Data Processing Agreement
This Data Processing Agreement governs how Procurax processes personal data on behalf of enterprise customers in connection with the Procurax enterprise procurement platform, in compliance with GDPR, UK GDPR, and other applicable data protection laws.
1. Introduction and Scope
This Data Processing Agreement (“DPA”) forms part of the agreement between Procurax Inc. (“Procurax,” “Processor”) and the subscribing organization (“Customer,” “Controller”) for the provision of the Procurax enterprise procurement platform (the “Services”).
This DPA describes how Procurax processes personal data on behalf of the Customer in connection with the Services, and sets out the rights and obligations of each party under applicable data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) where applicable.
This DPA applies to any personal data that Procurax processes as a data processor on behalf of the Customer as data controller, including personal data relating to the Customer's employees, suppliers, contractors, and other individuals whose data is entered into or generated by the Procurax platform.
2. Definitions
In this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person processed by Procurax on behalf of the Customer.
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, alteration, disclosure, or deletion.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Sub-processor” means any third party engaged by Procurax to process Personal Data on behalf of the Customer.
- “Supervisory Authority” means any data protection regulatory authority with jurisdiction over the processing of Personal Data.
- “Standard Contractual Clauses” or “SCCs” means the standard data protection clauses for the transfer of personal data to processors in third countries as approved by the European Commission.
3. Processing Instructions
Procurax shall process Personal Data only in accordance with the documented instructions of the Customer. The Customer's instructions are contained in the agreement for the Services and this DPA. If Procurax is required by applicable law to process Personal Data in a manner that is inconsistent with the Customer's instructions, Procurax shall inform the Customer of this requirement before processing unless prohibited from doing so by law.
The subject matter, nature, purpose, and duration of processing, together with the categories of Personal Data and categories of data subjects, are described in Schedule 1 to this DPA. Procurax processes Personal Data only to the extent necessary to provide the Services and fulfill its obligations under the agreement.
4. Security Measures
Procurax shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, as appropriate:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
- Ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner following a physical or technical incident
- Regular testing and evaluation of the effectiveness of technical and organizational measures
- Role-based access controls and the principle of least privilege
- Multi-factor authentication for all personnel with access to Personal Data
- Annual SOC 2 Type II audit and ISO 27001 certification
5. Sub-processors
The Customer grants Procurax general authorization to engage sub-processors for the processing of Personal Data. Procurax maintains a current list of approved sub-processors, available at support@procurax.io upon request.
Procurax shall inform the Customer of any intended addition or replacement of sub-processors with at least 30 days' prior notice. The Customer may object to a new sub-processor within 15 days of such notice if it has reasonable grounds to believe the new sub-processor cannot process Personal Data in compliance with applicable data protection law. In such cases, the parties shall work in good faith to resolve the objection.
Procurax shall impose data protection obligations on sub-processors that are equivalent to those set out in this DPA, and remains responsible for the acts and omissions of its sub-processors.
6. Data Subject Rights
To the extent permitted by law, Procurax shall promptly notify the Customer if it receives a request from a data subject exercising their rights under applicable data protection law (such as rights of access, erasure, portability, restriction, or objection).
Procurax shall not respond directly to data subject requests unless instructed by the Customer or required by law. Procurax shall provide the Customer with reasonable technical and organizational assistance to fulfill data subject requests within the legally required timeframes.
7. Data Breach Notification
Procurax shall notify the Customer without undue delay, and in any case within 72 hours of becoming aware, of any Data Breach involving Personal Data processed on behalf of the Customer. The notification shall include, to the extent available at the time of notification:
- The nature of the Data Breach, including the categories and approximate number of data subjects and records affected
- Contact details of the Data Protection Officer or other relevant contact
- Likely consequences of the Data Breach
- Measures taken or proposed to address the breach and mitigate its effects
The Customer is responsible for notifying relevant Supervisory Authorities and data subjects as required by applicable law. Procurax shall provide reasonable cooperation and assistance for such notifications.
8. International Data Transfers
Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to Procurax or its sub-processors in countries not recognized as providing an adequate level of data protection, such transfers shall be governed by:
- The Standard Contractual Clauses (SCCs) approved by the European Commission (Regulation (EU) 2016/679, Article 46(2)(c)), incorporated by reference into this DPA; or
- Such other applicable safeguards as recognized under the GDPR or UK GDPR
Customers may request a copy of the applicable SCCs by contacting support@procurax.io
9. Data Deletion and Return
Upon termination or expiry of the agreement, or upon the Customer's written request, Procurax shall securely delete or return all Personal Data processed on behalf of the Customer, unless retention is required by applicable law. Deletion shall be confirmed in writing within 30 days of the request or termination date.
The Customer may export their data from the platform during the subscription term and for 30 days following termination using the platform's data export functionality.
10. Audit Rights
Procurax shall provide the Customer with all information reasonably necessary to demonstrate compliance with this DPA. The Customer may conduct audits or inspections of Procurax's processing activities, either directly or through an appointed third-party auditor, with at least 30 days' prior written notice.
Audits shall be conducted during normal business hours, shall not disrupt Procurax's operations, and shall be subject to appropriate confidentiality obligations. Procurax may satisfy audit requirements by providing its most recent SOC 2 Type II audit report or ISO 27001 certification.
11. Contact and Data Protection Officer
For questions about this DPA, data protection inquiries, or to exercise data subject rights, contact:
- Email: support@procurax.io
- Subject: Include “DPA” or “Data Protection” in the subject line
- Post: Procurax Inc., Data Protection, Washington, D.C., USA
For questions about this document, contact our legal team at support@procurax.io
© 2026 Procurax Inc. All rights reserved.
