Skip to content

Data Processing Agreement

Last updated: March 1, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between cajeX ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller. This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant legislation.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means any unauthorized access to, or acquisition, use, or disclosure of Personal Data.

3. Scope and Purpose of Processing

The Processor shall process Personal Data only to the extent necessary to provide the Service as described in the Terms of Service. The categories of data processed include:

  • User account information (name, email, company).
  • Authentication and access log data.
  • Architecture project data and associated metadata.
  • Usage analytics and platform interaction data.

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist the Controller in responding to data subject requests.
  • Notify the Controller without undue delay upon becoming aware of a Data Breach.
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice.

5. Sub-processors

The Processor may engage Sub-processors to assist in providing the Service. The Processor shall maintain a current list of Sub-processors and shall notify the Controller of any intended changes. The Controller may object to a new Sub-processor within 30 days of notification. The Processor shall ensure that all Sub-processors are bound by data protection obligations no less protective than those in this DPA.

6. Data Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission. Where data is processed in the United States, transfers are protected under the EU-US Data Privacy Framework where applicable.

7. Security Measures

The Processor implements the following security measures:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3).
  • Multi-tenant data isolation with strict access controls.
  • Regular security assessments and penetration testing.
  • Incident response procedures with defined escalation paths.
  • Employee security awareness training.
  • Access logging and monitoring with correlation IDs.

8. Data Breach Notification

In the event of a Data Breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

9. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller. The Processor shall provide documentation of its security practices upon reasonable request.

10. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service. Upon termination, the Processor shall delete or return all Personal Data within 30 days, unless retention is required by applicable law. The Controller may request a certificate of deletion.

11. Contact

For questions about this DPA, please contact our Data Protection Officer at privacy@cajex.ai.