Data Processing Agreement

1. Definitions

• "Customer" — the natural or legal person who has accepted the Proxylang Terms of Service and on whose behalf Proxylang processes Personal Data.
• "Processor" — Proxylang, operated by TITUS TIMOTHY DAVID (Korean business registration 797-28-01733).
• "Customer Personal Data" — Personal Data that Customer makes accessible to the Service for translation, analytics, or sitemap delivery.
• "Data Protection Laws" — GDPR (EU 2016/679), UK GDPR, Korean PIPA, California CCPA/CPRA, and any other applicable privacy law.
• "Subprocessor" — any third party engaged by Processor to process Customer Personal Data on Processor's behalf.

2. Roles and Scope

Customer is the Controller of Customer Personal Data. Processor acts as Processor and processes Customer Personal Data only to provide the Service in accordance with Customer's documented instructions, the Terms of Service, and this DPA.

The categories of data subjects, types of Personal Data, and purposes of processing are described in the Privacy Policy and incorporated by reference. Processing lasts for the duration of the Customer's account plus any retention periods specified there.

3. Processor Obligations

• Process Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law.
• Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational measures (Section 6).
• Assist Customer with data subject requests, data protection impact assessments, and prior consultations with supervisory authorities (Sections 7–8).
• Notify Customer without undue delay after becoming aware of a Personal Data Breach (Section 9).
• Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits (Section 10).
• At Customer's choice, return or delete all Customer Personal Data after the end of provision, unless retention is required by law.

4. Customer Obligations

• Maintain a valid legal basis under applicable Data Protection Laws for all processing carried out via the Service.
• Provide notice to and obtain any required consent from data subjects (including website visitors, in Full Proxy mode).
• Configure the Service in accordance with Customer's compliance obligations.

5. Subprocessors

Customer authorizes Processor to engage Subprocessors to process Customer Personal Data. The current list is published at /docs/subprocessors.

Processor will notify Customer of any intended additions or replacements of Subprocessors at least 30 days in advance, giving Customer the opportunity to object. If Customer objects on reasonable grounds related to data protection, Customer may terminate the affected portion of the Service.

Processor remains liable for the acts and omissions of its Subprocessors with respect to obligations under this DPA.

6. Security Measures

• Encryption in transit (TLS 1.3) and at rest where supported by infrastructure.
• Strong authentication (PKCE OAuth flow), password hashing, MFA available.
• Principle of least privilege for personnel access; production access limited to authorized engineers.
• Salted SHA-256 hashing of visitor IP and User-Agent before storage; raw IPs are not retained.
• Automatic PII redaction before transmission to AI translation providers.
• DDoS protection, WAF, and bot management via Cloudflare.
• Logging and monitoring of administrative actions.
• Documented incident response procedures.

7. Data Subject Rights Assistance

Taking into account the nature of the processing, Processor will assist Customer by appropriate technical and organizational measures to fulfill Customer's obligation to respond to data subject requests. Customer can request such assistance by emailing hello@proxylang.dev.

8. International Transfers

Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country not deemed adequate, the parties agree to rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), and where applicable the UK International Data Transfer Addendum, which are incorporated into this DPA by reference. Module Two (Controller to Processor) applies as between the parties.

9. Personal Data Breach Notification

Processor will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

10. Audits

Processor will make available to Customer, upon written request, all information necessary to demonstrate compliance with Article 28 GDPR. This obligation may be satisfied by providing third-party audit reports (e.g. Cloudflare SOC 2, Supabase SOC 2). Customer may, no more than once per year and at Customer's expense, conduct a further audit on reasonable advance written notice, subject to Processor's confidentiality requirements.

11. Return or Deletion

Upon termination or expiry of the Service, Processor will, at Customer's choice, return or delete Customer Personal Data within 30 days, unless retention is required by applicable law (e.g. tax and billing records). Subprocessor copies will be deleted in accordance with their respective retention policies.

12. Liability

Each party's liability under this DPA is governed by the limitation of liability provisions of the Terms of Service.

13. Governing Law

This DPA is governed by the laws of the Republic of Korea. Where EU/UK/Swiss data protection law mandates a different governing law for the Standard Contractual Clauses, that law applies to those clauses.

14. Countersign

Customer's acceptance of the Terms of Service constitutes acceptance of this DPA. To request a signed counterpart for your records, email hello@proxylang.dev with your legal entity name, address, and signatory contact. We return a signed counterpart within five business days.

Contact