This Oxylabs AI Studio Data Processing Agreement ("DPA") forms part of, and governs the processing of Personal Data by Oxylabs, acting as the Processor, on behalf of the Customer, acting as the Controller, in connection with the provision of Services by Oxylabs to the Customer. Oxylabs provides the services to the Customer under the Oxylabs AI Studio Terms of Service, together with any additional documents referenced therein (collectively, the "Agreement").
To the extent that this DPA conflicts with the terms of the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data. This DPA reflects the Parties' agreement concerning the processing of Personal Data in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
1.1. All definitions used in this DPA shall have the meaning set forth in the Agreement, unless otherwise defined herein. In addition, terms used in this DPA that are defined under Data Protection Legislation (as applicable) should be interpreted in accordance with such definitions.
1.2. “Services” means the services provided by Oxylabs to the Customer as described in the Agreement.
1.3. “Data Protection Legislation” means all applicable data protection and privacy laws and regulations in force from time to time in the European Union, including but not limited to the GDPR as well as any national laws or regulations implementing, supplementing, or replacing the GDPR, and any applicable laws of other jurisdictions that may apply to the processing of Personal Data under this DPA.
1.4. “EEA” means the European Economic Area.
1.5. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914, or any successor clauses that amend, replace, or supersede these.
1.6. “Subprocessor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller under this DPA.
1.7. “Supervisory Authority” means an independent public authority responsible for monitoring and enforcing compliance with Data Protection Legislation, including, where applicable, the lead supervisory authority as defined under the GDPR.
2. Processing of Personal Data
2.1. The Processor shall process Personal Data solely: (i) on behalf of the Controller for the purpose of providing and supporting the Services; (ii) in accordance with the documented instructions of the Controller, as outlined in the Agreement and this DPA; or (iii) where required to do so by European Union or Member State law to which the Processor is subject. In such cases, the Processor shall, to the extent permitted by applicable law, inform the Controller of that legal requirement before processing the Personal Data.
2.2. The details of the processing activities, including the categories of Personal Data, the categories of Data Subjects, and the purposes of the processing, are set out in Annex I (Details of Processing of Personal Data) to this DPA.
2.3. The Processor shall promptly inform the Controller if, in its opinion, an instruction from the Controller infringes Data Protection Legislation.
3. Personal Data Security
3.1. The Processor shall implement and maintain appropriate technical and organizational measures, as described in Annex II (Technical and Organizational Data Security Measures) to this DPA, to ensure a level of security appropriate to the risk, including measures relating to personnel, facilities, hardware, software, storage, networks, access controls, monitoring, logging, vulnerability management, breach detection, incident response, and encryption, to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, and to safeguard the rights of Data Subjects.
3.2. The Processor shall also take reasonable steps to ensure that any persons authorized to process Personal Data are subject to appropriate obligations of confidentiality and handle Personal Data in accordance with this DPA.
4. Obligations of the Controller
4.1. The Controller shall comply with all applicable obligations under Data Protection Legislation.
4.2. The Controller represents, warrants, and undertakes that it has obtained, and will maintain throughout the term of this DPA, all necessary rights, consents, and authorizations required to provide the Personal Data to the Processor and to permit the Processor to process, use, disclose, retain, and otherwise handle such Personal Data in accordance with this DPA, the Agreement, and the documented instructions provided by the Controller.
4.3. Without prejudice to the Processor's security obligations set out in Clause 3 of this DPA, the Controller acknowledges and agrees that it is solely responsible for certain configurations and design decisions relating to the Services, and for implementing such configurations and design decisions in a secure manner that complies with applicable Data Protection Legislation.
5. Subprocessors
5.1. As of the moment the Customer becomes bound by the Agreement, which occurs upon registering on the Dashboard or commencing use of the Services, the Customer hereby grants the Processor a general written authorization to engage Subprocessors on its behalf as necessary to fulfil the Processor’s obligations under this DPA. The Parties acknowledge and agree that, to the fullest extent allowed under Data Protection Legislation, this DPA will serve as the Customer’s general written authorization for the Processor to subcontract the processing of the Customer’s Personal Data.
5.2. The Processor shall maintain an up-to-date list of Subprocessors. This list shall be made available to the Customer (Controller) upon request.
5.3. The Processor shall notify the Customer in writing of any intended additions or replacements of Subprocessors at least 7 (seven) business days before such engagement, thereby allowing the Customer to object to such changes. If the Customer objects to the engagement of a new Subprocessor on reasonable data protection grounds, the Processor shall make reasonable efforts to address the Customer’s concerns. If the Parties are unable to reach an agreement, the Customer shall have the right to terminate the Agreement concerning the affected processing.
5.4. The Processor shall: (i) ensure that a written contract is concluded with each Subprocessor, imposing data protection obligations equivalent to those set out in this DPA; and (ii) upon request, provide the Customer with details of any engaged Subprocessors.
6. Data Subject Rights and Requests from Authorities
6.1. The Processor shall promptly, and in any event no later than seven (7) working days after receipt, notify the Controller of any request it receives from a data subject concerning the exercise of their rights under Data Protection Legislation, where such request relates to Personal Data processed by the Processor on behalf of the Controller. The Processor shall provide the Controller with all details of the request. The Processor shall not respond to such a request directly, unless the Processor has been expressly authorized to do so in writing by the Controller.
6.2. Where the Controller, in its use of the Services, does not have the technical or practical means to address a data subject request, the Processor shall, upon the Controller’s documented request, provide reasonable assistance to the Controller to enable the fulfilment of the Controller's obligations to respond to such data subject requests, to the extent the response is required under Data Protection Legislation.
6.3. Taking into account the nature of the processing activities and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller to enable compliance with any legally required assessment, enquiry, notification, or investigation by a competent supervisory authority under applicable Data Protection Legislation, including but not limited to the GDPR.
6.4. The Processor shall promptly notify the Controller if it receives a legally binding request from a public authority, including judicial authorities, for access to or disclosure of Personal Data processed on behalf of the Controller. Such notifications shall include all information available to the Processor regarding the request or access, unless such notification is prohibited by applicable law.
6.5. Where applicable law prohibits the Processor from notifying the Controller of a public authority request, the Processor undertakes to use its best efforts to obtain permission to inform the Controller, to provide the Controller with the maximum amount of information permitted by law, as soon as possible.
6.6. If the Processor has reasonable grounds to believe that a public authority request for access to or disclosure of Personal Data is unlawful or exceeds the authority's legal powers, the Processor shall, where reasonably possible and permissible under applicable law, challenge the request and seek interim protective measures. In all cases, the Processor shall interpret such requests narrowly and disclose only the minimum amount of Personal Data required to comply with the request.
7. Data Security Breaches
7.1. Upon becoming aware of any actual or suspected personal data breach, including any unauthorized or unlawful processing, access, or other security incident affecting the Customer’s Personal Data (a “Data Breach”), the Processor shall, without undue delay, take all necessary steps to contain and mitigate the Data Breach and notify the Customer. The Processor shall use reasonable efforts to cooperate with and assist the Customer in fulfilling its obligations under applicable Data Protection Legislation, considering the nature of the processing and the information available to the Data Processor.
7.2. The Processor shall notify the Customer without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Data Breach affecting the Personal Data. Such notification shall provide the Customer with sufficient information to enable it to comply with its obligations as controller under applicable Data Protection Legislation. At a minimum, the notification shall include: a description of the Data Breach, including the categories of affected data subjects and estimated numbers of records; contact details of the designated contact; the likely consequences for data subjects; and the actions taken or proposed by the Processor to address and mitigate the Data Breach, including, where appropriate, steps to mitigate its possible adverse effects.
7.3. The Processor shall use reasonable efforts to assist the Controller in fulfilling its obligations under applicable Data Protection Legislation to notify the relevant supervisory authority and/or affected data subjects in connection with the Data Breach.
7.4. The Processor shall not notify, disclose, or communicate any information regarding the Data Breach to any third party, including data subjects or supervisory authorities, without the prior written consent of the Controller, unless such notification is required by applicable EU or Member State law to which the Processor is subject. In such cases, and to the extent permitted by law, the Processor shall inform the Controller of the legal requirement, and consider any reasonable comments provided by the Controller before proceeding.
7.5. The Parties shall coordinate and cooperate in good faith regarding the content and timing of any public statements or legally required notifications to affected data subjects relating to the Data Breach.
8. Cooperation
8.1. The Processor shall provide commercially reasonable assistance to the Controller in connection with any data protection impact assessments, prior consultations with supervisory authorities, or similar assessments required under applicable Data Protection Legislation. Such assistance should be provided to the extent reasonably possible, taking into account the nature of the Processor’s processing of Personal Data and the information available to the Processor.
9. International Data Transfers
9.1. The Processor processes the Personal Data provided by the Controller within the EEA. To the extent that the Processor transfers Personal Data to Subprocessors located in third countries that do not benefit from an adequacy decision issued by the European Commission, such transfers shall only take place in compliance with Chapter V of the GDPR, including through the use of Standard Contractual Clauses or other appropriate safeguards as required by applicable Data Protection Legislation. Upon request, the Processor shall provide the Controller with a copy of the relevant transfer mechanism, subject to appropriate redactions to protect confidential or commercially sensitive information.
10. Deletion of Personal Data
10.1. The Processor shall retain Personal Data submitted by the Controller as part of prompts, inputs, or other interactions with the Services for a maximum period of ninety (90) days, after which such Personal Data will be securely deleted, unless retention is required by applicable law or is otherwise necessary for legitimate purposes. In such cases, the Processor shall isolate and protect the Personal Data from any further processing, except to the extent required by applicable law. This provision does not affect the Processor’s right to process non-personal data or anonymized data related to the use of the Services.
11. Controller’s Audit Rights
11.1. The Processor shall respond promptly to reasonable inquiries from the Controller regarding the processing of Personal Data under this DPA. Upon request, the Processor shall make available information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications or audit reports.
11.2. If such information is insufficient, the Controller may, with reasonable prior notice and subject to appropriate confidentiality obligations, request that the Processor cooperate with assessments, audits, or other verification measures carried out by or on behalf of the Controller. These measures shall be conducted at the Controller’s expense, in a manner that is proportionate and minimally disruptive to the Processor’s operations. The results of such measures, as well as any third-party audit summaries or certification reports shared by the Processor, shall be considered the Processor’s confidential information.
12. Final Provisions
12.1. Parties agree that this DPA shall automatically terminate upon termination of the Services.
12.2. Any obligations of the Processor relating to the processing of Personal Data that, by their nature, should survive termination shall remain in effect after the termination or expiry of this DPA. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced or interpreted in a manner that best reflects the original intent of the Parties and ensures validity and enforceability.
Annex I: Details of Processing of Personal Data
Subject matter of Personal Data processing: The Processor processes Personal Data on behalf of the Controller for the purpose of providing, maintaining, optimizing, and improving the Service as defined in the Agreement. This includes technical support, diagnostics, performance monitoring, service optimization, and other activities necessary to ensure the availability, quality, and security of the Service.
Duration of the processing: The processing of Personal Data shall occur continuously throughout the term of the Agreement.
Purpose of the processing: The processing of Personal Data is necessary for:
- Enabling access to and use of the Service by authorized users;
- Maintaining, monitoring, and supporting the Service;
- Improving the Service, including performance optimization and diagnostics;
- Ensuring security, availability, and operational integrity of the Service.
No processing will take place for purposes beyond those explicitly agreed upon or permitted by Data Protection Legislation.
Categories of data subjects: The Data Subjects whose Personal Data are processed under the Agreement are the "Users" of the Service. "Users" are individuals who are part of the Customer's organization or act on behalf of the Customer and who have been authorized, permitted, or otherwise allowed by the Customer to access or use the Service. This may include but is not limited to: employees of the Customer; contractors, consultants, temporary workers, or interns engaged by the Customer; authorized representatives, agents, or other individuals acting under the instructions of the Customer. The Customer, as the Data Controller, determines which individuals are permitted to access and use the Service and is responsible for ensuring that only authorized individuals do so.
Categories of Personal Data processed: Identification details such as name and surname; contact details such as email address and phone number; user account details and preferences; any additional Personal Data that users voluntarily provide through their use of the Service.
Processing of special categories of Personal Data (sensitive data): The Processor does not intentionally process special categories of Personal Data (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data). If the Customer and/or users choose to include such special categories of Personal Data within the Service at their own discretion, the Customer shall ensure that the processing of such data complies with the requirements of Data Protection Legislation, including the existence of a valid legal basis for such processing.
Annex II: Technical and Organizational Data Security Measures
1. The Processor ensures an adequate level of security for Personal Data as required by Data Protection Legislation. The Processor protects Personal Data from destruction, alteration, unauthorized disclosure, or unauthorized access, and safeguards it against any other unauthorized methods of processing.
2. Considering the level of development of technical capabilities, implementation costs, and the nature, scope, context, and objectives of data processing, as well as the risks to the rights and freedoms of individuals, the Processor implements appropriate technical and organizational measures to ensure a level of security that is proportionate to the risks. These measures include where applicable:
2.1. The pseudonymization and encryption of Personal Data.
2.2. Ensuring continued confidentiality, integrity, availability, and resilience of processing systems and Services.
2.3. Restoring availability and access to Personal Data promptly in the event of a physical or technical incident.
2.4. Regular assessments of the effectiveness of technical and organizational measures to verify and improve Personal Data security.
2.5. Protection of physical access: unattended premises containing computer equipment and Personal Data are locked to protect it from unauthorized use, exposure, or theft.
2.6. The Personal Data recovery process is designed to retrieve Personal Data from backups.
2.7. Control of access rights: access to Personal Data is controlled through a technical authorization system, with permissions limited to those whose work functions require access. Usernames and passwords remain confidential and non-transferable, with procedures for allocation and revocation of access rights in place.
2.8. Login tracking: it is possible to retrospectively review logins to Personal Data in databases, and the Processor checks databases and provides reports upon request.
2.9. Secure communication: external Personal Data transmissions are protected by technical measures that enable logging of access and ensure encryption in transmission channels outside systems controlled by the Processor.
2.10. Personal Data destruction: processes are in place to securely destroy it when media containing it is no longer in use.
2.11. Confidentiality agreements: agreements are in place with service providers who maintain and service equipment used to store Personal Data.
2.12. Supervision of service providers: service providers on the Processor premises are supervised, and media containing Personal Data is removed from the premises if on-site maintenance cannot be performed.
2.13. The Processor trains and manages personnel with background checks (where legally permissible) and annual and supplemental security training.
3. This list of technical and organizational data security measures is not exhaustive. The Processor may decide and implement other necessary measures.