GDPR Article 28 DPA

Data Processing Agreement — NoxReg

Reference: NXR-DPA-001
Version: 1.0
Date: April 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between NoxReg S.à r.l. (“Processor”) and the subscribing organisation (“Controller”), and governs the processing of personal data in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Controller: The subscribing organisation that determines the purposes and means of processing personal data.
Processor: NoxReg S.à r.l., which processes personal data on behalf of the Controller.
Sub-processor: Any third party engaged by NoxReg to process personal data in connection with the services.

2. Subject Matter and Details of Processing

Subject matter: Operation of the NoxReg Regulatory Intelligence Platform.
Duration: For the duration of the active subscription, plus 2 years post-cancellation retention.
Nature: Hosting, storage, authentication, email delivery, and AI-assisted classification of regulatory content.
Purpose: Delivering regulatory intelligence monitoring services to the Controller's authorised users.
Data subjects: The Controller's employees and authorised users who access NoxReg.
Categories of data: Work email address, name (if provided), usage logs, filter preferences, and saved watch terms. No special categories of personal data are processed.

3. Processor Obligations

NoxReg, acting as Processor, undertakes to:

  • Process personal data only on documented instructions from the Controller (the Terms of Service constitute such instructions), and notify the Controller if an instruction infringes GDPR.
  • Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: TLS 1.3 in transit, AES-256 at rest, row-level security at the database layer, and access controls requiring auditable justification for NoxReg staff access.
  • Not engage a sub-processor without prior specific or general written authorisation from the Controller. NoxReg operates under the general authorisation model — the current sub-processor list is provided in Section 5.
  • Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) insofar as possible given the nature of the processing.
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).
  • At the Controller's choice, delete or return all personal data upon termination of the service, and delete existing copies unless EU law requires retention.
  • Make available all information necessary to demonstrate compliance with Article 28, and allow and contribute to audits conducted by the Controller or an auditor mandated by the Controller.

4. Controller Obligations

  • Ensure there is a lawful basis for processing personal data via NoxReg (typically GDPR Article 6(1)(b) — contract performance, or Article 6(1)(f) — legitimate interests).
  • Ensure that data subjects whose data is processed via NoxReg have been informed of such processing in accordance with GDPR Articles 13–14.
  • Authorise only legitimate users to access NoxReg, and promptly notify NoxReg of any unauthorised access or suspected breach.

5. Sub-processors

NoxReg uses the following sub-processors. The Controller grants general authorisation for their use. NoxReg will notify the Controller of changes with 14 days' advance notice.

Sub-processor | Purpose | Location | Transfer Mechanism
Supabase | Database & Authentication | EU West (Ireland) | EU Data Residency
Vercel | Application Hosting | Global CDN (data processed in EU) | SCCs
Resend | Transactional Email | EU | EU Data Residency
Anthropic | AI Classification (regulatory text only, no personal data) | USA | SCCs

Note: Anthropic processes only anonymised regulatory document text — no subscriber personal data is transmitted to Anthropic's API.

6. Security Measures

NoxReg implements the following technical and organisational measures (TOMs) pursuant to GDPR Article 32:

Encryption in transit: TLS 1.3 for all connections.
Encryption at rest: AES-256 via Supabase managed PostgreSQL.
Access control: Row-level security at the database layer. Principle of least privilege applied to all NoxReg staff access.
Authentication: Email/password with bcrypt hashing via Supabase Auth. OAuth (Google) available.
Availability: Hosted on Vercel with 99.9% SLA. Daily database backups via Supabase with point-in-time recovery.
Incident response: Security incidents affecting subscriber data reported within 72 hours per GDPR Article 33.

7. Data Subject Rights

NoxReg will, upon written request from the Controller, assist in responding to data subject rights requests within the timeframes required by GDPR. Data subjects may exercise the following rights: access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), portability (Article 20), and objection (Article 21). Requests should be directed to the Controller in the first instance, who may then engage NoxReg for technical assistance.

8. Data Breach Notification

NoxReg will notify the Controller without undue delay upon becoming aware of a personal data breach affecting data processed under this DPA. Notification will include: (a) the nature of the breach and categories of data affected; (b) the likely consequences; (c) measures taken or proposed to address the breach. The Controller remains responsible for notifying the relevant supervisory authority within 72 hours per GDPR Article 33.

9. Audit Rights

The Controller may request an audit of NoxReg's data processing activities. Audits must be requested in writing with at least 30 calendar days' notice, conducted during normal business hours, and carried out no more than once per calendar year unless a specific incident warrants additional review. NoxReg may satisfy audit requests by providing relevant certifications, third-party audit reports, or questionnaire responses.

10. Governing Law

This DPA is governed by the laws of the Grand Duchy of Luxembourg and the GDPR as implemented in Luxembourg law. Any disputes shall be subject to the exclusive jurisdiction of the courts of Luxembourg City, without prejudice to any mandatory provisions of the Controller's jurisdiction that cannot be contractually excluded.