Data Processing Agreement

This data processing agreement (hereinafter "Agreement") reflects an agreement with respect to the terms governing the processing of the personal data transferred to Xoxzo Europa OÜ, registry code 14564077, address Sepapaja 6, Tallinn 15551, Estonia (hereinafter "Processor") by its customer during the provision of Service. The term "Service" refers to the service provided by

The term "Customer" refers to a legal person which has fully performed all necessary steps to register to use Service. Customer's acceptance to this Agreement shall form a legally binding agreement between the Customer and Processor.

The Processor and the Customer jointly referred to as the "Parties" and each separately as the "Party", HAVE AGREED on the following terms in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer of the personal data specified in Appendix 1;

1.1 "Data Subject" means an identified or directly or indirectly identifiable natural person.
1.2 "Personal Data" means any information relating to a Data Subject.
1.3 "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.5 "Service" means any services provided to the Customer after it has been founded as a legal entity and during which the Processor may become aware of Data Subjects and their Personal Data which the Customer is processing in its business activity.

2.1 The Parties undertake to comply with all obligations arising from any applicable data protection legislation, including but not limited to the EU General Data Protection Regulation no 2016/679 and the Estonian Personal Data Protection Act.
2.2 The Parties shall refrain from any action, which could result in the other Party's failure to comply with its obligations under the applicable data protection legislation.
2.3 During the provision of Service the Processor may be required to process Personal Data on behalf of the Customer. By this Agreement, the Parties shall agree on Personal Data Processing requirements in order to secure that the Processing complies with the respective data protection law and to ensure the protection of Data Subject's rights.
2.4 Under this Agreement, the Customer is acting as data controller and the Processor is acting as a data processor in the meaning of General Data Protection Regulation.

3.1 Processor shall process the Personal Data only to the extent, and in such a manner, as necessary for the provision of Service.
3.2 Processor confirms that it shall not process the Personal Data for any other purpose which is not specified in the Appendix 1 of this Agreement. To ensure this the Processor shall:
3.2.1 refrain from any personal use, including commercial use, of the Personal Data processed for the provision of Service;
3.2.2 comply and ensure that its own employees or any third parties used by the Processor comply with the principles of the applicable data protection regulation, incl. comply with confidentiality clause; and
3.2.3 provide the Customer with all necessary information to demonstrate that it complies with this Agreement.
3.2.4 process the Personal Data only on behalf of the Customer and in compliance with its instructions and the Agreement.
3.3 If the Processor cannot provide compliance for whatever reasons, it agrees to promptly inform the Customer of its inability to comply, in which case the Customer is entitled to suspend the transfer of data and/or terminate the Agreement.
3.4 Processor shall promptly notify the Customer about:
3.4.1 any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
3.4.2 any accidental or unauthorised access;
3.4.3 any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so.
3.5 Processor shall not transfer the Personal Data being transferred under this Agreement to any third party without the prior written consent of the Customer. Where Processor subcontracts its obligations under this Agreement to a third party then it shall agree on a data processing agreement which imposes the same obligations on the third party as are imposed on the Processor under this Agreement.
3.6 If the Processor wishes to transfer the Personal Data to third parties located in countries outside of the European Economic Area ("EEA"), then Processor shall ensure the application of the appropriate safeguards by those third parties.
3.7 The Processor shall take all appropriate technical and organizational security measures to prevent the destruction, loss or alteration, unauthorized disclosure of Personal Data or unauthorized access to such data, either accidentally or unlawfully.
3.8 If so requested by the Customer and within the timeframes as reasonably determined by the Customer, the Processor shall supply the Customer with full details of the technical and organizational measures in place to safeguard the security of the Personal Data and compliance with this Appendix 2. The Processor shall enable the Customer to carry out security audits and take all necessary steps to verify the implementation of the technical and organizational security measures. All costs related to the fulfilment of the obligations specified herein, incl. costs related to the organization of an audit shall be borne by the Customer. If the fulfilment of the obligations specified herein brings along any costs or loss of revenue to Processor, the Processor has the right to claim reimbursement of costs or loss of revenue from the Customer.
3.9 The Processor shall notify the Customer without undue delay if it becomes aware of any Personal Data Breach. The information notified to Customer shall describe the nature of the Personal Data Breach, incl., where possible, the following:
3.9.1 the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
3.9.2 the name and contact details of the data protection officer or other contact point where more information can be obtained;
3.9.3 the description of the likely consequences of the Personal Data Breach; and
3.9.4 the description of the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.1 With this Agreement, the Parties shall not be released from the obligations applicable from the respective data protection laws.
4.2 The Processor shall not be liable for any damages arising from the Customer's willful misconduct in Processing the Personal Data.

5.1 This Agreement becomes effective when signed by both Parties and remains in force until the fulfilment of the obligations arising from the provision of Service or the Service Agreement.
5.2 Either Party has the right to terminate the Agreement by written notice to the other Party by giving 30 days' advance notice.
5.3 The Parties agree that upon the termination of the Agreement, the Processor shall return all the Personal Data transferred and the copies thereof to the Customer or shall destroy all the Personal Data and certify in writing to the Customer that it has done so, unless legislation imposed upon the Processor prevents it from returning or destroying all or part of the Personal Data transferred. In that case the Processor is obligated to ensure the confidentiality of Personal Data transferred by the Customer and cease further Processing of the Personal Data.

6.1 This Agreement, along with any appendices attached hereto and incorporated herein by reference, sets forth the entire agreement between the Parties in this subject matter and supersedes any prior proposals and representations between the Parties, whether written or oral.
6.2 Amendments and supplements to the Agreement shall only be deemed valid if agreed on by the Parties and if the declarations contained in such an agreement are expressed in writing. Amendments to the Agreement shall be deemed to be integral annexes to the Agreement.
6.3 This Agreement is governed by and construed in accordance with the laws of Estonia. Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or validity thereof will be finally settled by Harju County Court as the court of first instance.


1. Categories of Personal Data and Data Subjects
1.1. The Personal Data concern the following categories of individuals and Personal Data:
• Customer's name, avatar, billing address, contact email, contact phone, VAT number, evidence of actual location for EU VAT purposes.

2. Purposes of the data Processing
2.1. The Personal Data will be processed for the following purposes during the provision of Service:
• Customer's billing and payment collection
• Provisioning and fulfilling Service for the Customer 
• Contacting Customer on important announcements concerning Service

3. Processing activities
3.1. The Personal Data will be subject to the following Processing activities and processing by the following IT solutions of the Processor and third-party processors:
• Preparation of payments, collection, storage, structuring, processing, modification, deletion of Customer's payment transaction data - Paypal, Paddle, Stripe, Xoxzo Inc ( and LeapIN
• Hosting, data and file storage, backup of Processor's software solution: Amazon Web Services
• Sending notifications to customers: Sendgrid and Drip
• General management and development works on Service: Xoxzo Inc (


1. Applicable measures
1.1. Processor assigns the access rights to the Personal Data Processing system to the minimum extent necessary for the provision of Service. The Processor confirms that access to any Personal Data is provided only to its employees who need the access for the provision of Service.
1.2. Processor cancels the access right of the Personal Data Processing system without delay when the Personal Data handler is changed due to the personnel shift or retirement.
1.3. When the Processor issues a user account that can access the Personal Data Processing system, it issues a user account for each Personal Data handler and shall not share it with other Personal Data handlers.
1.4. Processor is using multi-location data backup servers which are configured to perform full, incremental, and differential data backup and follow a predefined schedule.

2. Prevention from malicious programs
2.1. Processor has installed firewall protections on all its servers that can prevent and treat malicious programs, and maintains the latest status through automatic update of the security program.
2.2. Processor's security team is continuously monitoring event logs, notifications and alerts from all systems to identify and manage threats.

3. Information security incident management
3.1. Information security events are reported to the Customer as quickly as possible.
3.2. All employees of the Processor are aware of the procedure for reporting information security events and the point of contact to which the events should be reported.

Last updated: Jan 9, 2019
