Data Processing Agreement

Last Updated: April 2025
Effective Date: April 1, 2025
Version: 1.0

Sections

  • 1. Definitions
  • 2. Subject Matter
  • 3. Nature & Purpose
  • 4. Types of Personal Data
  • 5. Data Subject Categories
  • 6. Processor Obligations
  • 7. Sub-Processors
  • 8. Security Measures
  • 9. Data Subject Rights
  • 10. Data Breach Notification
  • 11. Data Transfers
  • 12. Term and Termination
  • 13. Governing Law
  • 14. Contact

This Data Processing Agreement ("DPA") forms part of and is incorporated by reference into the Proxiant Terms of Service (available at proxiant.co/terms) between Proxiant, Inc. and the business customer ("Controller" or "Firm") that has agreed to those Terms. This DPA sets out the terms under which Proxiant processes personal data on behalf of the Controller in connection with providing the Proxiant platform and services.

In the event of any conflict between this DPA and the Terms of Service with respect to the processing of personal data, the terms of this DPA shall govern.

  • Processor: Proxiant, Inc. Provider of the Proxiant platform and related services. Processes personal data on behalf of the Controller in connection with providing the service.
  • Controller: The Firm (you). The business entity that has accepted the Proxiant Terms of Service and uses the Platform to process personal data in connection with its process serving or legal support operations. The Controller determines the purposes and means of processing.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given in the Proxiant Terms of Service or Privacy Policy.

  • "Applicable Data Protection Law" means any law, regulation, or binding regulatory guidance applicable to the processing of Personal Data under this DPA, including (where applicable): the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the UK GDPR and Data Protection Act 2018; the California Consumer Privacy Act (Cal. Civil Code § 1798.100 et seq.) and its implementing regulations ("CCPA"); and any state or federal privacy laws that may apply to the Controller's or Processor's activities.
  • "Controller" means the Firm — the entity that determines the purposes and means of the processing of Personal Data. For purposes of CCPA, the Controller is the "business."
  • "Processor" means Proxiant, Inc., which processes Personal Data on behalf of and under the instructions of the Controller. For purposes of CCPA, Proxiant acts as a "service provider."
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Proxiant on behalf of the Controller in connection with the provision of the Platform, as further described in Sections 4 and 5.
  • "Processing" (and cognate terms) means any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, and destruction.
  • "Security Incident" or "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by the Processor.
  • "Sub-Processor" means any third party appointed by or on behalf of the Processor to process Personal Data in connection with providing the Platform.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission under Commission Implementing Decision (EU) 2021/914, or any successor instrument.

2. Subject Matter of Processing

Proxiant processes Personal Data on behalf of the Controller solely to the extent necessary to provide the Proxiant platform and related services as described in the Terms of Service. Proxiant acts as a Processor (data processor) with respect to Personal Data that the Controller submits to or generates through the Platform in connection with its own process serving operations. The Controller retains the role of Controller (data controller) with respect to that Personal Data.

Proxiant does not use Personal Data processed on behalf of one Controller for the benefit of, or in connection with the services provided to, any other Controller.

3. Nature and Purpose of Processing

Proxiant processes Personal Data on behalf of the Controller for the following purposes, each of which is inherent to the provision of the Platform:

  • Job Management: Storing, organizing, and providing access to job records, including recipient information, attempt records, and associated case data entered by the Controller's authorized users.
  • Affidavit Generation: Processing job data to generate Affidavits, Proofs of Service, and other legal documents based on information submitted by the Controller.
  • Client Portal: Making job status, documents, and communications available to Clients authorized by the Controller through the client portal feature.
  • The Hive Marketplace: Facilitating the posting and assignment of jobs between Firms and independent Servers, including the controlled disclosure of job details to assigned Servers.
  • Email Intake: Parsing inbound emails directed to the Controller's Proxiant intake address to extract job information on the Controller's behalf.
  • AI-Assisted Processing: Using AI tools to assist with document parsing, data extraction, and automation features, as described in the Privacy Policy.
  • Communications: Sending notifications, status updates, and documents to parties authorized by the Controller.

4. Types of Personal Data Processed

Depending on how the Controller uses the Platform, Proxiant may process the following categories of Personal Data on behalf of the Controller:

  • Identity data: Full names of recipients, defendants, respondents, witnesses, attorneys, and firm staff
  • Contact data: Physical addresses (residential and business), email addresses, telephone numbers
  • Location data: GPS coordinates and timestamped location data captured at each service attempt
  • Physical description data: Physical descriptions of individuals served or with whom service was attempted (entered by Servers)
  • Legal case data: Court names, case numbers, case types, attorney names and bar numbers, law firm information, document types being served
  • Documentary data: Photographs taken during service attempts; scanned or uploaded legal documents (summonses, complaints, subpoenas, etc.); generated Affidavits
  • Employment and credential data: Process server license numbers, registration information, geographic service areas (for Server accounts)
  • Communication data: Email communications parsed through the inbound email intake feature; notes and communications associated with jobs
  • Financial data: Billing information for Firm accounts (processed by Stripe; Proxiant does not store full payment card numbers)

5. Categories of Data Subjects

Personal Data processed under this DPA relates to the following categories of Data Subjects:

  • Process service recipients: Individuals who are the subject of service of process (defendants, respondents, witnesses, registered agents) — the individuals whose names, addresses, and physical descriptions are captured in job records
  • Clients of the Firm: Attorneys, paralegals, law firm staff, and other legal professionals who submit jobs to the Firm or access the client portal
  • Firm team members: Employees, contractors, and other authorized users who access the Platform on behalf of the Controller
  • Independent process Servers: Independent contractors who use The Hive to accept and complete jobs on behalf of the Controller

6. Obligations of the Processor (Proxiant)

6.1 Processing Only on Documented Instructions

Proxiant shall process Personal Data only on documented instructions from the Controller, which are set out in these Terms of Service, this DPA, and any additional written instructions provided by the Controller through the Platform's configuration features. If Proxiant is required to process Personal Data under applicable law, Proxiant will inform the Controller of that legal requirement before processing, unless prohibited by law.

6.2 Confidentiality of Processing Personnel

Proxiant shall ensure that all personnel authorized to process Personal Data under this DPA are subject to appropriate confidentiality obligations and are aware of their responsibilities under Applicable Data Protection Law and this DPA.

6.3 Security Measures

Proxiant shall implement and maintain the technical and organizational security measures described in Section 8 of this DPA and in the Privacy Policy, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons.

6.4 Sub-Processor Engagement

Proxiant may engage Sub-Processors as set out in Section 7. Proxiant shall enter into written agreements with each Sub-Processor that impose data protection obligations no less protective than those set out in this DPA. Proxiant remains responsible to the Controller for the acts and omissions of its Sub-Processors.

6.5 Assistance with Data Subject Rights

Proxiant shall, taking into account the nature of processing, assist the Controller by implementing appropriate technical and organizational measures to fulfill the Controller's obligations to respond to Data Subject requests. Where a Data Subject submits a request directly to Proxiant relating to Personal Data controlled by the Controller, Proxiant will promptly notify the Controller and will not respond to the request on the Controller's behalf without the Controller's authorization, except as required by law.

6.6 Assistance with Controller Compliance Obligations

To the extent reasonably required and taking into account the information available to Proxiant, Proxiant shall assist the Controller in fulfilling its obligations under Applicable Data Protection Law, including obligations relating to: security of processing; notification and communication of Personal Data Breaches; data protection impact assessments; and prior consultation with supervisory authorities.

6.7 Deletion or Return on Termination

Upon termination of the Terms of Service for any reason, Proxiant shall, at the Controller's election: (a) make Personal Data available for export during the 30-day Export Window described in the Terms of Service and Privacy Policy; and (b) thereafter delete or destroy all Personal Data in Proxiant's possession or control in accordance with the data retention schedule in the Privacy Policy, except to the extent required to be retained by applicable law. Proxiant will confirm completion of deletion upon request.

6.8 Audit Assistance

Proxiant shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and, upon reasonable written notice (not less than 30 days), shall permit and contribute to audits and inspections conducted by the Controller or a third-party auditor appointed by the Controller, subject to reasonable confidentiality obligations. Audits must be conducted during normal business hours, shall not unreasonably disrupt Proxiant's operations, and shall not occur more than once per calendar year except where required by a supervisory authority. Proxiant may satisfy audit requests by providing relevant certifications, third-party audit reports, or other documentation demonstrating compliance.

7. Sub-Processors

7.1 Current Sub-Processors

The Controller hereby provides general authorization for Proxiant to engage the following Sub-Processors, each of which Proxiant relies upon to deliver the Platform. Each Sub-Processor processes only the categories of Personal Data necessary for the services they provide:

| Sub-Processor | Service | Personal Data Processed | Location |
| --- | --- | --- | --- |
| Supabase, Inc. | Database hosting, authentication, real-time services | All Personal Data stored in the Platform (job data, account data, documents) | United States (primary) |
| Cloudflare, Inc. | Object storage (R2), CDN, network security | Uploaded documents, photographs, generated affidavits, attachments | United States (primary) |
| Stripe, Inc. | Payment processing | Billing name, email, payment card data (Stripe stores card data; Proxiant does not) | United States / Global |
| Anthropic, PBC | AI model API (Claude) | Document content, email content, and structured job data submitted for AI-assisted processing | United States |
| Resend, Inc. | Transactional email delivery | Recipient email addresses, names, job summary data included in email content | United States |
| Wildbit, LLC (Postmark) | Email delivery and inbound email processing | Email addresses, email content (inbound intake emails) | United States |
| Vercel, Inc. | Application hosting, serverless compute | Data passing through application requests (IP address, request content) | United States / Global CDN |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting | Error context (may include session identifiers and limited request data; configured to minimize PII) | United States |
| Checkly, Inc. | Uptime and API monitoring | API endpoint responses (synthetic monitoring; minimal PII) | United States / EU |

7.2 Changes to Sub-Processors

Proxiant shall provide at least thirty (30) days' advance notice to the Controller of any intended addition or replacement of a Sub-Processor. Such notice will be provided by email to the Controller's account email address or via notification within the Platform. The Controller may object to the new or replacement Sub-Processor within 15 days of the notice by notifying Proxiant in writing at privacy@proxiant.co. If the Controller objects and Proxiant cannot reasonably accommodate the objection, the Controller may terminate the applicable services upon 30 days' notice to Proxiant, with a pro-rata refund of any prepaid fees for the unused period.

7.3 Updated Sub-Processor List

An up-to-date list of current Sub-Processors is available upon request at privacy@proxiant.co.

8. Security Measures

Proxiant implements the following technical and organizational measures to protect Personal Data processed on behalf of Controllers. These measures are designed to provide a level of security appropriate to the risk, taking into account the nature of the data, the volume of data subjects, and the categories of Personal Data involved:

8.1 Encryption

  • Encryption at rest: All Personal Data stored in Proxiant's production database and file storage is encrypted at rest using AES-256 encryption.
  • Encryption in transit: All data transmitted between end-user clients (browsers, mobile apps, API consumers) and Proxiant infrastructure is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled. Proxiant enforces HTTPS-only access across all Platform endpoints.

8.2 Access Controls

  • Tenant isolation: Row-Level Security (RLS) policies are enforced at the database level to ensure that one Controller's data is inaccessible to other Controllers' accounts.
  • Personnel access: Access to production systems containing Personal Data is limited to Proxiant personnel who require it to perform their job functions. All personnel with production system access are required to use multi-factor authentication.
  • Principle of least privilege: Proxiant applies least-privilege access principles, granting personnel only the minimum level of access required for their responsibilities.
  • Access logging: Access to production infrastructure is logged and subject to periodic review.

8.3 Availability and Resilience

  • Proxiant uses redundant infrastructure and automated backup procedures to maintain availability and recoverability of Personal Data.
  • Database backups are performed on a regular schedule with point-in-time recovery capability.

8.4 Incident Detection and Response

  • Proxiant uses automated monitoring tools (including Sentry for error detection and Checkly for uptime monitoring) to detect anomalous activity that may indicate a security incident.
  • Proxiant maintains an internal security incident response process for assessing, containing, and notifying affected parties of Personal Data Breaches, as described in Section 10.

8.5 Penetration Testing

Proxiant plans to conduct periodic penetration testing of production infrastructure. Results of penetration tests are treated as confidential and used to guide remediation efforts. Penetration test summaries may be made available to Controllers upon request, subject to reasonable confidentiality conditions.

8.6 Vendor Security

Proxiant reviews the security practices of Sub-Processors prior to engagement and on an ongoing basis to ensure they maintain appropriate safeguards for Personal Data.

9. Data Subject Rights Assistance

9.1 Processor Assistance

To the extent that Data Subjects whose Personal Data is processed through the Platform exercise their rights under Applicable Data Protection Law — including rights of access, rectification, erasure, restriction of processing, data portability, and objection — and direct such requests to Proxiant, Proxiant will:

  • Promptly (within 5 business days) notify the Controller of the request;
  • Not respond to the request on the Controller's behalf without the Controller's authorization, except where required by applicable law; and
  • Cooperate with the Controller to provide whatever assistance is reasonably required to enable the Controller to fulfill its obligations to the Data Subject, including by providing the Controller with tools to export, correct, or delete Personal Data.

9.2 Controller Responsibility

The Controller is responsible for ensuring that it can fulfill its own obligations to Data Subjects under Applicable Data Protection Law. The Controller must maintain appropriate privacy notices for individuals whose data it submits to the Platform, including process service recipients, and must have a lawful basis for processing Personal Data in connection with its process serving activities.

9.3 Legal Process Directed to Proxiant

If a Data Subject obtains a court order or other legal process directed to Proxiant requiring the disclosure of Personal Data controlled by the Controller, Proxiant will promptly notify the Controller (to the extent legally permitted) and will cooperate reasonably with the Controller in seeking appropriate relief before disclosing such data.

10. Data Breach Notification

10.1 Notification Obligation

In the event that Proxiant becomes aware of a confirmed Personal Data Breach affecting Personal Data processed on behalf of the Controller, Proxiant shall notify the Controller without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach, to the extent permitted by law.

10.2 Content of Notification

Proxiant's notification will include, to the extent then known:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate volume of Personal Data records affected;
  • The name and contact details of Proxiant's data protection contact (privacy@proxiant.co);
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

Where all required information is not available at the time of initial notification, Proxiant will provide it in phases as it becomes available, without undue further delay.

10.3 Controller Notification Obligations

The Controller is responsible for determining whether a breach requires notification to supervisory authorities or Data Subjects under Applicable Data Protection Law, and for making any such notifications. Proxiant will reasonably cooperate with the Controller in fulfilling these obligations.

10.4 No Admission of Fault

Proxiant's notification of a Personal Data Breach does not constitute an acknowledgment of fault or liability for the breach.

11. International Data Transfers

11.1 Primary Data Location

Proxiant's primary infrastructure is located in the United States. Personal Data processed through the Platform is primarily stored and processed in the United States.

11.2 Sub-Processor Transfers

Some Sub-Processors listed in Section 7 may operate infrastructure in the European Union or other jurisdictions. Where Personal Data originating from the European Economic Area, United Kingdom, or Switzerland is transferred to a Sub-Processor in a country not subject to an adequacy decision, Proxiant shall ensure that such transfers are made subject to appropriate transfer mechanisms, such as Standard Contractual Clauses or equivalent safeguards.

11.3 Controller Instructions for Transfer Restrictions

If the Controller requires that Personal Data not be transferred outside a specific jurisdiction, the Controller must notify Proxiant in writing at privacy@proxiant.co. Proxiant will use commercially reasonable efforts to accommodate such restrictions, but cannot guarantee that all Sub-Processor infrastructure can be geographically restricted. Where Proxiant cannot accommodate a requested restriction, it will notify the Controller and the Controller may terminate affected services.

11.4 Standard Contractual Clauses

Where required by Applicable Data Protection Law, Proxiant is willing to enter into Standard Contractual Clauses (as approved by the European Commission under Commission Implementing Decision (EU) 2021/914) with Controllers subject to GDPR. To request SCCs, contact privacy@proxiant.co.

12. Term and Termination

12.1 Term

This DPA shall remain in effect for so long as the Terms of Service are in effect between Proxiant and the Controller. This DPA automatically terminates upon termination of the Terms of Service.

12.2 Survival of Deletion Obligations

Proxiant's obligations regarding the deletion or return of Personal Data under Section 6.7 survive the termination of this DPA and the Terms of Service. Proxiant shall complete the deletion of Personal Data from production systems within the timeframe described in the Privacy Policy (within 90 days following the end of the 30-day Export Window).

12.3 Ongoing Legal Obligations

Nothing in this Section 12 shall affect Proxiant's obligations to retain data as required by applicable law or as necessary for defense of legal claims.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of [State TBD], consistent with the governing law provisions of the Terms of Service. Notwithstanding the foregoing, where the Controller is subject to GDPR or UK GDPR, the parties agree that: (a) the provisions of this DPA shall be interpreted in accordance with applicable data protection law; and (b) Standard Contractual Clauses, if executed, shall be governed by the law specified therein.

14. Contact

For questions about this DPA, data protection practices, or to exercise rights under this DPA, please contact:

  • Email (data protection): privacy@proxiant.co
  • General support: hello@proxiant.co
  • Website: proxiant.co/contact

To request Standard Contractual Clauses, a formal DPA countersignature, a copy of the current Sub-Processor list, or a summary of penetration test results, submit your request to privacy@proxiant.co with the subject line "DPA Request."

Note for enterprise customers: Enterprise customers requiring a countersigned DPA, custom data processing terms, a Business Associate Agreement (BAA) for HIPAA-adjacent use cases, or Standard Contractual Clauses should contact privacy@proxiant.co. We will work with you to execute appropriate documentation.

This Data Processing Agreement is incorporated into and forms part of the Proxiant Terms of Service. In the event of any conflict between the terms of this DPA and the Terms of Service with respect to processing of Personal Data, this DPA shall prevail. The invalidity or unenforceability of any provision of this DPA shall not affect the validity or enforceability of any other provision.
