Data Processing Agreement (DPA)
Pxl is a European company, and our data infrastructure is based in Europe, adhering to the EU’s strong data privacy laws. This Data Processing Agreement (“DPA”) is an addendum to the Terms and Conditions between Pxl (represented by Waterglass FlexCo) and the customer.
By using our product and accepting our Terms and Conditions, the customer is accepting our DPA and does not need to sign a separate document. We provide the same privacy rights and protection to all customers. If accepting this DPA on behalf of a customer, the individual warrants that:
- They have full legal authority to bind the customer to this DPA;
- They have read and understand this DPA; and
- They agree on behalf of the customer to this DPA.
Definitions
- "Customer": Refers to the company or organization that signs up to use Pxl to manage our link management solutions. Pxl and the customer are collectively referred to as the "parties."
- "Data Protection Legislation": General Data Protection Regulation (Regulation (EU) 2016/679) and all other applicable laws relating to the processing of data and privacy that may exist in any relevant jurisdiction.
- "Data controller," "Data processor," "Data subject," "Personal data," and "Processing": Interpreted in accordance with applicable Data Protection Legislation.
For any further definitions, please refer to our Terms and Conditions as well as the Privacy Policy.
Relationship Between the Parties
The parties agree that the customer is the data controller and that Pxl is its data processor in relation to data processed in the course of providing the service. In the course of providing the Pxl service to customers pursuant to the agreement, Pxl may process visitor data on behalf of the customer.
As the controller, the customer is responsible for determining the lawfulness of any processing, performing required data protection impact assessments, and accounting to regulators and individuals as needed; providing relevant privacy notices to data subjects as required in their jurisdiction; implementing appropriate technical and organizational measures to ensure and demonstrate compliance with this DPA; and notifying relevant regulators or authorities of any incidents as required by law in their jurisdiction.
Each party indemnifies the other and holds them harmless against all claims, actions, third-party claims, losses, damages, and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.
Privacy and Security of Customer Data
We take many measures to protect and secure customer data through backups, redundancies, and encryption. When the customer uses our service, Pxl will collect information about their activities. The customer agrees that Pxl can process their data as described in our Privacy Policy. We work hard to be transparent about who we are and how we operate, and we always welcome feedback.
- The customer owns all rights, title, and interest to their data. We obtain no rights from the customer to their data. We do not sell or share customer data with any third parties.
- Pxl tracks visitor data without collecting or storing personal data or using cookies, ensuring visitor privacy. All site measurements are anonymous. Each request from visitors sends their IP address. We use this and some other available attributes to create an anonymized identifier. This creates a random string for our analytics. This identifier cannot be used to trace back individual visitors and hence does not count as personally identifiable information (PII).
- Data subjects affected are Pxl visitors (end-users of short links, QR codes, or Microsites) using our service.
Processor’s Obligations with Respect to the Controller
- Pxl will process data only in accordance with instructions from the customer: Pxl ensures that all data processing activities are strictly carried out based on the specific instructions provided by the customer. This means we do not use, access, or process customer data in any way that deviates from their explicit directives.
- Pxl shall notify the customer at the earliest if an instruction infringes applicable Data Protection Legislation: If any customer instruction conflicts with data protection laws, Pxl commits to promptly notifying the customer. This proactive approach ensures compliance with all applicable legal requirements and helps the customer adjust their instructions to align with regulatory standards.
- Pxl guarantees the confidentiality of data processed hereunder: We guarantee the confidentiality of all data processed on behalf of our customers. Strict confidentiality agreements are in place, and we take every measure to ensure that customer data remains private and secure.
- Pxl implements and maintains appropriate technical and organizational security measures to protect data against unauthorized processing and accidental loss: Pxl employs a comprehensive set of technical and organizational security measures to safeguard data. This includes advanced encryption methods, secure access controls, regular security audits, and robust data backup protocols to prevent unauthorized processing and accidental data loss. These measures are continually updated to adapt to new security threats and technological advancements.
- Use of Sub-Processors: We work with sub-processors to provide our services. With each vendor, we assess their commitment to privacy and sign a data processing agreement that includes the controller-processor Standard Contractual Clauses. The list of sub-processors is available in our Privacy Policy. The controller has the right to object and may terminate the agreement if necessary. We continuously monitor our sub-processors and strive to minimize their number whenever possible.
- Breach Notification: If Pxl becomes aware of any accidental, unauthorized, or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data processed by Pxl while providing the service, it will notify the customer by email without undue delay (no later than 48 hours after becoming aware of it). Pxl will provide a description of the incident and periodic updates, including its impact on customer content. Additionally, Pxl will take action to investigate the incident and reasonably prevent or mitigate its effects.
- Deletion Requests: Pxl retains personal data for 10 years after the relationship between the parties has ended unless the customer requests the data to be removed. Data subjects can exercise their rights by contacting Pxl at privacy@pxl.to. The data will be permanently deleted immediately when we receive a deletion request. We cannot recover this information once it has been permanently deleted.
Technical and Organizational Measures (TOM)
Pxl is committed to transparency and openness. We regularly review our practices to ensure data privacy and security. Below is a summary of the technical and organizational measures we have implemented to further protect customer data:
- Digital Access Control: Access to our servers and systems is strictly digital, eliminating the risks associated with physical access.
- Legal Contracts in Place: We have comprehensive legal contracts with all our partners and service providers to ensure data protection and compliance with relevant laws.
- Data Minimization Practices: We adhere to data minimization principles, collecting only the data necessary for our services and no more.
- Encryption at Rest: All data is encrypted at rest to protect it from unauthorized access and breaches. Where relevant, we implement encryption at rest.
- Firewalls: Our systems are protected by robust firewalls that guard against unauthorized access and cyber threats.
- Password-Secured Work Devices: All employee work devices are secured with strong passwords that meet minimum strength requirements.
- Two-Factor Authentication (2FA): Access to our systems and data requires two-factor authentication, adding an extra layer of security.
- No Visitors Policy: We maintain a strict no visitors policy in areas where sensitive data is handled to prevent unauthorized access.
- Access Logs: We keep detailed access logs to monitor and review all access to our systems and data.
- Digital Access Concepts: We employ digital access control concepts to ensure only authorized personnel have access to sensitive data.
- Regular Backups: We perform regular backups of all critical data to ensure data integrity and availability in case of a system failure or data loss.
- Multi-Tenancy Architecture: Our multi-tenancy architecture ensures that each client’s data is isolated and protected from other clients, providing an additional layer of security.
Amendments
Pxl reserves the right to amend this DPA. Continued use of Pxl's services after the changes take effect constitutes acceptance of the updated DPA. The DPA is effective as of 18. July 2024 and replaces and supersedes any previously agreed data processing agreement between the customer and Pxl relating to the GDPR.
Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.