Data Processing Agreement (DPA)
This page provides a template Data Processing Agreement (DPA) for Ovyxa customers. Business customers can download this template or request a signed copy.
Overview
Under GDPR, when you use Ovyxa to process analytics data about your website visitors:
- You (the customer) are the Data Controller
- Ovyxa is the Data Processor
- A DPA is required to govern this relationship
This agreement ensures compliance with GDPR Article 28 (Processor obligations).
DPA Template
DATA PROCESSING AGREEMENT
Effective Date: [Date of Agreement]
Between:
Data Controller:
- Legal Name: [Your Company Name]
- Address: [Your Address]
- Contact: [Your Email]
- ("Customer" or "Controller")
and
Data Processor:
- Legal Name: Ovyxa SAS
- Address: [Ovyxa Address], France
- Contact: legal@ovyxa.com
- ("Ovyxa" or "Processor")
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
Terms used in this DPA have the meanings given in the GDPR:
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Data Subject" means the individual to whom Personal Data relates
- "Processing" means any operation performed on Personal Data
- "Sub-processor" means any entity engaged by Ovyxa to process Personal Data
1.2 Agreement Hierarchy
This DPA forms part of and supplements the Ovyxa Terms of Service. In case of conflict, this DPA prevails on data protection matters.
2. SCOPE AND PURPOSE OF PROCESSING
2.1 Subject Matter
Ovyxa will process Personal Data solely for the purpose of providing analytics services to the Customer as described in the Service Agreement.
2.2 Nature of Processing
- Collection: Receiving analytics events from Customer's websites
- Storage: Storing event data in Ovyxa infrastructure
- Analysis: Aggregating and analyzing data for reporting
- Retrieval: Providing access to reports and dashboards
2.3 Duration
Processing will continue for the duration of the Service Agreement and for the retention period specified in Customer's site settings (6-36 months), unless earlier termination or deletion is requested.
2.4 Categories of Data Subjects
- Website visitors who visit Customer's websites
- Users who trigger custom events on Customer's websites
2.5 Types of Personal Data
Ovyxa processes the following categories of Personal Data:
| Category | Data Elements |
|---|---|
| Technical Data | IP address (transient, not stored), User-Agent string (parsed, categories only stored) |
| Online Identifiers | None (cookie-less mode) or localStorage ID (opt-in mode only) |
| Usage Data | Page URLs, referrer URLs, event names, event properties |
| Derived Data | Country code, browser type, device type, operating system |
Special Categories (Article 9): None. Ovyxa does not process sensitive personal data.
3. OBLIGATIONS OF THE PROCESSOR
3.1 Compliance with Instructions
Ovyxa shall:
- Process Personal Data only on documented instructions from the Customer
- Not process Personal Data for any other purpose
- Immediately inform Customer if instructions violate GDPR or other EU/Member State data protection laws
3.2 Confidentiality
Ovyxa ensures that persons authorized to process Personal Data:
- Are bound by confidentiality obligations (contract or statutory)
- Receive appropriate training on GDPR compliance
- Access Personal Data only as necessary for their role
3.3 Security Measures
Ovyxa implements appropriate technical and organizational measures:
Technical Measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- IP address pseudonymization (not stored raw)
- Automated vulnerability scanning
- Secure key management (KMS)
- Regular security patching
Organizational Measures:
- Role-based access control (RBAC)
- Two-factor authentication for staff
- Access logging and monitoring
- Incident response procedures
- Annual security audits
- Staff security training
3.4 Sub-processors
3.4.1 Authorization
Customer authorizes Ovyxa to engage sub-processors listed in Annex A and at https://ovyxa.com/subprocessors
3.4.2 Sub-processor Requirements
Ovyxa ensures that sub-processors:
- Are bound by data protection obligations equivalent to this DPA
- Provide sufficient guarantees of security measures
- Are located within the EU/EEA (no third-country transfers)
3.4.3 Changes to Sub-processors
Ovyxa will:
- Notify Customer at least 30 days before adding/replacing sub-processors
- Provide Customer an opportunity to object for legitimate data protection reasons
- Allow Customer to terminate the agreement if objection is not accommodated
3.5 Data Subject Rights
Ovyxa will assist Customer in responding to Data Subject requests.
Assistance includes:
- Providing relevant Personal Data in machine-readable format
- Deleting or restricting processing of Personal Data
- Technical support for rectification requests
Response time: Within 7 business days of Customer's request
Fees: No additional fees for up to 5 requests per year. Additional requests may incur reasonable fees.
4. DATA TRANSFERS
4.1 Location of Processing
All Personal Data is processed and stored within the European Union and European Economic Area.
Primary data centers:
- France (OVHcloud, Scaleway)
- Germany (Hetzner)
4.2 No Third-Country Transfers
Ovyxa does not transfer Personal Data outside the EU/EEA. If such a transfer becomes necessary:
- Customer will be notified 60 days in advance
- Appropriate safeguards (Standard Contractual Clauses, etc.) will be implemented
- Customer may terminate the agreement without penalty
5. DATA SECURITY AND BREACH NOTIFICATION
5.1 Security Audits
Customer has the right to:
- Request annual security documentation (SOC 2 Type II or equivalent)
- Conduct audits (subject to reasonable notice and confidentiality)
- Engage third-party auditors (Customer bears costs)
5.2 Personal Data Breach
In the event of a Personal Data breach, Ovyxa will:
- Notify Customer without undue delay, no later than 48 hours after becoming aware
- Provide details including:
  - Nature of the breach
  - Categories and approximate number of affected Data Subjects
  - Likely consequences
  - Measures taken or proposed to address the breach
- Cooperate with Customer's investigation and remediation efforts
- Document all breaches (regardless of notification requirement)
Ovyxa will NOT notify Data Subjects or authorities directly (Customer's responsibility as Controller).
6. DATA RETENTION AND DELETION
6.1 Retention Period
Personal Data is retained according to Customer's site settings:
- Free tier: Up to 12 months
- Pro plans: 24-36 months (configurable)
6.2 Deletion on Termination
Upon termination or expiry of the Service Agreement:
- Customer may export all Personal Data (30-day grace period)
- Ovyxa will delete or return all Personal Data within 30 days
- Copies in backups will be securely deleted per retention schedule (max 90 days)
6.3 Deletion on Request
Customer may request deletion at any time:
- Via account settings (self-service)
- By email to support@ovyxa.com
- Deletion completed within 30 days
7. LIABILITY AND INDEMNIFICATION
7.1 Liability
Ovyxa is liable for damages caused by Processing that violates GDPR, subject to limitations in the Terms of Service.
7.2 Customer Indemnification
Customer agrees to indemnify Ovyxa against claims arising from:
- Customer's instructions that violate applicable laws
- Customer's failure to obtain necessary consents from Data Subjects
- Customer's violation of this DPA
8. TERM AND TERMINATION
8.1 Term
This DPA takes effect on the Service Agreement effective date and remains in force for the duration of the Service Agreement.
8.2 Termination Rights
Either party may terminate if the other:
- Materially breaches this DPA and fails to remedy within 30 days
- Is unable to comply with GDPR obligations
8.3 Survival
Sections 3.2 (Confidentiality), 5 (Security), 6 (Deletion), and 7 (Liability) survive termination.
9. GENERAL PROVISIONS
9.1 Governing Law
This DPA is governed by the laws of France, in accordance with the Terms of Service.
9.2 Jurisdiction
Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Paris, France.
9.3 Amendments
Ovyxa may update this DPA to reflect:
- Changes in applicable law (GDPR, local laws)
- Guidance from supervisory authorities
- Industry best practices
Customer will be notified 30 days in advance of material changes.
9.4 Severability
If any provision is held invalid, the remainder of this DPA remains in effect.
ANNEX A: SUB-PROCESSORS
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| OVHcloud | Infrastructure hosting | France | GDPR-compliant DPA |
| Scaleway | Infrastructure hosting | France | GDPR-compliant DPA |
| Hetzner | Infrastructure hosting | Germany | GDPR-compliant DPA |
| Stripe (EU) | Payment processing | Ireland | Standard Contractual Clauses |
Last updated: [Date]
Full list: https://ovyxa.com/subprocessors
SIGNATURES
For Customer (Data Controller):
Signature: _______________________ Name: [Name] Title: [Title] Date: [Date]
For Ovyxa SAS (Data Processor):
Signature: _______________________ Name: [Name] Title: [Title] Date: [Date]
How to Use This Template
For Free Tier Customers
The DPA is incorporated by reference in the Terms of Service. No separate signature required.
For Business/Enterprise Customers
To obtain a signed DPA:
- Email us: legal@ovyxa.com or sales@ovyxa.com
- Provide:
  - Your company legal name and address
  - Authorized signatory details
  - Any specific DPA requirements (we'll accommodate if possible)
- Review: We'll send you a customized DPA within 5 business days
- Sign: Electronic or wet signature accepted
- Receive: Fully executed copy for your records
Custom DPA Requirements
We can accommodate reasonable modifications:
- Additional security measures
- Enhanced audit rights
- Stricter deletion timelines
- Specific sub-processor exclusions
- Extended liability provisions
Contact our legal team to discuss custom requirements.
Additional Resources
Questions?
- Legal inquiries: legal@ovyxa.com
- DPA requests: sales@ovyxa.com
- Data Protection Officer: dpo@ovyxa.com
We're committed to making compliance easy for our customers.