Data Processing Agreement

Last Updated: November 26, 2025

---

This Data Processing Agreement ("Agreement") forms part of the Terms of Service and any other applicable agreements between valrixa ("Processor") and the user or entity accessing the services ("Controller"). This Agreement governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the provision of the services available at valrixa.online.

---

1. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set out below:

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller under this Agreement.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Data Subject" means the natural person whose Personal Data is being processed.

"Sub-Processor" means any third party appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller.

"Applicable Data Protection Law" means all applicable laws and regulations governing the protection and processing of Personal Data that apply to the activities of either party under this Agreement.

"Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

---

2. Scope and Purpose of Processing

2.1 Subject Matter

This Agreement applies to the processing of Personal Data by the Processor in the course of providing the services described in the applicable service agreement or terms of use. The Processor shall process Personal Data solely for the purpose of delivering, maintaining, and improving those services.

2.2 Nature of Processing

The nature of the processing activities includes, but is not limited to, storage, retrieval, analysis, and transmission of Personal Data as required for the provision of the agreed services.

2.3 Categories of Personal Data

The categories of Personal Data processed under this Agreement may include, but are not limited to: identification data, contact information, account credentials, usage data, technical data such as IP addresses and device identifiers, and any other data submitted by the Controller or its end users through use of the services.

2.4 Categories of Data Subjects

Data Subjects may include end users of the services, employees or representatives of the Controller, and any other individuals whose Personal Data is submitted to the services by the Controller.

---

3. Obligations of the Processor

3.1 Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures shall take into account the state of the art, the nature of the Personal Data, and the risks associated with the processing.

3.4 Sub-Processing

The Processor shall not engage any Sub-Processor without prior written authorization from the Controller, which may be general or specific. Where Sub-Processors are engaged, the Processor shall impose data protection obligations on the Sub-Processor by way of a contract or other binding legal instrument, providing sufficient guarantees to implement appropriate technical and organizational measures. The Processor remains liable to the Controller for the performance of the Sub-Processor's obligations.

3.5 Assistance to Controller

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligations to respond to requests for exercising Data Subjects' rights under Applicable Data Protection Law.

3.6 Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Security Incident affecting Personal Data processed under this Agreement. Such notification shall include, to the extent known at the time: a description of the nature of the Security Incident, the categories and approximate number of Data Subjects and Personal Data records affected, the likely consequences of the Security Incident, and the measures taken or proposed to address the incident.

3.7 Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities where required by Applicable Data Protection Law, taking into account the nature of the processing and the information available to the Processor.

---

4. Obligations of the Controller

4.1 Lawful Basis

The Controller is solely responsible for ensuring that all processing of Personal Data carried out under this Agreement has a valid legal basis under Applicable Data Protection Law and that all required notices, consents, or other authorizations have been obtained from Data Subjects prior to processing.

4.2 Accuracy of Instructions

The Controller shall ensure that all instructions provided to the Processor are lawful, accurate, and complete. The Controller accepts responsibility for any consequences arising from erroneous or unlawful instructions.

4.3 Data Minimization

The Controller shall ensure that only the minimum necessary Personal Data is submitted to the services, consistent with the principle of data minimization under Applicable Data Protection Law.

---

5. Data Subject Rights

5.1 Handling Requests

The Processor shall, to the extent reasonably practicable, assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.

5.2 Direct Requests

If the Processor receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Controller, the Processor shall promptly forward such request to the Controller without responding to the request directly, unless required to do so by applicable law.

---

6. International Data Transfers

6.1 Transfer Restrictions

The Processor shall not transfer Personal Data to a country or international organization outside of the jurisdiction without ensuring that appropriate safeguards are in place as required by Applicable Data Protection Law.

6.2 Transfer Mechanisms

Where applicable, the parties shall rely on recognized lawful transfer mechanisms, such as standard contractual clauses, adequacy decisions, binding corporate rules, or other mechanisms permitted under Applicable Data Protection Law, to authorize any international transfer of Personal Data.

---

7. Retention and Deletion of Personal Data

7.1 Retention Period

The Processor shall retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law, or as directed in writing by the Controller.

7.2 Deletion or Return

Upon termination or expiration of the underlying service agreement, or upon written request from the Controller, the Processor shall, at the Controller's election, either delete or return all Personal Data processed under this Agreement and delete all existing copies, unless retention is required by applicable law. The Processor shall provide written confirmation of such deletion or return upon request.

---

8. Audits and Inspections

8.1 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

8.2 Audit Conditions

Any audit conducted under this section shall be carried out with reasonable prior written notice, during normal business hours, at the Controller's expense, and in a manner that minimizes disruption to the Processor's business operations. The parties shall agree in good faith on the scope and timing of any such audit.

8.3 Third-Party Certifications

The Processor may satisfy audit obligations in whole or in part by providing relevant third-party certifications, audit reports, or other documentation demonstrating compliance with recognized security or data protection standards, where the Controller agrees such evidence is sufficient.

---

9. Liability and Indemnification

9.1 Mutual Liability

Each party shall be liable for damages caused by processing that fails to comply with this Agreement or with Applicable Data Protection Law. The Processor shall be exempt from liability if it demonstrates that it is not in any way responsible for the event that caused the damage.

9.2 Limitation of Liability

The total aggregate liability of either party under or in connection with this Agreement shall be subject to the limitations of liability set out in the main service agreement between the parties, to the extent permitted by applicable law.

9.3 Indemnification

Each party shall indemnify and hold harmless the other party from and against any claims, losses, costs, or expenses arising from that party's material breach of this Agreement or Applicable Data Protection Law, to the extent permitted by applicable law.

---

10. Term and Termination

10.1 Duration

This Agreement shall remain in effect for the duration of the main service agreement between the parties, unless terminated earlier in accordance with its terms or those of the main service agreement.

10.2 Termination for Breach

Either party may terminate this Agreement with immediate effect by written notice if the other party commits a material breach of this Agreement that is not capable of remedy, or if the other party fails to remedy a material breach within thirty (30) days of receiving written notice of such breach.

10.3 Survival

Provisions that by their nature should survive termination, including those relating to confidentiality, liability, data deletion, and audit rights, shall continue to apply after the termination or expiration of this Agreement.

---

11. General Provisions

11.1 Order of Precedence

In the event of any conflict or inconsistency between the terms of this Agreement and the main service agreement, the terms of this Agreement shall prevail with respect to the processing of Personal Data, unless expressly agreed otherwise in writing by both parties.

11.2 Amendments

This Agreement may be amended or updated from time to time to reflect changes in Applicable Data Protection Law, the nature of the services, or the processing activities. The Processor will endeavor to provide reasonable notice of material amendments. Continued use of the services following such notice constitutes acceptance of the updated Agreement.

11.3 Severability

If any provision of this Agreement is found to be unenforceable or invalid under applicable law, such provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.

11.4 Entire Agreement

This Agreement, together with the main service agreement and any applicable annexes or schedules, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous understandings, agreements, or representations relating to the same subject matter.

11.5 Contact Information

For any questions, concerns, or requests relating to this Agreement or the processing of Personal Data, please contact us at:

valrixa
19 Stonelaw Rd, Rutherglen, Glasgow G73 3TW, United Kingdom
Email: help@valrixa.online
Phone: +447415782037

---

This Data Processing Agreement was last updated on November 26, 2025. Please review this Agreement periodically for any updates or changes.