Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of, and is governed by, the Terms of Servicebetween you ("Customer," "you") and Zaxim, a sole proprietorship operated from Kenya ("Zaxim," "we," "us"). It applies whenever Zaxim processes personal data on your behalf in connection with the Service. Where this DPA and the Terms conflict on a data-protection matter, this DPA controls.

"Applicable Data Protection Law" means all privacy and data-protection laws that apply to the processing, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, Kenya's Data Protection Act, 2019, and the California Consumer Privacy Act ("CCPA"), each as amended. Terms such as "controller," "processor," "data subject," "personal data," and "processing" have the meanings given in Applicable Data Protection Law.

1. Roles of the parties

For personal data that Zaxim processes on your behalf to provide the Service — including your clients' and recipients' details and the engagement data collected through your share links — you act as the controller (or as a processor acting for your own client) and Zaxim acts as your processor. Zaxim processes that personal data only to provide and support the Service for you, not for its own independent purposes. Zaxim remains an independent controller for the limited data it processes for its own purposes (e.g. account administration, billing, security, and product analytics), as described in our Privacy Policy.

2. Details of the processing

• Subject matter & duration: processing personal data to provide the Service, for as long as your account is active and as set out in Section 7.
• Nature & purpose: hosting and storing your content; rendering proposals, contracts, and PDFs; delivering and tracking share links; collecting e-signatures; and generating AI drafts at your request.
• Types of personal data: names, email addresses, business and contact details, the proposal and contract content you create, share-link engagement data, and e-signature audit data (signer name, email, IP address, device, and timestamp).
• Categories of data subjects: your clients and the recipients of your share links and contracts, and your own personnel or contacts.

3. Our obligations as processor

• Instructions: we process personal data only on your documented instructions. Your use of the Service, together with the Terms and this DPA, constitutes those instructions. We will tell you if we believe an instruction infringes Applicable Data Protection Law.
• Confidentiality: anyone we authorise to process the data is bound by an appropriate duty of confidentiality.
• Security: we maintain technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest where supported by our providers, scoped access tokens, and least-privilege administrative access.

4. Sub-processors

You give us general authorisation to engage sub-processors to help provide the Service. Our current sub-processors are listed at zaxim.app/subprocessors. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will update that page before a new sub-processor begins processing your data and, for material changes, give reasonable notice; if you reasonably object on data-protection grounds, you may stop using the affected part of the Service or terminate your account.

5. Data subject requests

Taking into account the nature of the processing, we will assist you, insofar as possible and by appropriate technical and organisational measures, to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will, where appropriate, direct the individual to you.

6. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf, and provide the information reasonably available to us to help you meet your own notification obligations.

7. Return or deletion

On termination of your account, we will delete or return the personal data we process on your behalf, except where Applicable Data Protection Law requires us to retain it. Backup copies are purged on a rolling basis after deletion.

8. International transfers

Personal data may be processed in countries other than your own, including the United States and within the European Union, by us and our sub-processors. Where required, we rely on appropriate safeguards — such as the relevant standard contractual clauses or the data-protection commitments of our sub-processors — to protect the data.

9. Audits and information

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA. Given the scale of our operations, we satisfy this by responding to your reasonable written requests to support@zaxim.app rather than through on-site audits, unless Applicable Data Protection Law requires otherwise.

10. Liability and governing law

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA is governed by the laws of the Republic of Kenya, and disputes are subject to the courts identified in the Terms.

11. Contact

Questions about this DPA, or to make a data-protection request? Email support@zaxim.app.