Data Processing Agreement
How RGX Systems processes, stores, and protects VAR operator data — in plain language and legal terms.
Effective Date: May 20, 2026 · Version 2.0
1. Overview
This Data Processing Agreement ("DPA") is entered into between RGX Systems ("Processor") and the approved VAR operator entity that has agreed to the Terms of Service ("Controller"). This DPA describes how RGX Systems processes data on your behalf as a wholesale infrastructure provider.
This DPA is incorporated into and forms part of the RGX Systems Terms of Service. By activating VAR node access, you agree to the terms of this DPA.
Important: This DPA governs data RGX Systems processes about VAR operators and their API usage. VARs are independently responsible for their own data processing obligations toward their end clients — RGX Systems has no direct data relationship with VAR end clients.
2. Definitions
- Controller — the VAR operator entity that determines the purposes and means of processing (you).
- Processor — the entity that processes data on behalf of the Controller (RGX Systems).
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data, including collection, storage, use, or deletion.
- Sub-processor — a third party engaged by RGX Systems to process personal data.
- VAR Node — the provisioned infrastructure node assigned to your account, identified by your Master API Key.
- API Usage Data — metadata logged per API request: endpoint, timestamp, payload size, token counts, status code, and source IP.
3. Data We Process
3.1 Categories of Data
In the course of providing VAR infrastructure access, we process the following categories of data:
- VAR operator account information (company name, contact name, business email)
- API usage metadata per request (see Section 2 — API Usage Data)
- Monthly billing aggregates (total requests, messages, active seats, seat charges, estimated invoice)
- API key metadata (key prefix, creation date, last-used timestamp, status)
- Technical data (source IP addresses of API callers, processing times)
- Authentication data (SHA-256 hash of Master API Key — plaintext is never stored)
We do not persistently store the content of API payloads (message text, contact data, or other business content you transmit). Payload content is processed in memory to fulfill the API request and is not written to our database unless explicitly included in metadata fields you pass.
3.2 Purpose of Processing
All data is processed solely for the purpose of providing VAR infrastructure services, including:
- Authenticating API requests by verifying your key hash
- Tracking usage for accurate monthly billing (base fee + per-seat charges)
- Generating usage summaries accessible via the /usage endpoint
- Detecting misuse, abuse, or security incidents on your node
- Maintaining audit logs for compliance and security purposes
4. Our Obligations as Processor
RGX Systems commits to the following as your data processor:
- Process data only on your documented instructions and as necessary to provide the Service
- Ensure that authorized personnel are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in fulfilling data subject rights (access, correction, deletion, portability) for any personal data we hold about your authorized contacts
- Delete or return all personal data upon termination of the service, on written request
- Provide all information necessary to demonstrate compliance with this DPA
- Never sell, rent, or monetize your data
- Never use payload data for model training or third-party profiling
5. Security Measures
We implement the following technical and organizational measures to protect your data:
- API key security: Master API Keys are SHA-256 hashed — we store only the hash, never the plaintext key
- Encryption at rest: AES-256-GCM encryption for sensitive configuration data and credentials
- Encryption in transit: TLS 1.2+ for all data transmissions
- Node isolation: Complete data segregation between VAR nodes — no cross-node data access is possible
- Access controls: Production system access restricted to authorized RGX Systems personnel only
- Audit logging: All API authentication events and security-relevant actions are logged
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks
For a full description of our security practices, see our Security page.
6. Sub-processors
RGX Systems uses the following sub-processors to provide the infrastructure service:
- Processing Pipeline Provider — Automated text processing for /process endpoint requests where process_with_ai: true. Data is processed under a data processing agreement that prohibits use of submitted data for model training.
- Render — Cloud hosting and infrastructure provider (SOC 2 Type II certified).
- Neon / PostgreSQL — Database storage for usage events and billing aggregates.
- Stripe — Payment processing for monthly invoicing (billing data only).
We will notify you at least 30 days before adding any new sub-processor that processes personal data. You may object to new sub-processors within 14 days of notice.
7. Data Subject Rights
For personal data we hold about authorized VAR operator contacts, you may exercise the following rights by contacting us:
- Right to Access: Request a copy of all data we hold about your VAR node and account — email privacy@rgxsystems.com
- Right to Deletion: Request deletion of your account data upon node termination
- Right to Portability: Request your usage and billing data in machine-readable JSON format via the /usage endpoint or by contacting us
- Right to Correction: Contact us to correct inaccurate account information
We will respond to all data subject requests within 30 days. For urgent matters, email privacy@rgxsystems.com with subject line "Data Subject Request."
8. Data Retention
- VAR account data is retained for the duration of your active node access
- API usage event logs are retained for 12 months for billing and audit purposes, then purged
- Monthly billing aggregates are retained for 7 years as required by applicable financial regulations
- Upon node termination, all personal data is permanently deleted within 30 days of written request
- RGX Systems will provide written confirmation of deletion upon request
9. International Data Transfers
RGX Systems is based in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your data may be transferred to and processed in the United States.
Where required, such transfers are conducted under:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- The UK International Data Transfer Agreement (IDTA)
Contact us at privacy@rgxsystems.com to request Standard Contractual Clauses.
10. Breach Notification
In the event of a personal data breach affecting VAR operator data, RGX Systems will:
- Notify you without undue delay and no later than 72 hours after becoming aware of the breach
- Provide a description of the nature of the breach, categories and approximate number of data subjects affected
- Provide contact details for our data protection point of contact
- Describe likely consequences of the breach and measures taken to address it
11. Audit Rights
On reasonable written notice (minimum 30 days), RGX Systems will provide information reasonably necessary to demonstrate compliance with this DPA. Enterprise VAR operators may request a third-party security audit; we will cooperate reasonably with such audits at the operator's cost.
12. Termination
Upon termination of your VAR node access:
- Your Master API Key is revoked immediately — all subsequent API requests will be rejected
- You may request a data export before or within 30 days of termination
- RGX Systems will delete all personal data within 30 days of written termination request
- Billing aggregates required by law will be retained per Section 8
- RGX Systems will provide written confirmation of deletion upon request
13. Contact
For data privacy questions, DPA inquiries, or to exercise data subject rights:
We aim to respond to all privacy-related requests within 5 business days.