IGENPAXY

Data Processing Agreement

Last updated May 1, 2026. This Data Processing Agreement ("DPA") forms part of the agreement between IGENPAXY and the Customer for the provision of marketing services. It applies where IGENPAXY processes Personal Data on behalf of the Customer subject to the GDPR, UK GDPR, or comparable laws.

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR. 'Customer' means the entity contracting with IGENPAXY for services. 'Personal Data' means any information relating to an identified or identifiable natural person.

2. Scope and roles

Customer is the Controller and IGENPAXY is the Processor with respect to Personal Data processed under the services agreement. Each party will comply with applicable data protection laws.

3. Processing instructions

IGENPAXY will process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required by law.

4. Confidentiality and personnel

IGENPAXY ensures personnel authorized to process Personal Data are bound by confidentiality obligations and trained on data protection.

5. Security

IGENPAXY implements appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest, access controls, secure software development practices, and incident response procedures.

6. Sub-processors

Customer authorizes IGENPAXY to engage sub-processors as necessary to provide the services. A current list is maintained at igenpaxy.com/legal/dpa#subprocessors. IGENPAXY will provide notice of new sub-processors and an opportunity to object.

7. Data subject rights

IGENPAXY will provide reasonable assistance to Customer in responding to data subject requests, taking into account the nature of processing and the information available.

8. Breach notification

IGENPAXY will notify Customer without undue delay after becoming aware of a Personal Data breach and provide information reasonably required to comply with notification obligations.

9. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, the parties agree to rely on Standard Contractual Clauses or other adequate transfer mechanisms.

10. Audits

IGENPAXY will make available information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Customer or its mandated auditor, subject to reasonable notice and confidentiality obligations.

11. Deletion

Upon termination of services, IGENPAXY will delete or return Personal Data to Customer, subject to legal retention requirements.

12. Contact

Questions about this DPA: privacy@igenpaxy.com.