Initial working version · formal legal review scheduled before commercial launch. This document does not replace signing the main services contract.
⚠️ This is a reference translation. The Spanish version is legally binding.
This DPA regulates RAXAR's responsibilities as data processor when we process personal data on behalf of our clients (controllers) under contracted services. It complies with the GDPR (EU 2016/679), Spanish Organic Law 3/2018 (LOPDGDD), and European regulations on international transfers.
1. Parties and Scope
This Data Processing Agreement ("DPA") regulates RAXAR's obligations as data processor when we provide services to a client ("Controller") who, in the normal course of contracting, instructs us to process personal data of third parties (employees, end customers, prospects) on their behalf.
— Data Controller: the client contracting RAXAR services.
— Data Processor: SOLUTIONS RAXAR, S.L. (brand "RAXAR") · Tax ID B88688205 · C/ Cardenal Parrado, 3, Esc. 2, 18013 Granada (Spain).
— Processing purpose: execution of contracted SaaS services (automation, dashboards, autonomous agents, integrations, training, strategic consulting).
This DPA is automatically integrated into the main contract signed with the client. It prevails over any contradictory condition of the main contract regarding data protection.
2. Nature and Purpose of Processing
RAXAR will process the Controller's personal data exclusively for the purposes described in the services contract:
— Provision of contracted SaaS services (lead processing, email triage, candidate scoring, document analysis, system monitoring, etc.).
— Execution of automations and workflows configured by the client or under their instructions.
— Storage, processing, and return of results to the client via the RAXAR platform and integrated channels.
— Technical support and incident resolution (when explicitly requested by the client).
RAXAR will not use Controller data for its own purposes (model training, commercial benchmarking, assignment to third parties, cross-profiling between clients). Multi-tenant isolation is applied at database level via Row Level Security (RLS) and client_id identification in all operations.
3. Data Subject Categories and Data
Depending on contracted service, processed personal data may include:
— Contact data — name, email, phone, company, position.
— Professional data — CV, experience, training (for Talent Management).
— Communications — incoming/outgoing emails, chat conversations (for Smart Inbox/AI Support Chat).
— Operational financial data — invoices, orders, accounting documents (for Smart Collections and Document Intelligence).
— Technical data — logs, usage metrics, session identifiers (for monitoring and analysis).
The Controller guarantees having obtained the appropriate legal bases for RAXAR to process this data on their behalf.
4. Processor (RAXAR) Obligations
RAXAR commits to:
— Process personal data only following documented instructions from the Controller.
— Ensure that personnel authorized to process data are subject to binding confidentiality duties.
— Apply appropriate technical and organizational measures per Art. 32 GDPR (see section 6).
— Assist the Controller in fulfilling their GDPR obligations, including:
· Attention to data subject rights (access, rectification, erasure, portability, restriction, objection) within 15 calendar days from request.
· Impact assessments (DPIA) related to processing performed by RAXAR.
· Security breach notification (without undue delay, never beyond 48 hours from knowledge).
— Allow reasonable audits by the Controller or an external auditor designated by them, with 30 calendar days prior notice.
— Return or delete personal data at end of services, per Controller instructions (see section 8).
5. Sub-processors
RAXAR uses the following sub-processors to provide the contracted services. The client gives general consent to sub-processing by signing the contract; any substantial change will be notified with 30 days' notice to allow a reasoned objection.
— Hostinger International Ltd. (Cyprus) — VPS hosting (EU servers).
— Anthropic PBC (USA) — NLP processing for ARIA and agents. Transfer protected via EU-approved Standard Contractual Clauses (SCCs 2021/914).
— Groq Inc. (USA) — High-speed NLP processing. SCCs applicable.
— PostHog Inc. (EU Cloud) — Product analytics. EU servers.
— Stripe Payments Europe Ltd. (Ireland) — Payment processing (only B2B billing data, no access to client data subjects).
— Sanity.io (Norway / EEA) — Public content management (no client personal data).
The complete updated list is in Annex III. Change notifications are sent to the Controller's registered contact email with 30 days' notice.
6. Security Measures (Art. 32 GDPR)
RAXAR applies the following technical and organizational measures, periodically reviewed:
Technical:
— Encryption in transit (TLS 1.3) for all communications between client, dashboard, and backend.
— Encryption at rest for sensitive data (AES-256) at database layer.
— Multi-tenant isolation via Row Level Security (RLS) in PostgreSQL with 140+ active policies in production schema.
— Mandatory multi-factor authentication (2FA) for administrative platform access.
— Periodic rotation of credentials and access tokens (at least quarterly; immediately following an incident).
— Centralized logging, real-time monitoring (Uptime Kuma, GlitchTip), and guardrails on all AI model calls.
— Automatic daily backups with offsite retention in geographically separated location.
— Sandboxing and strict allowlist validation for any AI-generated code execution.
Organizational:
— Least privilege principle and granular RBAC (4 roles: superadmin, admin, team, client).
— Signed confidentiality commitment by all personnel with data access.
— Documented incident response policy with defined RTO/RPO.
— GDPR and security training for the team.
— Annual review of providers and sub-processors.
7. International Transfers
When a service requires transferring data to a country outside the European Economic Area (EEA), RAXAR guarantees one of the following:
— Transfer to countries with European Commission adequacy decision, or
— Standard Contractual Clauses (SCCs 2021/914) in force, complemented with additional measures required after Schrems II ruling (C-311/18), or
— Applicable Binding Corporate Rules (BCRs) of the sub-processor.
Current sub-processors with international transfer are Anthropic and Groq (USA), both with signed SCCs. If the client reasonably objects to a specific transfer, RAXAR will offer available alternatives (e.g. routing to local models on RAXAR tower via privacy_mode) or, if impossible to maintain service without that transfer, termination of the affected service.
8. Retention and Return / Erasure
During contract validity, RAXAR will retain data for the strictly necessary time for service provision, per Controller instructions.
At contract end (for any reason), the Controller has 30 calendar days to choose between:
— Return of data in structured format (CSV, JSON, SQL dump), or
— Certified erasure of all processed data, including backup copies.
After 30 days without instruction, RAXAR will proceed by default to certified erasure. Offsite backups are purged per established cycle (maximum retention: 90 days post-erasure). RAXAR will issue an erasure certificate on Controller request.
RAXAR may retain strictly necessary data to comply with its own legal obligations (tax billing, claim defense) for the minimum time legally required.
9. Security Breach Notification
If RAXAR becomes aware of a security breach affecting personal data processed on behalf of the Controller (per Art. 4.12 GDPR), it will notify the Controller without undue delay and, in any case, within 48 hours of becoming aware of it.
The notification will include, to the extent available:
— Nature of breach and categories / approximate volume of data subjects and data affected.
— Probable consequences and measures adopted or proposed to mitigate effects.
— Contact details of RAXAR's Security Officer.
— Investigation status and notification plan to data subjects and authorities, if applicable.
RAXAR will maintain an internal breach register available to the Controller or supervisory authorities.
10. Data Subject Rights
RAXAR will assist the Controller in handling data subject requests (access, rectification, erasure, restriction, portability, and objection rights) via:
— A dedicated channel for request transmission: privacidad@raxar.es.
— Self-service tools on the RAXAR platform when request volume justifies it.
— Technical response within 15 calendar days from Controller's request reception, to allow Controller to respond to data subject within the legal 30-day period.
The Controller is the only party entitled to respond directly to the data subject; RAXAR will not contact the data subject on its own initiative except on explicit instruction.
11. Validity, Applicable Law, and Termination
This DPA enters into force with signing of the main services contract and remains valid while said contract lasts plus the post-termination retention period (section 8).
This DPA is governed by the applicable Spanish and European data protection legislation (GDPR, LOPDGDD). For any dispute related to this DPA, the parties submit, with express waiver of any other venue, to the Courts and Tribunals of Algeciras (Spain), unless regulations applicable to the Controller or the data subjects impose another mandatory venue.
Any modification of this DPA requires written agreement. RAXAR may update the sub-processor list and the security measures per the procedures described in sections 5 and 6, notifying the Controller with the notice period provided for there.
12. Impact Assessment (DPIA)
RAXAR makes available to the Controller, on request, the following documentation to assist in Data Protection Impact Assessment (DPIA · Art. 35 GDPR):
— Technical datasheet of processing performed by our systems.
— Data flow diagram and intervening sub-processors.
— Risk assessment and mitigation measures applied (from our internal templates).
— Register of processing activities (RoPA · Art. 30) related to contracted services.
Requests to privacidad@raxar.es · response within 15 calendar days.
13. Contact
For any question related to this DPA or personal data protection at RAXAR:
— Dedicated email: privacidad@raxar.es
— General contact: hello@raxar.es
— Legal contact: legal@raxar.es
— Designated Officer (DPO): RAXAR is not legally required to appoint a DPO (Art. 37 GDPR · no large-scale systematic monitoring or large-scale processing of special categories as its main activity). The dedicated channel privacidad@raxar.es is managed by the management team with formal responsibility for data protection.
The competent supervisory authority in Spain is the Spanish Data Protection Agency (AEPD, www.aepd.es). Data subjects affected by processing performed by RAXAR as processor can file claims before the AEPD or the competent authority of their residence.
Annex I · Processing Details
Purpose: provision of SaaS automation and AI services per main contract.
Duration: while services contract is in force + post-termination retention period defined in section 8.
Processing nature: collection, structuring, storage, consultation, use, communication (to the Controller themselves), conservation, erasure, or destruction of personal data.
Specific purpose: provision of contracted product functionalities (e.g. automatic triage of incoming emails, lead scoring, etc.).
Personal data type: contact, professional, communications, operational financial, and technical data per service (detailed in section 3).
Data subject categories: employees, customers, prospects, candidates, and any other natural person whose data the Controller enters into the RAXAR platform or authorizes to be processed there.
Annex II · Technical and Organizational Measures (TOMs)
Measures implemented by RAXAR per Art. 32 GDPR:
A. Pseudonymization and encryption of personal data:
— Encryption in transit TLS 1.3.
— Encryption at rest AES-256 for sensitive data.
— Logical pseudonymization via tenant_id in all operational tables.
B. Permanent confidentiality, integrity, availability, and resilience of systems:
— RLS (Row Level Security) with 140+ active policies.
— Mandatory 2FA for administrators.
— Automatic daily backups with integrity verification.
— Resilient architecture with auto-healing containers and 24/7 monitoring.
C. Ability to quickly restore availability and data access in case of incident:
— Target RPO: 24 hours.
— Target RTO: 4 hours for critical services · 8h for non-critical.
— Documented incident response runbooks.
D. Process of regular verification, evaluation, and assessment of effectiveness:
— Quarterly technical audits.
— Semi-annual disaster recovery tests.
— Annual review of providers and sub-processors.
— Centralized logs with 90-day retention for forensics.
Annex III · Authorized Sub-Processors
Updated list of sub-processors with potential access to Controller personal data. The current list is maintained at raxar.es/dpa/subprocesadores and any substantial change is notified to the Controller by email with 30 days' notice.
Infrastructure:
— Hostinger International Ltd. (Cyprus · EU servers · ISO 27001) · VPS hosting.
AI models (international transfer · SCCs 2021/914):
— Anthropic PBC (USA) · general NLP processing.
— Groq Inc. (USA) · fast NLP processing.
— OpenAI (USA) · occasional use per Controller configuration.
Analytics and observability:
— PostHog Inc. (EU Cloud) · aggregated anonymized product analytics.
— GlitchTip (self-hosted on our EU infrastructure) · technical error tracking.
Communication and email:
— Self-hosted Stalwart infrastructure (EU · no external email sub-processor).
Payments:
— Stripe Payments Europe Ltd. (Ireland · EU) · payment processing (Controller B2B billing data · no data subject data).
Public content CMS:
— Sanity.io (Norway · EEA) · no Controller personal data.
The Controller may reasonably object to any sub-processor within 30 calendar days of notification. If it is impossible to maintain the affected service without that sub-processor, the parties will agree on a reasonable solution (technical alternative, exclusion of the affected service, or partial termination without penalty).