Data Processing Agreement (DPA)

Updated: November 12, 2021

This data processing agreement (DPA), pursuant to art. 28 General Data Protection Regulation (GDPR), is made between the following parties:

Controller: a customer of Panelfox (“Customer”, “you”);

Processor: Panelfox LLC ("Panelfox," "we," "our", or “us”).

Subject Matter

The subject matter of this DPA and the thereto related processing activities result from the Terms of Service Agreement (“Agreement”) between you and Panelfox. This DPA amends and supplements your Agreement and requires no further action on your part.

The parties agree that to the extent Panelfox operates and manages the Service, Panelfox is acting as a processor under data protection laws on the Customer’s behalf, and the Customer is acting as the controller under data protection laws for the Customer’s end users.


The term of this DPA corresponds to the term of the Agreement.

Categories of Personal Data

The categories of personal data processed are:

  • personal data
  • contact data
  • customer history
  • data related to user behavior within Customer’s software product (including, but not limited to, user events and properties)
  • data related to communication (email and other types of messages) between the Customer and their end users
  • aggregated data and analytics gained by processing any of the above data categories
  • other Customer and end user data required for fulfilling the purpose of the Service

Categories of Data Subjects

The personal data collected and processed related to:

  • customers
  • potential customers
  • employees, subcontractors, collaborators
  • processors
  • authorised agents

Data Transfers

The Customer acknowledges that, in connection with the Services, personal data will be transferred to Panelfox in United States or Germany (this is your choice during signup).

Rectification, Restriction and Erasure of Data

  1. The Processor may not rectify, erase or restrict the processing of data that is being processed on the Controller's behalf at its own initiative but only upon documented instructions by the Controller, unless the Controller violates the Terms of Service and their access to Service is terminated as a result of such violation.
  2. Should a Data Subject contact the Processor directly concerning a rectification, erasure, or restriction of processing, the Processor shall immediately forward such Data Subject’s request to the Controller. The requests of erasure, rectification, data portability and access shall be fulfilled by the Processor in accordance with documented instructions by the Controller without undue delay.

Quality Assurance and Other Duties of the Processor

In addition to complying with the provisions of this DPA, the Processor commits to meet all applicable statutory requirements set forth at Articles 28 to 33 GDPR. Therefore the Processor ensures, in particular, compliance with the following requirements:

  1. Appointment of a Data Protection Officer (DPO). The current DPO is:
    1. Michael Mukhin Email address:
    2. The Processor shall inform the Controller without delay about any changes of Data Protection Officer.
  2. Confidentiality. Processing activities under this DPA shall only be performed by such employees or collaborators and agents that have been instructed by the Processor about the appropriate dealing with personal data and have been contractually subjected to confidentiality pursuant to art. 28 par. 3 (b) and art. 32 GDPR. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless upon instructions by the Controller, including the powers granted under this DPA, unless they are required to do so by statutory law.
  3. Technical and Organizational Measures. Implementation of and compliance with all appropriate Technical and Organisational Measures in the framework of this DPA, in particular as set forth at art. 32 GDPR. The Processor shall periodically monitor the internal processes and the technical and organisational measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of data subjects' rights. The Processor shall grant verifiability of the technical and organisational measures to the Controller as part of the Controller’s supervisory powers referred to in sec. 7 of this contract.
  4. Cooperation with Supervisory Authorities. The Controller and the Processor shall cooperate, on request, with the supervisory authority. The Controller shall be informed immediately of any inspections and measures executed by the supervisory authority, insofar as they relate to the activities under this DPA. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any provision regarding the processing of personal data in connection with the processing of this DPA. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative fine, a preliminary injunction or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the processing of data by the Processor as of this DPA, the Processor shall make every effort to support the Controller.


  1. The Processor may outsource part of the processing activities pursuant to this DPA to Subprocessors that, as far as legally required.
  2. The Processor currently commissions the following Subprocessors - list of Subprocessors.
  3. The transfer of personal data to any Subprocessor shall only take place after all above-mentioned conditions for the appointment of Subprocessors have been met.
  4. The Processor shall bear full responsibility and liability for the activities of its Subprocessors. Any change in the list of Subprocessors shall be notified to the Controller without undue delay, giving the Controller the option to object. In case of objection, the Processor retains the right to terminate the Contract with the Controller without notice.


Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents. Furthermore, each party commits to indemnify the other party against any claim exerted by third parties due to or in connection with any culpable infringement by the respectively other party.

Deletion and Return of Personal Data

  1. The Processor shall not create copies or duplicates of the data without the Controller's knowledge and consent, except for backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
  2. After conclusion of the provision of services, the Processor shall, at the Controller's choice, delete in a data-protection compliant manner or return to the Controller all the personal data collected and processed under this DPA, unless any applicable legal provision requires further storage of the personal data. In any case the Processor may retain all information necessary to demonstrate orderly and compliant processing activities beyond termination of the Contract, in accordance with the statutory retention periods.
  3. Documentation which is used to demonstrate orderly data processing in accordance with the DPA shall be stored beyond the contract term by the Processor in accordance with the respective retention periods. It may hand such documentation over to the Controller at the end of the contract duration to relieve the Processor of this contractual obligation.


Should you have any questions, or need a signed version of this DPA, please contact us at

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us