Data Processing Agreement
Table of Contents
Key Points
- This DPA governs personal data processing by Lexx Software Co. Ltd. as Data Processor on behalf of the Customer (Data Controller)
- Fully compliant with GDPR Article 28 and Regulation (EU) 2016/679
- International transfers governed by EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
- Sub-processor changes require 14-day prior notice with objection right
- Data breach notification without undue delay (supporting the Controller's 72-hour GDPR obligation)
- Governing law: Malta
- Data Protection Contact: legal@lexxsoft.com
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement ("Main Agreement") between Lexx Software Co. Ltd., a company registered in Malta under registration number C 100540, with LEI 984500EAD1O715C6C507, having its registered office at Office 2, Room 2, Blue Angel, Triq Belvedere, Gzira, GZR 1112, Malta ("Processor", "we", "us"), and the Customer ("Controller", "you") who has entered into the Main Agreement for the use of the LEXX platform Services.
This DPA reflects the parties' agreement regarding the processing of Personal Data by the Processor on behalf of the Controller, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, "GDPR") and applicable Data Protection Laws.
This DPA is effective from the date the Controller accepts the Main Agreement and remains in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller.
1. Definitions
Capitalised terms used but not defined in this DPA have the meanings given in the Main Agreement. In this DPA, the following terms apply:
| Term | Definition | |------|-----------| | Affiliate | Any entity controlling, controlled by, or under common control with a party, where "control" means ownership of at least 50% of voting interests or the power to direct management and policies. | | Controller | The Customer, who determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) GDPR. | | Data Protection Laws | All applicable laws and regulations relating to the processing of Personal Data, including the GDPR, the Data Protection Act (Cap. 586 of the Laws of Malta), and any national implementing legislation within the EEA. | | Data Subject | An identified or identifiable natural person whose Personal Data is processed under this DPA. | | Data Incident | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA. Unsuccessful attempts that do not compromise the security of Personal Data (such as unsuccessful login attempts, pings, port scans, or denial-of-service attacks repelled by firewalls) do not constitute a Data Incident. | | EEA | The European Economic Area, comprising all EU Member States together with Iceland, Liechtenstein, and Norway. | | GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. | | Main Agreement | The Terms of Service or other agreement between the Processor and the Controller governing the provision of the Services. | | Personal Data | Any information relating to a Data Subject, as defined in Article 4(1) GDPR, that is processed by the Processor on behalf of the Controller under this DPA. | | Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) GDPR, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. | | Processor | Lexx Software Co. Ltd. (C 100540, Malta), which processes Personal Data on behalf of the Controller in accordance with the Controller's documented instructions. | | Services | The SaaS platform services, maintenance, support, and any other services provided by the Processor under the Main Agreement, being a trading interface to cryptocurrency exchanges (including Binance and OKX). | | Standard Contractual Clauses or SCCs | The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021. | | Sub-Processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Services. | | Technical and Organisational Measures or TOMs | The security measures described in Annex 3 to this DPA, implemented and maintained by the Processor to protect Personal Data. |
The terms "personal data", "data subject", "processing", "controller", "processor", and "supervisory authority" as used in this DPA carry the meanings given under the GDPR.
2. Subject Matter and Duration
2.1 Subject Matter
This DPA governs the rights and obligations of the parties regarding the Processor's processing of Personal Data on behalf of the Controller in the performance of the Main Agreement. It applies to all activities within the scope of the Main Agreement in which the Processor's employees, agents, or Sub-Processors may come into contact with Personal Data.
2.2 Duration
This DPA takes effect on the date the Controller enters into the Main Agreement and remains in effect until the Processor ceases all processing of Personal Data on behalf of the Controller, including any post-termination retention period required by applicable law. Upon deletion of all Personal Data as described in Section 12, this DPA automatically expires.
2.3 Precedence
In the event of a conflict between this DPA and the Main Agreement, this DPA prevails with respect to the processing of Personal Data.
3. Scope and Purpose of Processing
3.1 Roles of the Parties
The parties acknowledge and agree that:
- The Controller determines the purposes and means of processing Personal Data
- The Processor processes Personal Data solely on behalf of and in accordance with the Controller's documented instructions
- The Processor does not determine the purposes of processing and acts only as a data processor within the meaning of Article 4(8) GDPR
3.2 Purpose Limitation
The Processor processes Personal Data exclusively for:
- (a) Performing its obligations under the Main Agreement and applicable service orders
- (b) Complying with documented instructions provided by the Controller (including via support tickets), provided such instructions are consistent with the Main Agreement
- (c) Complying with applicable law to which the Processor is subject, including Data Protection Laws — in which case the Processor will inform the Controller of such legal requirement before processing, unless the law prohibits such notification on important grounds of public interest
3.3 Description of Processing
The purposes of processing, categories of Data Subjects and Personal Data, processing operations, and retention periods are specified in Annex 1 to this DPA.
3.4 Controller's Responsibilities
The Controller is solely responsible for:
- The lawfulness of the processing, including the legal basis for processing under Article 6 GDPR
- The accuracy, quality, and legality of Personal Data provided to the Processor
- Compliance with Data Protection Laws regarding the disclosure and transfer of Personal Data to the Processor
- Ensuring that its processing instructions comply with applicable Data Protection Laws
- Informing the Processor without undue delay of any errors or irregularities related to the processing of Personal Data
4. Obligations of the Processor
The Processor undertakes the following obligations in accordance with Article 28(3) GDPR:
4.1 Documented Instructions
The Processor processes Personal Data only on the basis of the Controller's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Member State law to which the Processor is subject. In such a case, the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Confidentiality
The Processor ensures that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Such confidentiality obligations survive the termination of the individual's engagement with the Processor.
4.3 Security
The Processor implements and maintains appropriate technical and organisational measures as described in Annex 3 and in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk presented by the processing.
4.4 Sub-Processing
The Processor complies with the conditions set out in Section 7 regarding the engagement of Sub-Processors.
4.5 Assistance with Data Subject Rights
The Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject requests as set out in Section 5.
4.6 Assistance with Controller Obligations
Taking into account the nature of processing and the information available, the Processor assists the Controller in ensuring compliance with:
- Security obligations under Article 32 GDPR
- Data breach notification obligations under Articles 33 and 34 GDPR
- Data protection impact assessment obligations under Article 35 GDPR
- Prior consultation obligations under Article 36 GDPR
4.7 Deletion and Return of Data
Upon termination of the Main Agreement, the Processor deletes or returns all Personal Data in accordance with Section 12.
4.8 Audit Cooperation
The Processor makes available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits as described in Section 10.
4.9 Notification of Unlawful Instructions
The Processor immediately informs the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other EU or Member State data protection provisions.
4.10 Processing Records
The Processor maintains records of processing activities carried out on behalf of the Controller in accordance with Article 30(2) GDPR, including:
- The name and contact details of the Processor and each Controller on behalf of which the Processor acts
- The categories of processing carried out on behalf of each Controller
- Where applicable, transfers of Personal Data to a third country, including documentation of suitable safeguards
- Where possible, a general description of the Technical and Organisational Measures
5. Rights of Data Subjects
5.1 Notification of Requests
The Processor notifies the Controller without undue delay if it receives a request from a Data Subject to exercise any right under Chapter III of the GDPR, including the rights to:
- Access (Article 15 GDPR)
- Rectification (Article 16 GDPR)
- Erasure ("right to be forgotten") (Article 17 GDPR)
- Restriction of processing (Article 18 GDPR)
- Data portability (Article 20 GDPR)
- Object to processing (Article 21 GDPR)
- Not be subject to automated individual decision-making (Article 22 GDPR)
5.2 Assistance
Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller's obligation to respond to Data Subject requests.
5.3 No Direct Response
The Processor does not respond to a Data Subject request except to confirm that the request relates to the Controller, unless:
- The Controller provides prior written consent for the Processor to respond
- The Processor is required to respond by applicable law
5.4 Costs
Where the Controller's use of the Services does not provide the ability to address a Data Subject request directly, the Processor provides commercially reasonable assistance. Any costs arising from such additional assistance are the responsibility of the Controller to the extent permitted by law.
6. Personnel
6.1 Confidentiality and Training
The Processor ensures that its personnel engaged in the processing of Personal Data:
- Are informed of the confidential nature of Personal Data
- Have received appropriate training on their data protection responsibilities
- Are bound by obligations of confidentiality that survive the termination of their engagement
- Process Personal Data only in accordance with the Controller's instructions
6.2 Reliability
The Processor takes commercially reasonable steps to ensure the reliability of any personnel who have access to Personal Data.
6.3 Access Limitation
Access to Personal Data is limited to those personnel who require such access to perform the Services under the Main Agreement.
6.4 Data Protection Contact
The Processor has designated a Data Protection Contact who can be reached at:
- Email: legal@lexxsoft.com
- Address: Office 2, Room 2, Blue Angel, Triq Belvedere, Gzira, GZR 1112, Malta
7. Sub-Processors
7.1 General Authorisation
The Controller provides a general written authorisation to the Processor to engage Sub-Processors for the performance of the Services. The current list of authorised Sub-Processors is set out in Annex 2 to this DPA.
7.2 Notification of Changes
Before engaging a new Sub-Processor or replacing an existing Sub-Processor, the Processor:
- (a) Notifies the Controller in writing (email to the Controller's registered email address is sufficient) at least 14 calendar days before the new Sub-Processor begins processing Personal Data. In urgent cases where a Sub-Processor must be replaced to address security incidents or legal compliance requirements, the Processor may provide shorter notice and will inform the Controller as soon as practicable.
- (b) Provides the Controller with the name, location, and processing activities of the proposed Sub-Processor
7.3 Right to Object
The Controller may object to the engagement of a new Sub-Processor by notifying the Processor in writing within 14 calendar days of receiving the notification. The objection must be based on reasonable, documented grounds relating to data protection concerns. If the Controller objects:
- (a) The Processor uses commercially reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable change to the Controller's configuration or use of the Services to avoid processing by the objected-to Sub-Processor
- (b) If the Processor cannot accommodate the objection within 30 calendar days, either party may terminate the Main Agreement by providing written notice to the other party
- (c) The Controller retains access to the Services until the end of the current billing period
7.4 Sub-Processor Obligations
When engaging any Sub-Processor, the Processor:
- (a) Enters into a written contract with the Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) GDPR
- (b) Ensures that the Sub-Processor accesses and uses Personal Data only to the extent required to perform the obligations subcontracted to it
- (c) Imposes the data protection obligations set out in Article 28(3) GDPR on the Sub-Processor
- (d) Remains fully liable to the Controller for the performance of the Sub-Processor's obligations
7.5 Sub-Processor Audit Rights
Upon written request, the Controller may obtain information from the Processor about the substance of the Sub-Processor contract and the implementation of data protection obligations, including by inspecting relevant contract documents (subject to reasonable confidentiality restrictions).
8. Data Security and Technical and Organisational Measures
8.1 Security Measures
The Processor implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access, as described in Annex 3 (the "Security Measures"). The Security Measures include measures designed to:
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Restore timely access to Personal Data following a physical or technical incident
- Regularly test, assess, and evaluate the effectiveness of the measures
8.2 Updates to Security Measures
The Processor may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Services.
8.3 Personnel Compliance
The Processor takes appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Sub-Processors.
8.4 Controller's Security Responsibilities
The Controller is responsible for:
- (a) Using the Services appropriately to ensure a level of security appropriate to the risk to Personal Data
- (b) Securing account authentication credentials, systems, and devices used to access the Services
- (c) Maintaining backups of Personal Data as the Controller deems necessary
- (d) Evaluating whether the Services and the Security Measures meet the Controller's needs, including any security obligations under Data Protection Laws
9. Data Incidents (Breach Notification)
9.1 Notification
If the Processor becomes aware of a Data Incident, the Processor:
- (a) Notifies the Controller without undue delay and sufficiently promptly to enable the Controller to comply with its obligation to notify the supervisory authority within 72 hours under Article 33 GDPR
- (b) Promptly takes reasonable steps to contain, investigate, and mitigate the Data Incident and to secure the affected Personal Data
9.2 Content of Notification
The Processor's notification includes, to the extent reasonably available:
- The nature of the Data Incident, including (where possible) the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Processor's data protection contact point
- The likely consequences of the Data Incident
- The measures taken or proposed to address the Data Incident, including measures to mitigate possible adverse effects
9.3 Ongoing Information
Where it is not possible to provide all information at the same time, the Processor provides the information in phases without undue further delay, in accordance with Article 33(4) GDPR.
9.4 Delivery of Notification
Notifications are delivered to the Controller's registered email address or, at the Processor's discretion, by direct communication (such as telephone). The Controller is responsible for ensuring that the contact information on file with the Processor is current and valid.
9.5 Cooperation
The Processor cooperates with the Controller and takes reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of the Data Incident.
9.6 No Acknowledgement of Fault
The Processor's notification of or response to a Data Incident does not constitute an acknowledgement by the Processor of any fault or liability with respect to the Data Incident.
10. Audits
10.1 Audit Rights
The Controller (or an independent third-party auditor appointed by the Controller and bound by confidentiality obligations) may conduct audits, including inspections, to verify the Processor's compliance with this DPA, subject to the following conditions:
- (a) The Controller provides the Processor with at least 30 calendar days prior written notice of an audit
- (b) Audits are conducted during normal business hours and do not unreasonably disrupt the Processor's operations
- (c) Audits are limited to no more than once per calendar year, unless required more frequently by a supervisory authority or following a Data Incident
- (d) The Controller bears all costs and expenses of the audit, including auditor fees, travel, and legal costs
10.2 Processor Cooperation
The Processor makes available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR and contributes to audits and inspections.
10.3 Audit Reports
Where the Processor has obtained a relevant third-party audit report or certification (such as ISO 27001 or SOC 2), the Processor may provide such report or certification as an alternative to an on-site audit, provided the Controller's reasonable data protection concerns are addressed.
10.4 Supervisory Authority Audits
Nothing in this Section 10 limits the rights of any competent supervisory authority to conduct audits or inspections as permitted under applicable Data Protection Laws.
11. Data Transfers
11.1 Processing Within the EEA
The Processor processes Personal Data primarily within the EEA. A current list of processing locations is maintained in the Sub-Processor list in Annex 2.
11.2 Transfers Outside the EEA
Where the processing of Personal Data involves a transfer to a country outside the EEA that has not received an adequacy decision from the European Commission under Article 45 GDPR ("Third Country Transfer"), the Processor ensures that appropriate safeguards are in place in accordance with Article 46 GDPR, including:
- (a) Standard Contractual Clauses: The Processor enters into Standard Contractual Clauses as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 with the relevant data importer. The applicable module is:
- Module 3 (Processor to Sub-Processor) — where the Processor engages a Sub-Processor in a third country
- (b) Supplementary Measures: Where required following a transfer impact assessment, the Processor implements supplementary technical, organisational, or contractual measures to ensure that the level of protection of Personal Data is not undermined, in accordance with the guidance of the European Data Protection Board (EDPB)
11.3 Adequacy Decisions
Where a Third Country Transfer is made to a country or territory that is the subject of an adequacy decision by the European Commission under Article 45 GDPR, the transfer may proceed on the basis of that decision without the need for additional safeguards.
11.4 Transfer Impact Assessments
Before making any Third Country Transfer relying on Standard Contractual Clauses, the Processor conducts a transfer impact assessment to evaluate whether the laws and practices of the destination country ensure an essentially equivalent level of protection for Personal Data. The Processor documents such assessments and makes them available to the Controller upon request.
11.5 Changes in Law
If the Processor becomes aware that the laws or practices of a third country to which Personal Data has been transferred no longer ensure an essentially equivalent level of protection, the Processor promptly notifies the Controller and takes appropriate measures, including suspending the transfer if necessary.
12. Term and Termination
12.1 Duration
This DPA remains in effect for the duration of the Main Agreement and until all Personal Data has been deleted or returned as described in this Section.
12.2 Deletion During Term
The Processor enables the Controller to delete Personal Data during the term of the Main Agreement in a manner consistent with the functionality of the Services.
12.3 Post-Termination
Upon expiry or termination of the Main Agreement:
- (a) The Controller may request the return of Personal Data in a structured, commonly used, and machine-readable format within 30 calendar days of the effective date of termination
- (b) The Processor deletes all Personal Data (including existing copies) from its systems within 90 calendar days of the effective date of termination, unless Data Protection Laws require continued storage
- (c) The Processor provides written confirmation of deletion upon the Controller's request
12.4 Retained Data
Where applicable law requires the Processor to retain certain Personal Data beyond the termination date, the Processor:
- Limits the processing of such retained data to the purpose required by applicable law
- Continues to protect such data in accordance with this DPA
- Deletes the data as soon as the applicable retention obligation expires
12.5 Data Export Responsibility
The Controller is responsible for exporting any Personal Data it wishes to retain before the expiry or termination of the Main Agreement. The Processor is not obliged to maintain Personal Data after the deletion period specified in Section 12.3(b).
13. Governing Law and Dispute Resolution
13.1 Governing Law
This DPA is governed by and construed in accordance with the laws of Malta, without regard to conflict-of-law principles, to the extent such principles would result in the application of the laws of another jurisdiction.
13.2 Supervisory Authority
The competent supervisory authority for the purposes of this DPA is the Information and Data Protection Commissioner (IDPC), Malta.
13.3 Dispute Resolution
Any dispute arising out of or in connection with this DPA that cannot be resolved through good faith negotiations within 30 calendar days is subject to the exclusive jurisdiction of the courts of Malta, unless the parties agree in writing to submit the dispute to arbitration in accordance with the Arbitration Act (Cap. 387 of the Laws of Malta).
13.4 Data Subject Rights Preserved
Nothing in this Section limits a Data Subject's right to lodge a complaint with a supervisory authority or to seek a judicial remedy under Articles 77–79 GDPR.
13.5 Severability
If any provision of this DPA is found by a competent court or authority to be invalid or unenforceable, such provision is modified to the minimum extent necessary to make it valid and enforceable, and the remaining provisions continue in full force and effect.
13.6 Amendments
No amendment to this DPA is effective unless made in writing and signed or otherwise agreed by both parties. The Processor may update this DPA from time to time to reflect changes in Data Protection Laws, provided the Processor notifies the Controller at least 30 days in advance and the updates do not materially diminish the level of data protection.
Annex 1: Description of Processing
This Annex forms part of the DPA and describes the processing of Personal Data by the Processor on behalf of the Controller.
A. Purposes of Processing
| # | Purpose | Legal Basis (Controller) | |---|---------|-------------------------| | 1 | SaaS Platform Operation — Provision and maintenance of the LEXX trading interface platform, enabling the Controller to interact with cryptocurrency exchanges (Binance, OKX) | Performance of contract (Art. 6(1)(b) GDPR) | | 2 | Account Management — User registration, authentication, session management, and account lifecycle management | Performance of contract (Art. 6(1)(b) GDPR) | | 3 | Payment Processing — Processing subscription payments, invoicing, refunds, and maintaining transaction records | Performance of contract (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR) | | 4 | Customer Support — Handling support tickets, troubleshooting, and responding to user enquiries | Performance of contract (Art. 6(1)(b) GDPR) | | 5 | Server-Side Performance Monitoring — Aggregated platform performance monitoring, error tracking, and service optimisation | Legitimate interest (Art. 6(1)(f) GDPR) | | 6 | Website Analytics (GA4) — Anonymised website usage analysis via Google Analytics 4 | Consent (Art. 6(1)(a) GDPR) — analytics cookies require prior opt-in consent in accordance with the ePrivacy Directive and CJEU Case C-673/17 (Planet49) | | 7 | Security and Fraud Prevention — Monitoring for unauthorised access, detecting anomalies, maintaining platform integrity | Legitimate interest (Art. 6(1)(f) GDPR) and legal obligation (Art. 6(1)(c) GDPR) | | 8 | Legal Compliance — Fulfilling legal and regulatory obligations, including recordkeeping under Malta tax and commercial law | Legal obligation (Art. 6(1)(c) GDPR) |
B. Categories of Personal Data
| Category | Data Elements | Sensitivity | |----------|--------------|-------------| | Identification Data | Display name, email address, username, profile information | Standard | | Authentication Data | Hashed passwords, two-factor authentication tokens, session tokens | Standard (security-sensitive) | | Payment Data | Subscription plan, transaction records, invoice data, payment method identifiers (no full card numbers stored) | Standard (financial) | | Usage Data | Platform activity logs, feature usage, trading interface interactions, preferences and settings | Standard | | Technical Data | IP address, browser type and version, device type, operating system, access timestamps, referral source | Standard | | Communication Data | Support ticket content, email correspondence, in-platform notifications | Standard |
Note: The Processor does not process special categories of Personal Data (Article 9 GDPR) or Personal Data relating to criminal convictions and offences (Article 10 GDPR) as part of the Services.
C. Categories of Data Subjects
- Registered users and subscribers of the LEXX platform
- Trial users who have created an account
- Former users whose data is retained during the applicable retention period
D. Processing Operations
| Operation | Description | |-----------|-------------| | Collection | Receiving Personal Data submitted by Data Subjects during registration and platform use | | Storage | Maintaining Personal Data in encrypted databases and storage systems | | Access Management | Managing user authentication, authorisation, and session control | | Retrieval and Use | Accessing Personal Data to provide the Services, including rendering the trading interface | | Analytics | Aggregating and analysing usage patterns for service improvement (anonymised/pseudonymised where possible) | | Support Ticket Processing | Accessing Personal Data as needed to respond to and resolve user support requests | | Transmission | Transmitting Personal Data via encrypted channels to Sub-Processors as required for service delivery | | Backup | Creating and maintaining encrypted backup copies for disaster recovery purposes | | Deletion | Securely erasing Personal Data upon expiry of retention periods or upon Controller instruction |
E. Retention Periods
| Data Category | Retention Period | Legal Basis | |---------------|-----------------|-------------| | Account Data (identification, authentication) | Duration of the account + 3 years after account deletion | Limitation periods under Malta law; contractual claims | | Transaction Records (payment, invoicing) | 7 years from the end of the financial year in which the transaction occurred | Income Tax Act (Cap. 123), VAT Act (Cap. 406), Laws of Malta | | Platform Activity Logs (usage, technical data) | 90 days from date of collection | Legitimate interest in security and service improvement | | Support Communications | 3 years after ticket resolution or account deletion, whichever is later | Contractual and legal claims | | Security Logs (access logs, authentication events) | 90 days from date of creation | Legitimate interest in security and incident investigation |
Annex 2: Sub-Processors
The following Sub-Processors are authorised by the Controller to process Personal Data in connection with the Services:
| # | Sub-Processor Name | Service Provided | Location | Processing Purpose | |---|-------------------|-----------------|----------|-------------------| | 1 | Amazon Web Services, Inc. (AWS) | Cloud infrastructure and hosting | EU (Frankfurt, Ireland) | Platform hosting, data storage, compute, backup | | 2 | Google LLC (Google Analytics 4) | Web analytics | EU / US (SCCs 2021/914) | Depersonalised website usage analytics — IP anonymisation enabled, Google Signals disabled, data retention set to 14 months. No advertising features enabled. | | 3 | Freshworks Inc. (Freshdesk) | Customer support platform | EU / US (SCCs 2021/914) | Support ticket management — users voluntarily register and submit tickets. Processing is initiated by the Data Subject's own request. | | 4 | Stripe, Inc. | Payment processing | US (SCCs 2021/914) | Subscription payment processing — Stripe acts as a data processor for payment transaction data. LEXX does not store full card numbers; Stripe is PCI DSS Level 1 certified. |
Note: The current list of Sub-Processors is maintained by the Processor and updated in accordance with Section 7.2 of this DPA. To request the latest version of this list, contact legal@lexxsoft.com.
Notification mechanism: The Controller will be notified of any changes to this list at least 14 calendar days before a new Sub-Processor begins processing Personal Data, in accordance with Section 7.2 of this DPA. Notifications are sent to the Controller's email address on file.
Annex 3: Technical and Organisational Measures (TOMs)
The Processor implements and maintains the following technical and organisational measures to protect Personal Data in accordance with Article 32 GDPR. The Processor may update these measures from time to time, provided that the overall level of security is not materially diminished.
1. Encryption
| Measure | Standard | Details | |---------|----------|---------| | Encryption at rest | AES-256 | All Personal Data stored in databases and backups is encrypted using AES-256. API keys and sensitive credentials are encrypted at rest using AES-256 as stated on the LEXX platform. | | Encryption in transit | TLS 1.3 | All data transmitted between the platform, users, and Sub-Processors is encrypted using TLS 1.3 (minimum TLS 1.2). HSTS (HTTP Strict Transport Security) is enforced. | | Key management | Industry standard | Encryption keys are managed using industry-standard key management practices, with regular rotation schedules. |
2. Access Controls
| Measure | Details | |---------|---------| | Role-Based Access Control (RBAC) | Access to Personal Data is restricted based on the principle of least privilege. Personnel are granted access only to the data necessary for their role. | | Multi-Factor Authentication (MFA) | MFA is required for all administrative access to systems containing Personal Data. | | Password Policy | Strong password policies are enforced, including minimum length, complexity requirements, and prohibition of password reuse. | | Session Management | Automatic session timeout after periods of inactivity. Session tokens are securely generated and invalidated upon logout. | | Access Reviews | Periodic reviews of access rights are conducted to ensure access remains appropriate. Access is revoked promptly upon personnel departure or role change. |
3. Network Security
| Measure | Details | |---------|---------| | Firewalls | Network and application-level firewalls protect infrastructure from unauthorised access. | | Intrusion Detection/Prevention | Intrusion detection and prevention systems (IDS/IPS) monitor network traffic for suspicious activity. | | Network Segmentation | Production environments are isolated from development and testing environments. | | DDoS Protection | Distributed denial-of-service mitigation measures are in place. |
4. Logging and Monitoring
| Measure | Details | |---------|---------| | Audit Logging | All access to and modifications of Personal Data are logged with timestamps, user identifiers, and actions performed. | | Centralised Monitoring | Centralised log management and monitoring tools are used to detect and alert on security anomalies. | | Log Retention | Security logs are retained for a minimum of 90 days. | | Log Integrity | Logs are protected against tampering and unauthorised modification. |
5. Data Minimisation and Pseudonymisation
| Measure | Details | |---------|---------| | Data Minimisation | Only Personal Data that is necessary for the specified purposes is collected and processed. | | Pseudonymisation | Where technically feasible and consistent with the purposes of processing, Personal Data is pseudonymised (e.g., replacing identifiers with tokens in analytics data). | | Anonymisation | Aggregated analytics data is anonymised so that individuals cannot be re-identified. |
6. Backup and Disaster Recovery
| Measure | Details | |---------|---------| | Regular Backups | Automated, encrypted backups of Personal Data are performed on a regular schedule. | | Geographic Redundancy | Backups are stored in geographically separate locations within the EEA (where applicable). | | Recovery Testing | Disaster recovery procedures are tested periodically to ensure timely restoration of access to Personal Data. | | Recovery Time Objective | The Processor targets a recovery time consistent with the 99.9% uptime SLA stated in the Main Agreement. |
7. Incident Response
| Measure | Details | |---------|---------| | Incident Response Plan | A documented incident response plan is maintained, covering identification, containment, eradication, recovery, and post-incident review. | | Response Team | Designated personnel are responsible for managing Data Incidents. | | Notification Procedures | Procedures ensure the Controller is notified without undue delay of the Processor becoming aware of a Data Incident, in accordance with Section 9 of this DPA. | | Post-Incident Review | A root-cause analysis is conducted following each Data Incident, and findings are used to improve security measures. |
8. Personnel Security
| Measure | Details | |---------|---------| | Background Checks | Background checks are conducted on personnel with access to Personal Data, to the extent permitted by applicable law. | | Security Training | Personnel receive data protection and information security training upon onboarding and at regular intervals thereafter. | | Confidentiality Agreements | All personnel with access to Personal Data are bound by written confidentiality obligations. |
9. Physical Security
| Measure | Details | |---------|---------| | Data Centre Security | Personal Data is hosted in data centres with physical access controls, including badge access, CCTV monitoring, and 24/7 security personnel. | | Clean Desk Policy | Personnel are required to secure physical documents and devices when unattended. | | Visitor Controls | Visitor access to facilities containing processing equipment is controlled and logged. |
10. Sub-Processor Security
| Measure | Details | |---------|---------| | Pre-Engagement Assessment | Security and privacy practices of Sub-Processors are assessed before engagement. | | Contractual Obligations | Sub-Processors are contractually required to implement security measures no less protective than those described in this Annex. | | Ongoing Monitoring | Sub-Processor compliance with security requirements is monitored on an ongoing basis. |
11. Vulnerability Management
| Measure | Details | |---------|---------| | Vulnerability Scanning | Regular vulnerability assessments are conducted on systems processing Personal Data. | | Patch Management | Security patches are applied in a timely manner in accordance with a defined patch management policy. | | Penetration Testing | Periodic penetration testing is performed by qualified personnel or third-party specialists. |
Contact Information
For questions, concerns, or requests related to this Data Processing Agreement, please contact:
Lexx Software Co. Ltd. Office 2, Room 2, Blue Angel, Triq Belvedere Gzira, GZR 1112, Malta Registration: C 100540 LEI: 984500EAD1O715C6C507
| Contact | Email | |---------|-------| | Legal / Data Protection | legal@lexxsoft.com | | Support | support@lexxsoft.com | | General | office@lexxsoft.com |
Supervisory Authority: Information and Data Protection Commissioner (IDPC) Level 2, Airways House, High Street, Sliema SLM 1549, Malta Website: https://idpc.org.mt
This Data Processing Agreement was last updated in June 2026. Version 2.0 — Full rewrite replacing the prior DPA (v1.0) to remove outdated references, correct entity information, and ensure full GDPR Article 28 compliance.