Soryx
Legal

Data Processing Agreement

This DPA applies where Soryx processes personal data on behalf of a Business customer. It satisfies Article 28 GDPR and incorporates the EU Standard Contractual Clauses for any onward transfer.

Last updated

1. Scope and roles

This Data Processing Agreement (“DPA”) forms part of the agreement between the Business customer (“Customer”) and Soryx Data Protection Ltd (“Soryx”) for the provision of the Soryx service.

  • For personal data of the Customer’s end users that Soryx processes on the Customer’s instructions, the Customer is the controller and Soryx is the processor.
  • For data Soryx processes to operate, secure, and bill the service itself, Soryx acts as an independent controller under its Privacy Policy.

2. Subject-matter and details of processing

Article 28(3) processing details
ElementDetail
Subject-matterDetection and erasure of end users’ exposed personal data
DurationFor the term of the underlying agreement
Nature & purposeScanning data brokers and submitting Article 17 erasure requests
Categories of dataIdentity and contact identifiers, exposure findings, breach records
Categories of data subjectThe Customer’s employees and enrolled end users

3. Soryx's obligations as processor

  • Process personal data only on the Customer’s documented instructions, including for transfers, unless required by EU or Member State law.
  • Ensure personnel authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures set out in Section 6 (Article 32).
  • Respect the conditions in Section 4 for engaging subprocessors.
  • Assist the Customer in responding to data-subject requests and with security, breach-notification, and DPIA obligations (Articles 32-36).
  • On termination, delete or return all personal data at the Customer’s choice, and delete existing copies unless retention is legally required.
  • Make available all information necessary to demonstrate compliance and allow for and contribute to audits.

4. Subprocessors

The Customer grants Soryx general authorisation to engage the subprocessors listed at /legal/subprocessors. Soryx imposes data-protection obligations on each subprocessor that are no less protective than this DPA, and remains liable for their performance. Soryx will give the Customer at least 30 days’ notice of any intended addition or replacement, during which the Customer may object on reasonable grounds.

5. International transfers - EU SCCs

Personal data is hosted in the EU (AWS eu-west-1, Ireland). Where any processing or transfer takes place outside the EEA without an adequacy decision, the parties incorporate the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 by reference.

Module Two (Controller-to-Processor) applies between the Customer (data exporter) and Soryx (data importer). For onward transfers to subprocessors, the relevant module applies between Soryx and that subprocessor.

SCC docking clauses

  1. Clause 7 (docking) applies.
  2. Clause 9 - Option 2 (general written authorisation) applies, with the 30-day notice period in Section 4.
  3. Clause 11 - the optional independent dispute-resolution body does not apply.
  4. Clause 17 - the Clauses are governed by the law of Ireland.
  5. Clause 18 - disputes are resolved before the courts of Ireland.
  6. Annexes I, II and III are completed by the details in this DPA, the security measures in Section 6, and the published subprocessor list respectively.

6. Security measures (Annex II)

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
  • Logical access controls, least-privilege roles, and multi-factor authentication for staff.
  • Network isolation within a private EU VPC; no public database access.
  • Audit logging of access to identity data and administrative actions.
  • Regular backups, tested restoration, and a documented incident-response plan.
  • Vendor due diligence and Article 28 contracts with every subprocessor.

7. No model training

Soryx does not use Customer personal data to train, fine-tune, or improve any machine-learning or artificial-intelligence model. Where Soryx uses AI features (e.g. via Amazon Bedrock), data is processed solely to deliver the requested output for that user, is not retained by the model provider for training, and is bound by Soryx’s AI Policy.

8. Data breaches

Soryx will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting Customer data, and will provide the information the Customer needs to meet its own Article 33/34 obligations.

9. Liability and term

Liability under this DPA is subject to the limitations in the underlying agreement. This DPA takes effect when the underlying agreement does and continues for as long as Soryx processes Customer personal data. It is governed by the laws of Ireland.

Encrypted · EU-hosted · Never sold · Delete anytime

Questions about this document? Email privacy@matrix.eu or write to our Data Protection Officer at dpo@matrix.eu. This page is provided for transparency and does not constitute legal advice.