1. Parties
This DPA is entered into between:
- Controller — the Customer identified in the underlying Agreement or Order Form, acting as the data controller of the Personal Data processed under this DPA ("Controller", "you").
- Processor — Gixodia, the software licensor, acting as a data processor on behalf of the Controller ("Processor", "Gixodia", "we").
By accepting the Gixodia Terms and Conditions and/or entering into an Order Form, the Controller is deemed to have entered into this DPA. A countersigned version can be provided on request to support@gixodia.com.
2. Definitions
For the purposes of this DPA, the following terms have the meaning given to them below. Capitalised terms not defined here have the meaning given in the GDPR.
- "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the Swiss FADP, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and any implementing or successor legislation.
- "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined in GDPR Article 4(7).
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates (GDPR Article 4(1)).
- "Personal Data" means any information relating to a Data Subject that is Processed by the Processor on behalf of the Controller under the Agreement (GDPR Article 4(1)).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed (GDPR Article 4(12)).
- "Processing" means any operation or set of operations performed on Personal Data, as defined in GDPR Article 4(2).
- "Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller (GDPR Article 4(8)).
- "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
3. Subject Matter and Duration
3.1 Subject matter. The subject matter of this DPA is the Processing of Personal Data by Gixodia on behalf of the Controller in connection with the provision of the Gixodia software, license management, customer support, and related services described in the underlying Agreement.
3.2 Duration. This DPA applies from the effective date of the underlying Agreement and remains in force for as long as Gixodia Processes Personal Data on behalf of the Controller. Clauses that by their nature are intended to survive termination (confidentiality, liability, return/deletion of data) shall survive.
4. Nature and Purpose of Processing
The Processor shall Process Personal Data only for the following purposes, which are necessary to provide the services contracted by the Controller:
- Creating, managing, and authenticating Controller accounts and end-user licenses.
- Delivering software downloads, updates, and patches.
- Providing technical support and troubleshooting.
- Processing payments and issuing invoices (via payment sub-processors).
- Ensuring security, integrity, and availability of the services (including fraud and abuse prevention).
- Complying with legal obligations to which the Processor is subject.
The Processor shall not Process Personal Data for any other purpose unless expressly instructed in writing by the Controller or required by Union or Member State law, in which case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5. Categories of Data Subjects and Personal Data
5.1 Categories of Data Subjects:
- Controller's employees, contractors, and authorised users of the Gixodia software.
- Controller's administrators, billing contacts, and technical contacts.
5.2 Categories of Personal Data:
- Identity data: full name, job title.
- Contact data: email address, phone number, postal address.
- Account data: username, encrypted password, license key, activation status.
- Technical data: IP address, device identifier, operating system, software version, log files.
- Usage data: feature usage, error reports, support ticket history.
- Payment data: billing contact, VAT number, invoice history. (Card data is handled directly by PCI-DSS certified payment processors and never touches Gixodia systems.)
5.3 Special categories of Personal Data. The services are not intended for the Processing of special categories of Personal Data (GDPR Article 9) or criminal-conviction data (Article 10). The Controller shall not submit such data to the services.
6. Obligations of the Processor (GDPR Art. 28(3))
The Processor shall:
- (a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law.
- (b) Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Take all measures required pursuant to Article 32 GDPR (security of processing) — see Section 8 below.
- (d) Respect the conditions referred to in paragraphs 2 and 4 of Article 28 GDPR for engaging another processor — see Section 9 below.
- (e) Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III GDPR.
- (f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of Processing and the information available to the Processor.
- (g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage.
- (h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller — see Section 14 below.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
7. Confidentiality
The Processor shall ensure that all personnel authorised to Process Personal Data are bound by written confidentiality obligations or are subject to statutory obligations of confidentiality. Access to Personal Data is granted on a strict need-to-know basis. Confidentiality obligations shall survive termination of the Agreement.
8. Security Measures (GDPR Article 32)
Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, as well as the risks to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption in transit: TLS 1.3 for all data in transit between the Controller, end users, and the Processor's infrastructure.
- Encryption at rest: AES-256 encryption for Personal Data stored in databases and backups.
- Access control: Role-based access control (RBAC), least-privilege principle, multi-factor authentication (MFA) required for all Processor personnel with access to production systems.
- Network security: Web Application Firewall (WAF), DDoS mitigation, intrusion detection, vulnerability scanning.
- Logging and monitoring: Centralised audit logs retained for at least 12 months; anomaly detection; 24/7 monitoring of critical systems.
- Business continuity: Daily encrypted backups, geographically redundant storage, tested disaster-recovery procedures.
- Secure development: Code review, static analysis, dependency scanning, secrets management, secure SDLC.
- Physical security: All production infrastructure is hosted in Tier III+ data centres operated by sub-processors holding SOC 2 Type II and ISO/IEC 27001 certifications.
- Personnel security: Background checks where legally permitted, security training, signed confidentiality agreements.
- Incident response: Documented and regularly tested incident-response plan.
- Pseudonymisation and data minimisation: where technically feasible and appropriate to the risk.
- Regular testing and evaluation: of the effectiveness of technical and organisational measures.
A detailed description of current security measures is available on request to support@gixodia.com under a mutual NDA.
9. Sub-processors
9.1 General authorisation. The Controller grants the Processor general authorisation to engage Sub-processors for the Processing of Personal Data, subject to the requirements of this Section 9.
9.2 Current Sub-processors. The current list of Sub-processors is published at https://gixodia.com/legal/subprocessors and forms an integral part of this DPA.
9.3 Notification of changes. The Processor shall notify the Controller of any intended addition or replacement of Sub-processors at least 30 days in advance by updating the Sub-processors page and, where the Controller has subscribed, by email.
9.4 Right to object. The Controller may object, on reasonable data-protection grounds, to any new Sub-processor within 15 days of notification. If the objection cannot be resolved, the Controller may terminate the affected services without penalty as its sole and exclusive remedy.
9.5 Flow-down obligations. The Processor shall impose on each Sub-processor data-protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
9.6 Liability for Sub-processors. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
10. Assistance with Data Subject Rights
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as reasonably possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects to exercise their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). If a Data Subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller without responding to the Data Subject (unless legally required to do so).
11. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach, and in any event within 72 hours where feasible. The notification shall, at minimum and to the extent available at the time:
- Describe the nature of the breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned.
- Communicate the name and contact details of the Processor's Data Protection contact (support@gixodia.com).
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to address the breach and mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
12. Data Protection Impact Assessments (DPIA) and Prior Consultation
Taking into account the nature of Processing and information available, the Processor shall provide reasonable assistance to the Controller with any data-protection impact assessments (Article 35 GDPR) and with prior consultations with supervisory authorities (Article 36 GDPR) that the Controller reasonably considers necessary.
13. Deletion or Return of Personal Data
Upon termination or expiry of the Agreement, or at any earlier time on the Controller's written request, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- Delete all Personal Data and certify to the Controller that it has done so.
Deletion shall occur within 30 days of termination, unless Union or Member State law requires storage of the Personal Data, in which case the Processor shall inform the Controller of that requirement and shall protect the confidentiality of the Personal Data and not actively Process it. Standard encrypted backups will be overwritten in the normal backup rotation cycle (no longer than 90 days).
14. Audits and Inspections
14.1 Audit rights. The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or a mutually agreed third-party auditor.
14.2 Audit procedure. Audits shall be conducted: (a) at the Controller's expense; (b) during normal business hours with at least 30 days' prior written notice; (c) no more than once per 12-month period, except where required following a Personal Data Breach or by a supervisory authority; (d) in a manner that does not unreasonably interfere with the Processor's operations and respects the confidentiality and security of other customers' data.
14.3 Third-party reports. The Processor may satisfy its audit obligations by providing the Controller with the most recent SOC 2 Type II reports, ISO/IEC 27001 certificates, or equivalent independent assessments of the Processor and its Sub-processors.
15. International Transfers
15.1 Transfers outside the EEA. Where Personal Data is transferred from the EEA, UK, or Switzerland to a third country that has not been the subject of an adequacy decision by the European Commission, the parties shall rely on:
- the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor), which are hereby incorporated into this DPA by reference and deemed executed by the parties;
- for UK transfers, the International Data Transfer Addendum issued by the UK Information Commissioner (version B1.0) as a supplement to the SCCs;
- for Swiss transfers, the SCCs with the amendments recommended by the FDPIC.
15.2 Module selection. Module Two (Controller to Processor) applies where Gixodia acts as a Processor for the Controller. Module Three (Processor to Processor) applies between the Processor and its Sub-processors.
15.3 Additional safeguards. Where required by the Schrems II decision and EDPB Recommendations 01/2020, the Processor shall implement supplementary technical, contractual, and organisational measures to ensure an essentially equivalent level of protection.
16. Liability and Indemnities
The liability of each party under this DPA is subject to the limitations of liability set forth in the underlying Agreement. Nothing in this DPA shall limit or exclude either party's liability to Data Subjects under Article 82 GDPR or under any other Applicable Data Protection Law to the extent such limitation is prohibited.
17. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the underlying Agreement, save that where this DPA gives effect to the GDPR or other mandatory data-protection law, the mandatory provisions of such law shall apply. The parties submit to the exclusive jurisdiction of the courts specified in the Agreement, without prejudice to Data Subjects' rights to bring claims in their place of habitual residence.
18. Order of Precedence
In the event of any conflict between this DPA and the underlying Agreement, this DPA shall prevail to the extent of the conflict in matters relating to the Processing of Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
19. Contact
For any matter relating to this DPA, including requests for a countersigned copy, audit requests, or Personal Data Breach notifications, please contact:
Email: support@gixodia.com
Subject line: DPA — [Controller name] — [matter]
Version History
- v1.0 — 2026-04-15 — Initial publication incorporating 2021/914 SCCs, UK IDTA, and Swiss FDPIC guidance.