryption and Key Management

  • TLS for data in transit; AES-256 for data at rest.

  • Secure key management with restricted access and regular rotation; encrypted backups stored separately.

Access Control and Authentication

  • Role-based permissions (need-to-know basis), logged and reviewed.

  • Background checks and confidentiality obligations for employees; strict access lifecycle processes.

Monitoring and Incident Response

  • Logs and metrics to identify issues; anomaly investigation.

  • Documented incident response plan with detection, containment, remediation, and communication steps; post-incident reviews.

Application Security

  • Secure development practices (code reviews, vulnerability scanning); separate environments for development, testing, and production.

  • Isolated AI execution environments to prevent cross-customer data leakage.

AI-Specific Safeguards

  • Logical isolation of data for AI features; anonymization/pseudonymization for model training preserving confidentiality.

Business Continuity and Disaster Recovery

  • Redundant systems, encrypted backups, and tested recovery procedures ensuring service restoration.

Ongoing Security Assessments

  • Regular vulnerability scans, penetration tests, and audits; prioritized fixes based on risk severity.


7. SUB-PROCESSORS

Authorization for Sub-processors

By accepting this DPA, you provide general written authorization to engage sub-processors, subject to conditions in this section and notification of changes.

Current Sub-processors

  • Microsoft Azure: Cloud infrastructure (Germany, US).

  • OpenAI: NLP for content generation/personalization (US/EU).

  • Microsoft Azure AI: Learning pattern analysis (US/EU).

  • NVIDIA AI: Computational acceleration (US/EU).

  • HubSpot: User support and CRM (US/EU).

  • Stripe: Payment transactions (independent controller, US/EU).

Each sub-processor provides a DPA or equivalent terms ensuring compliance with Applicable Data Protection Laws.

Changes and Notifications

  • Updated sub-processor list available upon request.

  • Notification of changes via email (30 days prior) and account dashboard updates.

Objection Rights and Process

  • Object within 14 days of notification with reasonable grounds.

  • We’ll address concerns or allow termination if unresolved within 30 days.

Sub-processor Obligations and Oversight

  • We’re liable for sub-processors; they commit to equivalent data protection obligations via public DPAs or contracts.

  • Sub-processors must process data per our instructions, implement security measures, assist with obligations, and report non-compliance.

Compliance Monitoring

  • Ongoing reviews of sub-processors’ security and data protection practices; detailed records of data flows.

Confidentiality Requirements

  • Sub-processors adhere to confidentiality obligations equivalent to this DPA, surviving termination.


8. INTERNATIONAL DATA TRANSFERS

Primary and Secondary Processing Locations

  • Primary processing in Germany (EEA customers); secondary in the US or other regions for recovery/operations.

  • Preferred data residency options available where feasible.

Lawful Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) or approved frameworks.

  • Transfer Impact Assessments (TIAs) to ensure equivalent protection; supplementary measures (encryption, pseudonymization) if needed.

Additional Safeguards

  • Robust encryption, logging, monitoring, and access controls; data minimization for transfers.

Updates and Notifications

  • Monitor regulatory guidance; inform you if compliance becomes unfeasible, collaborating on remedies.

Documentation and Transparency

  • Records of transfer mechanisms and TIAs available upon request; sub-processors’ SCCs tracked for compliance.


9. DATA BREACH NOTIFICATION

Breach Detection and Initial Response

  • Continuous monitoring; immediate incident response assessing scope, containing risks, and documenting findings.

Notification Requirements

  • Notify you within 72 hours of a confirmed breach with details (nature, affected data, consequences, measures taken).

  • Phased updates as investigation progresses.

Investigation and Documentation

  • Thorough investigation of cause, impact, and response effectiveness; detailed records for compliance.

Cooperation and Support

  • Assist with your notifications, risk assessments, and regulatory inquiries.

Risk Assessment

  • Assess breach severity and impact to determine notification and mitigation needs.

Mitigation and Prevention

  • Implement fixes, enhance monitoring, update policies, and train staff to prevent recurrence.

Communication and Training

  • Clear, timely communications; staff trained on incident response.

Continuous Improvement

  • Update procedures based on incidents, regulations, and best practices; regular testing.


10. DATA RETENTION

General Retention Principles

  • Retain Personal Data only as necessary for its purpose, including service provision and legal compliance.

Service-Related Data Retention

  • Active account data retained during service relationship; learning data per your requirements.

  • AI-generated content retained during subscription, exportable/deletable by you.

Post-Termination Retention

  • 30-day retention post-termination for recovery/export; deletion thereafter, except backups/legal holds.

Legal and Compliance Requirements

  • Retain data for financial, tax, or regulatory purposes as required; longest applicable period applies.

Data Minimization and Review

  • Periodic reviews to delete unnecessary data based on amount, nature, and risk.

Technical Implementation

  • Prompt, secure deletion upon request or termination; backups overwritten per rotation.

Special Circumstances

  • Extended retention for legal holds, disputes, or investigations, secured and purpose-limited.

Documentation and Transparency

  • Detailed retention policies available upon request.

Data Export and Deletion Requests

  • Export/deletion available via platform or support, fulfilled per laws and obligations.


11. FINAL PROVISIONS

Term and Termination

  • Effective upon service acceptance; remains until main agreement termination.

  • Surviving obligations (e.g., confidentiality) continue post-termination.

Amendments and Updates

  • Material changes notified 30 days prior; objection allows termination if unresolved.

Governing Law and Jurisdiction

  • Governed by Spanish law; disputes under exclusive jurisdiction of Barcelona courts.

Severability

  • Invalid provisions replaced with enforceable equivalents; others remain effective.

Precedence

  • DPA takes precedence over conflicting agreements regarding data processing.

Notifications

  • Written notifications to dpo@foxtery.com or our postal address; your contact info must be current.

Audit Rights

  • Compliance evidence (e.g., reports) available; direct audits with 30 days’ notice, once yearly unless justified, during business hours.

Assignment

  • No assignment without consent, except in mergers/acquisitions.

Force Majeure

  • No liability for uncontrollable delays, except payment/data protection obligations.

Entire Agreement

  • DPA and appendices constitute the full agreement on data processing.

Interpretation

  • Headings for convenience; "including" means without limitation.


12. CONTACT INFORMATION

Foxtery S.L.
Calle Marc Aureli 10
Barcelona, Barcelona 08006
Spain
Phone: +34936940325
Email: info@foxtery.com

Company Details:

  • Registration No.: B16372799

  • VAT: ESB16372799

  • Director: Artem Maslov

Payment Details:

  • Account holder: Foxtery S.L.

  • Bank name: BANCO BILBAO VIZCAYA ARGENTARIA S.A.

  • SWIFT/BIC: BBVAESMMXXX

  • IBAN: ES3501821015040202514386

  • Bank Address: C/ SAUCEDA 28, MADRID, Spain

Last updated: January 15, 2025


ANNEX I: DETAILS OF PROCESSING

1. Subject Matter of the Processing

Provision of Foxtery’s AI-powered corporate learning platform and related services per the main Agreement and DPA.

2. Duration of the Processing

  • Term: Duration of the Agreement.

  • Termination: Data deleted/returned per DPA, subject to legal retention obligations.

3. Nature and Purpose of the Processing

  • Nature: Collection, storage, organization, adaptation, AI-based analysis, retrieval, use.

  • Purpose: User account management, AI-powered learning materials, progress tracking, analytics, service improvement/security.

4. Types of Personal Data

  1. Identification Data: Names, emails, job titles.

  2. Login/Authentication Data: Usernames, hashed passwords, tokens.

  3. Contact Data: Business contact details if provided.

  4. Learning Data: Course progress, completion rates, assessment results.

  5. Training Materials: Embedded Personal Data in uploaded content.

  6. Technical Data: IP addresses, browser type, device identifiers, usage logs.

5. Categories of Data Subjects

  1. Employees/contractors using the platform.

  2. Authorized personnel with administrative/instructor roles.

  3. Third parties in uploaded training materials.


ANNEX II: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (TOMS)

1. Physical Access Control

  • Data centers with restricted entry, 24/7 security, CCTV, multi-factor authentication, environmental controls.

2. Logical Access Control

  • Role-based permissions, unique IDs, secure passwords, periodic reviews.

3. Data Access Control

  • Need-to-know access, logged attempts, periodic permission checks.

4. Transmission Control

  • TLS for encrypted communication, VPN for internal connections, security headers.

5. Data Input Control

  • Basic validation, critical event tracking, versioning/backups where feasible.

6. Job Control

  • Processing per instructions, staff training, AI task scheduling to prevent data blending.

7. Availability Control

  • Redundant infrastructure, encrypted backups, cloud redundancy/failover.

8. Separation Control

  • Logical isolation, encrypted multi-tenant data, segregated AI models.

9. Pseudonymization and Encryption

  • Data minimization/pseudonymization, AES-256 at rest, TLS 1.3 in transit, key management.

10. Incident Response and Notification

  • Incident procedure for identification/containment, prompt breach notification, post-incident analysis.

11. Monitoring

  • Vulnerability scans, log reviews, risk-based remediation.

12. AI-Specific Controls

  • Input validation, application-layer isolation, re-identification prevention.


ANNEX III: AUTHORIZED SUB-PROCESSORS AND SUB-PROCESSING ACTIVITIES

Sub-Processor

Location

Service Provided

Microsoft Azure

Germany, US

Cloud infrastructure

OpenAI

US/EU

NLP for content generation

HubSpot

US/EU

User support and CRM

NVIDIA AI

US/EU

Computational acceleration for AI

Stripe

US/EU

Payment transactions (independent controller)

List updated per Section 7 notification procedure.


ANNEX IV: STANDARD CONTRACTUAL CLAUSES (SCCs)

1. SCC Incorporation

  • Controller ("data exporter") and Foxtery ("data importer/processor") enter EU SCCs (Decision 2021/914) for transfers outside the EEA.

2. Interpretation and Precedence

  • SCCs incorporated by reference; prevail over DPA for transfers.

3. Module Selection

  • Module 2: Controller to Processor (typical).

  • Module 3: Processor to Processor (sub-processors in third countries).

4. Appendices to the SCCs

  • Appendix I: Annex I (Details of Processing).

  • Appendix II: Annex II (TOMS).

  • Appendix III: Annex III (Sub-processors).

5. Execution and Effect

  • Executed via main Agreement/DPA; separate signing if required.

6. Supplementary Measures

  • Encryption, pseudonymization, etc., per TIAs.

7. Governing Law of the Clauses

  • EU Member State law recognizing third-party rights (e.g., Ireland, Netherlands).

 

About

Pricing

Features

Blog

Email:

support@foxtery.com

Address:

Marc Aureli 10, Barcelona, 08006, Spain

Privacy Policy

Terms of Use

Data Processing Agreement

Cookie Policy

About

Pricing

Features

Blog

Email:

support@foxtery.com

Address:

Marc Aureli 10, Barcelona, 08006, Spain

Privacy Policy

Terms of Use

Data Processing Agreement

Cookie Policy

About

Pricing

Features

Blog

Email:

support@foxtery.com

Address:

Marc Aureli 10, Barcelona, 08006, Spain

Privacy Policy

Terms of Use

Data Processing Agreement

Cookie Policy

About

Pricing

Features

Blog

Email:

support@foxtery.com

Address:

Marc Aureli 10, Barcelona, 08006, Spain

Privacy Policy

Terms of Use

Data Processing Agreement

Cookie Policy

About

Pricing

Features

Blog

Email:

support@foxtery.com

Address:

Marc Aureli 10, Barcelona, 08006, Spain

Privacy Policy

Terms of Use

Data Processing Agreement

Cookie Policy

Back

Back

Back

Back

Back