Data Processing Agreement

“Personal data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in applicable data-protection law (including the GDPR). “Applicable Data Protection Law” means all laws governing the processing of personal data that apply to the parties.

For personal data the Customer routes through the Service, the Customer is the Controller and Proxmint is the Processor. The Customer is responsible for establishing a lawful basis for its processing and for the legality of its instructions and Targets. Each party complies with its own obligations under Applicable Data Protection Law.

• Subject matter: provision of proxy access and account/billing operation.
• Duration: for the term of the Terms and as needed to provide the Service.
• Nature and purpose: routing connections, metering bandwidth, preventing abuse, and billing.
• Types of data: account email, hashed credentials, transaction references, connection metadata, and any personal data within the Customer’s own traffic.
• Data subjects: the Customer, its personnel, and individuals whose data the Customer chooses to process via the Service.

Proxmint will:

• Process personal data only on the Customer’s documented instructions, including the Terms and use of the Service, unless required by law (in which case we will inform you where permitted).
• Ensure persons authorized to process personal data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (Section 6).
• Assist the Customer, to the extent reasonable, with data-subject requests and with security, breach, and impact-assessment obligations.

We keep personal data confidential and do not sell it or use it for our own purposes beyond providing and securing the Service.

We maintain measures appropriate to the risk, including encryption of dashboard traffic, hashing of credentials, access controls and least-privilege administration, network and infrastructure hardening, and logging for abuse prevention. Measures may evolve provided the level of protection is not reduced.

The Customer authorizes Proxmint to engage sub-processors to provide the Service, including our hosting and database providers and our upstream proxy network provider (which routes connections). We impose data-protection obligations on sub-processors no less protective than this DPA and remain responsible for their performance. A current list of sub-processors, including names, is available on request. We will give notice of intended changes and a reasonable opportunity to object. Our payment provider (Cryptomus) processes payment data as an independent controller under its own terms.

Taking into account the nature of the processing, we assist the Customer with appropriate measures to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). Customers can manage account data directly in the dashboard or contact support@proxmint.com.

Where personal data is transferred outside its country of origin, we rely on a lawful transfer mechanism (such as Standard Contractual Clauses) where required by Applicable Data Protection Law.

We notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, and provide information reasonably available to help the Customer meet its own notification obligations.

On reasonable written request, and no more than once per year unless required by a supervisory authority, we make available information necessary to demonstrate compliance with this DPA and contribute to audits conducted by the Customer or an appointed auditor, subject to confidentiality and the security of other customers.

On termination, we delete or return personal data processed on the Customer’s behalf, except where retention is required by law. Deleting your account removes your credentials and stops further metering; residual records are retained only as required.

Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service.

This DPA is governed by the laws of the United Kingdom and the Applicable Data Protection Law, and forms part of the Terms.

Data-protection enquiries: support@proxmint.com