Data Processing Agreement

Last Updated: February 2026

Effective Date: February 2026


This Data Processing Agreement ("DPA") forms part of the Terms of Service between Coax ApS ("Processor" or "Coax") and the Customer ("Controller") and governs the processing of personal data by Coax on behalf of the Customer.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Danish Data Protection Act.


1. Definitions

In this DPA:

  • "Controller": The Customer entity that determines the purposes and means of processing personal data
  • "Data Subject": An identified or identifiable natural person whose personal data is processed
  • "Personal Data": Any information relating to a Data Subject as defined in GDPR Article 4(1)
  • "Processing": Any operation performed on Personal Data as defined in GDPR Article 4(2)
  • "Processor": Coax ApS, which processes Personal Data on behalf of the Controller
  • "Subprocessor": A third party engaged by the Processor to process Personal Data
  • "Data Protection Laws": GDPR and applicable Danish data protection legislation
  • "Security Incident": A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
  • "SCCs": Standard Contractual Clauses adopted by the European Commission
  • "TOMs": Technical and Organizational Measures

2. Scope and Purpose

2.1 Subject Matter

This DPA governs the processing of Personal Data by the Processor when providing the Coax SaaS management platform ("Service") to the Controller.

2.2 Duration

This DPA remains in effect for the duration of the Service agreement between the parties, plus any period during which Personal Data is retained.

2.3 Nature and Purpose of Processing

The Processor processes Personal Data to:

  • Authenticate users via Microsoft 365 OAuth
  • Access and analyze organization directory data
  • Monitor SSO sign-in activity for SaaS discovery
  • Search email metadata for billing detection
  • Process invoice attachments for cost extraction
  • Provide analytics and reporting features
  • Maintain and improve the Service

2.4 Types of Personal Data

The following categories of Personal Data are processed:

  • Identity Data: Name, email address, user ID, profile photo
  • Directory Data: Job title, department, phone number, manager relationships
  • Authentication Data: OAuth tokens (encrypted), session identifiers
  • Activity Data: Sign-in timestamps, IP addresses, device information
  • Location Data: Approximate geographic location (city/country derived from IP address)
  • Email Metadata: Sender, recipient, subject line, date (NOT body content)
  • Billing Data: Invoice amounts, billing cycles, vendor names

2.5 Categories of Data Subjects

Personal Data relates to the following categories of Data Subjects:

  • Controller's employees and contractors
  • Users with Microsoft 365 accounts in Controller's organization
  • Individuals appearing in the Controller's organization directory

3. Controller Obligations

The Controller shall:

3.1 Lawful Basis

Ensure it has a valid legal basis under GDPR Article 6 for the processing of Personal Data by the Processor, including:

  • Legitimate interest for IT administration and security
  • Contract performance for providing IT services to employees
  • Compliance with legal obligations where applicable

3.2 Data Subject Notification

Inform Data Subjects about the processing of their Personal Data, including:

  • The use of third-party processors like Coax
  • The purposes of processing
  • Their rights under Data Protection Laws

3.3 Instructions

Provide documented instructions for the processing of Personal Data. The Service agreement and this DPA constitute the Controller's documented instructions.

3.4 Compliance

Ensure that its instructions comply with Data Protection Laws and do not cause the Processor to violate applicable laws.

4. Processor Obligations

4.1 Processing on Instructions (Article 28(3)(a))

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Inform the Controller if an instruction infringes Data Protection Laws
  • Not process Personal Data for any purpose other than providing the Service

Exception: Processing required by EU or Member State law, in which case the Processor shall inform the Controller before processing (unless prohibited by law).

4.2 Confidentiality (Article 28(3)(b))

The Processor shall ensure that persons authorized to process Personal Data:

  • Have committed themselves to confidentiality or are under statutory confidentiality obligations
  • Process Personal Data only as instructed
  • Receive appropriate training on data protection obligations

4.3 Security Measures (Article 28(3)(c))

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data at rest and in transit
  • Measures to ensure ongoing confidentiality, integrity, and availability
  • Regular testing and evaluation of security measures

See Annex A: Technical and Organizational Measures (TOMs)

4.4 Subprocessors (Article 28(3)(d))

The Processor shall:

  • Not engage another processor without prior specific or general written authorization
  • Maintain a list of approved Subprocessors (see Subprocessor List)
  • Inform the Controller of intended changes to Subprocessors
  • Impose equivalent data protection obligations on Subprocessors

Authorization: The Controller provides general authorization for the Processor to engage Subprocessors, subject to:

  • Advance notice of at least 14 days before engaging new Subprocessors
  • Controller's right to object within 14 days of notification
  • Resolution of objections in good faith

4.5 Data Subject Requests (Article 28(3)(e))

The Processor shall:

  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller promptly of any requests received directly
  • Not respond to Data Subject requests without Controller authorization (except to direct them to the Controller)

The Processor provides the following assistance for each Data Subject right:

  • Access: Export of the Data Subject's data
  • Rectification: Admin tools to update data
  • Erasure: User deletion functionality
  • Restriction: Account suspension capability
  • Portability: Data export in a structured format

4.6 Security Assistance (Article 28(3)(f))

The Processor shall assist the Controller in ensuring compliance with:

  • Article 32: Security of processing
  • Article 33: Notification of Security Incidents to supervisory authority
  • Article 34: Communication of Security Incidents to Data Subjects
  • Article 35: Data protection impact assessments (upon request)
  • Article 36: Prior consultation with supervisory authorities (upon request)

4.7 Deletion and Return (Article 28(3)(g))

At the end of the Service agreement, the Processor shall, at Controller's choice:

  • Delete: Permanently delete all Personal Data within 30 days
  • Return: Provide Personal Data export in a structured format within 30 days

The Controller must request return/export within 30 days of termination. After this period, the Processor will delete all Personal Data.

Exceptions: Retention required by EU or Member State law, in which case the Processor shall inform the Controller.

4.8 Audit Rights (Article 28(3)(h))

The Processor shall:

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections

Audit Conditions:

  • Reasonable advance notice (minimum 30 days, except for urgent security matters)
  • Audits conducted during normal business hours
  • Auditor bound by confidentiality obligations
  • Controller bears costs of the audit
  • Maximum one audit per 12-month period (unless required by regulatory authority)

The Controller may request:

  • Security assessment reports (SOC 2 when available)
  • Completed security questionnaires
  • Evidence of Subprocessor compliance

5. Security Incident Notification

5.1 Notification Timing

The Processor shall notify the Controller of any Security Incident without undue delay and no later than 48 hours after becoming aware of the incident.

5.2 Notification Content

The notification shall include, to the extent known:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Name and contact details of data protection point of contact
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident

5.3 Cooperation

The Processor shall:

  • Cooperate with the Controller's investigation
  • Take reasonable steps to mitigate effects and prevent recurrence
  • Maintain records of Security Incidents
  • Assist with notifications to supervisory authorities and Data Subjects

5.4 Contact

Security Incident notifications shall be sent to the Controller's designated contact (as provided during account setup) and to: security@coaxsecurity.com

6. International Data Transfers

6.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards:

  • Standard Contractual Clauses: Applied to transfers to US-based Subprocessors
  • Adequacy Decisions: Used where applicable
  • Binding Corporate Rules: Where Subprocessors have approved BCRs

6.2 Transfer Impact Assessments

The Processor conducts and maintains Transfer Impact Assessments (TIAs) for international data transfers in accordance with the EDPB Recommendations 01/2020 and the CJEU Schrems II ruling. These assessments evaluate the legal framework in the destination country, the risk to data subjects, and the effectiveness of supplementary measures. TIAs are reviewed annually and upon any change to subprocessors or data flows. The current TIA is available upon request under NDA. See Transfer Impact Assessment.

6.3 Subprocessor Locations

See Subprocessor List for processing locations.

7. Liability

7.1 Compliance

Each party is liable for its own compliance with Data Protection Laws.

7.2 Allocation

Liability for breaches shall be allocated in accordance with GDPR Article 82 and the liability provisions in the Terms of Service.

7.3 Indemnification

The parties' indemnification obligations are set forth in the Terms of Service.

8. Term and Termination

8.1 Effective Date

This DPA is effective upon the Controller's acceptance of the Terms of Service.

8.2 Duration

This DPA remains in effect until all Personal Data is deleted or returned.

8.3 Survival

Provisions regarding data deletion, confidentiality, and liability survive termination.

9. General Provisions

9.1 Governing Law

This DPA is governed by the laws of Denmark.

9.2 Amendments

This DPA may be amended by Coax with 30 days' notice. Material changes affecting Controller rights require Controller consent.

9.3 Conflict

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning Personal Data processing.

9.4 Severability

If any provision is found unenforceable, remaining provisions remain in effect.

10. Contact Information

Data Protection Contact: privacy@coaxsecurity.com

Legal Inquiries: legal@coaxsecurity.com

Security Incidents: security@coaxsecurity.com


Annex A: Technical and Organizational Measures (TOMs)

The Processor implements the following security measures pursuant to GDPR Article 32:

A.1 Encryption

  • Encryption at Rest: AES-256-CBC for sensitive data (tokens, credentials)
  • Encryption in Transit: TLS 1.3 for all network communications
  • Key Management: Encryption keys stored securely, separate from the data they protect

A.2 Access Controls

  • Authentication: Microsoft OAuth 2.0 for user authentication
  • Session Management: Secure, HttpOnly session cookies (24-hour expiry)
  • Authorization: Role-based access control (RBAC)
  • Principle of Least Privilege: Users access only the data necessary for their role
  • Administrative Access: Limited to authorized personnel and logged

A.3 Infrastructure Security

  • Hosting: Google Cloud Platform (EU region)
  • Network Security: Virtual Private Cloud, firewall rules
  • DDoS Protection: Cloud-native DDoS mitigation
  • Container Security: Cloud Run with managed security patches

A.4 Data Protection

  • Data Minimization: Only necessary data collected and processed
  • Email Content: Processed in memory only, never stored
  • Pseudonymization: Internal IDs used where possible
  • Data Segregation: Multi-tenant isolation at database level

A.5 Monitoring and Logging

  • Audit Logging: All administrative actions logged
  • Security Monitoring: Real-time alerting for suspicious activity
  • Log Retention: Security logs retained for 30 days

A.6 Incident Response

  • Incident Detection: Automated monitoring and alerting
  • Response Plan: Documented incident response procedures
  • Notification: 48-hour notification to the Controller (see Section 5.1)
  • Post-Incident Review: Root cause analysis and remediation

A.7 Personnel Security

  • Confidentiality: All personnel bound by confidentiality agreements
  • Training: Security awareness training for all staff
  • Access Termination: Prompt access revocation upon termination of employment or engagement

A.8 Business Continuity

  • Backups: Daily automated backups
  • Recovery: Documented recovery procedures
  • Availability: Cloud-native high-availability architecture

Annex B: Approved Subprocessors

See Subprocessor List for the current list of approved Subprocessors.


This Data Processing Agreement is also available at: https://coaxsecurity.com/legal/dpa