This Data Processing Addendum (“DPA”) supplements the Molixa Forge Terms of Service and applies when you, as controller, process personal data through Molixa Forge as processor under the GDPR, UK GDPR, or analogous laws. Countersigned copies are available on request.
Definitions
“Controller,” “Processor,” “Personal Data,” and “Processing” have the meanings given in the GDPR. Molixa Forge acts as Processor for the Personal Data you store in, or route through, the service.
Subject matter and duration
We process Personal Data on your behalf only as necessary to provide the service and for the duration of your subscription, plus the retention periods described in our Privacy Policy.
Nature, purpose, and types of data
The Personal Data processed is whatever you choose to route through the service: primarily IP addresses, usernames, and email addresses of your end-users who appear in server logs or databases you connect. Special categories of data should not be deliberately ingested.
Our obligations as processor
We process Personal Data only on your documented instructions, maintain confidentiality, implement the security measures in the Security page, assist you in responding to data-subject requests, and notify you of any personal-data breach without undue delay and within 72 hours where feasible.
Subprocessors
A current list of subprocessors (payments, email, hosting, CDN) is published at /subprocessors. You may subscribe to notifications when we add or remove a subprocessor; material changes carry a 30-day objection window.
International transfers
Where Personal Data leaves the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (Module Two) with additional safeguards, the UK International Data Transfer Addendum, and the Swiss FDPIC approved clauses. Customers may opt into EU-only processing on Enterprise agreements.
Security
Technical and organizational measures are described in the Security page and include encryption at rest and in transit, least-privilege access, quarterly key rotation, annual penetration testing, and a documented incident-response process.
Data-subject requests
If we receive a request from a data subject directly, we will forward it to you rather than answer it. We will assist you, at no additional charge, in responding within the legal timeframe.
Audits
You may request a copy of our latest SOC 2 Type I report or equivalent assurance documentation under NDA, once per year. On-site audits are available for Enterprise customers at their expense, with reasonable notice.
Deletion and return
On termination you may export all Personal Data through our API or CLI within 30 days. After that window we permanently delete it from primary storage; encrypted backup copies cycle out within 90 days under our standard retention schedule.
Liability
The liability provisions of the Terms of Service apply to this DPA. Where local law imposes additional limits (e.g. under Article 82 GDPR), the higher standard applies.
Contact
To execute this DPA or request a signed copy, email privacy@molixa.app. Our Data Protection Officer can be reached at the same address.