1. Roles of the parties
For personal data processed through the platform, the Customer is the controller and Praxa Labs, Inc. is the processor. Praxa processes personal data only on the Customer's documented instructions, which include the configuration of connectors, Skills, and retention settings in the platform, and any signed order form. Where a sub-processor is used, Praxa remains responsible for its compliance.
2. Subject matter and duration
The subject matter is the provision of the Praxa platform as described in the Terms of Service. Processing lasts for the term of the subscription and the retention windows that follow it.
3. Nature and purpose of processing
- Observing artifacts in connected systems to generate a role profile and Skill.
- Running deployed Skills, including evaluation, self-validation, and audit logging.
- Providing the dashboard, support, billing, and security operations.
4. Categories of data and data subjects
- Data subjects. The Customer's personnel whose work is observed, and individuals named in observed artifacts (for example, authors and commenters).
- Categories. Identifiers and contact details, work-product content from connected systems, and operational records (run and audit logs). Customers should not configure connectors to ingest special-category data unless agreed in writing.
5. Praxa's obligations
- Process personal data only on documented instructions, including for international transfers, unless required otherwise by law (in which case we notify the Customer where permitted).
- Ensure personnel authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational measures (section 7).
- Assist the Customer, taking into account the nature of processing, with data-subject requests and with security, breach-notification, and impact-assessment obligations.
- Make available information needed to demonstrate compliance and allow for audits as described in section 9.
6. Sub-processors
The Customer authorizes Praxa to engage sub-processors to provide the platform — including cloud, database, and payment infrastructure providers. Praxa imposes data-protection obligations on each sub-processor that are no less protective than this addendum, maintains a current list, and gives the Customer reasonable prior notice of additions so the Customer may object on reasonable data-protection grounds.
7. Security measures
- Bot-user authentication — no human passwords, refresh tokens, or session cookies are requested.
- Encryption at rest; BYOK model keys encrypted with a workspace-scoped key (AES-256-GCM) wrapped by a tenant-scoped KMS data key.
- Tenant isolation enforced in code by workspace_id on every row, object key, and memory fact, with cross-tenant reads blocked at the query layer. Enterprise tenants receive infrastructure-level isolation.
- Append-only, integrity-protected audit logging on every Skill action.
- Runtime scope enforcement: trigger, tool allowlist, and memory namespace are validated before any model call.
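The query-layer tenant isolation listed above, as an added illustration that is not Praxa's code: a store that binds every read to one workspace_id, so a row id belonging to another workspace returns nothing (the table name, column names and sample rows are constructed for the demo).

```python
import sqlite3
from typing import Optional

# Constructed schema and rows for this demo; not the platform's real schema.
SCHEMA = """CREATE TABLE memory_facts (
    id INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL,  -- the tenant key carried on every row
    fact TEXT NOT NULL)"""
SAMPLE_ROWS = [
    (1, "ws_acme", "release window is Tuesday"),
    (2, "ws_acme", "on-call channel is #ops"),
    (3, "ws_globex", "payment provider is Stripe"),
]
class TenantScopeError(PermissionError):
    """Raised when a read would be issued without a workspace scope."""

class ScopedStore:
    """Query layer that binds every read to exactly one workspace_id.
    Callers never write the tenant predicate themselves; the store adds it
    to every statement, so no code path can return another tenant's rows."""

    def __init__(self, conn, workspace_id: str):
        if not workspace_id:
            raise TenantScopeError("workspace_id is required for every read")
        self._conn, self._ws = conn, workspace_id

    def list_facts(self) -> list:
        rows = self._conn.execute(
            "SELECT fact FROM memory_facts WHERE workspace_id = ? ORDER BY id",
            (self._ws,)).fetchall()
        return [r[0] for r in rows]

    def get_fact(self, fact_id: int) -> Optional[str]:
        # The tenant predicate is always ANDed in, so a guessed or leaked id
        # from another workspace yields None rather than that tenant's data.
        row = self._conn.execute(
            "SELECT fact FROM memory_facts WHERE id = ? AND workspace_id = ?",
            (fact_id, self._ws)).fetchone()
        return row[0] if row else None

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO memory_facts VALUES (?, ?, ?)", SAMPLE_ROWS)
    acme, globex = ScopedStore(conn, "ws_acme"), ScopedStore(conn, "ws_globex")
    return {"acme_facts": acme.list_facts(),
            "globex_facts": globex.list_facts(),
            "cross_tenant_read": acme.get_fact(3),  # row 3 is globex's -> None
            "own_read": globex.get_fact(3)}
```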
8. International transfers
Skill-plan data is processed in the United States (us-east-1). Enterprise customers may select a dedicated tenant region (US, EU, or AU). Where personal data is transferred across borders, the parties rely on a lawful transfer mechanism, including the Standard Contractual Clauses where applicable, which are incorporated by reference when required.
9. Audits
Praxa will make available the information reasonably necessary to demonstrate compliance with this addendum and will contribute to audits conducted by the Customer or an agreed independent auditor, subject to reasonable confidentiality and scheduling. Where available, a current third-party report (such as a SOC 2 report — on the roadmap for Q4 2026) will satisfy audit requests.
10. Breach notification
Praxa will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer's data, with the information reasonably available to support the Customer's own notification obligations.
11. Return and deletion
On termination, Praxa deletes personal data on the retention timelines in the Privacy Policy — a hard delete within 7 days of a customer-initiated erasure, and within the contracted window otherwise — except where retention is required by law. On request, Praxa confirms deletion in writing.
12. Precedence and contact
In case of conflict between this addendum and the Terms of Service on the processing of personal data, this addendum controls. A countersigned DPA executed with the Customer's MSA supersedes this published template. To execute a DPA, email legal@praxa.dev.