Data Processing Agreement
How RGX Systems processes, stores, and protects your data — in plain language and legal terms.
Effective Date: January 1, 2025 · Version 1.0
1. Overview
This Data Processing Agreement ("DPA") is entered into between RGX Systems ("Processor") and the customer entity that has agreed to the Terms of Service ("Controller"). This DPA describes how RGX Systems processes personal data on your behalf.
This DPA is incorporated into and forms part of the RGX Systems Terms of Service. By using RGX Systems, you agree to the terms of this DPA.
2. Definitions
- Controller — the entity that determines the purposes and means of processing personal data (you, the customer).
- Processor — the entity that processes personal data on behalf of the Controller (RGX Systems).
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data, including collection, storage, use, or deletion.
- Sub-processor — a third party engaged by RGX Systems to process personal data.
- Data Subject — the individual to whom personal data relates.
3. Data We Process
3.1 Categories of Personal Data
In the course of providing the RGX Systems service, we may process the following categories of personal data:
- Account information (name, email address, company name)
- Email content and metadata (when email integration is enabled)
- Calendar events and meeting information (when calendar integration is enabled)
- CRM data (contacts, deals, notes — when CRM integration is enabled)
- File and document content (when storage integration is enabled)
- Chat and conversation history with the AI assistant
- Usage analytics and audit log data
- Authentication data (hashed passwords, MFA secrets, session tokens)
- Technical data (IP addresses, browser/device information)
3.2 Purpose of Processing
All personal data is processed solely for the purpose of providing the RGX Systems AI assistant service, including:
- Delivering AI-generated briefings, task management, and workflow automation
- Authenticating users and maintaining session security
- Generating analytics and usage reports for your workspace
- Maintaining audit logs for compliance and security purposes
4. Our Obligations as Processor
RGX Systems commits to the following as your data processor:
- Process personal data only on your documented instructions
- Ensure that authorized personnel are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in fulfilling data subject rights (access, correction, deletion, portability)
- Delete or return all personal data upon termination of the service
- Provide all information necessary to demonstrate compliance with this DPA
- Never sell, rent, or monetize your data or your customers' data
- Never use your data to train AI models
5. Security Measures
We implement the following technical and organizational measures to protect your data:
- Encryption at rest: AES-256-GCM encryption for all credentials and sensitive tokens
- Encryption in transit: TLS 1.2+ for all data transmissions
- Access controls: Role-based access (admin, member, viewer), multi-factor authentication
- Tenant isolation: Complete data segregation between customer accounts
- Audit logging: All security and data access events are logged
- Session management: Cryptographically secure session tokens with automatic expiration
- Brute force protection: Rate limiting and account lockout on failed authentication
- Password security: Bcrypt hashing with 12 rounds for all stored passwords
For a detailed description of our security practices, see our Security page.
6. Sub-processors
RGX Systems uses the following sub-processors to provide the service:
- Anthropic (Claude API) — AI language model processing. Data is processed under Anthropic's API terms, which prohibit training on API inputs by default.
- Render / Cloud Infrastructure — Hosting and infrastructure provider.
- PostgreSQL (Neon/Supabase) — Database storage.
- Stripe — Payment processing (billing data only, no AI-processed data).
We will notify you at least 30 days before adding any new sub-processor that processes personal data. You may object to new sub-processors within 14 days of notice.
7. Data Subject Rights
We will assist you in responding to data subject requests. You can exercise the following rights directly through the RGX Systems dashboard:
- Right to Access: Export all your data via Settings → Data & Privacy → Export Data
- Right to Deletion: Delete your account and all associated data via Settings → Delete Account
- Right to Portability: Your exported data is provided in machine-readable JSON format
- Right to Correction: Update your account information via the Settings page
For data subjects whose data is processed through your use of RGX Systems, contact us at privacy@rgxsystems.com and we will respond within 30 days.
8. Data Retention
- Active account data is retained for the duration of your subscription
- Audit logs are retained for 12 months
- Upon account deletion, all personal data is permanently deleted within 30 days
- Backups containing your data are destroyed within 90 days of account deletion
- Some data may be retained longer where required by law
9. International Data Transfers
RGX Systems is based in the United States. If you are located in the European Economic Area (EEA) or the United Kingdom, your data may be transferred to and processed in the United States.
Where required, such transfers are conducted under:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- The UK International Data Transfer Agreement (IDTA)
Contact us at privacy@rgxsystems.com to request Standard Contractual Clauses.
10. Breach Notification
In the event of a personal data breach, RGX Systems will:
- Notify you without undue delay and no later than 72 hours after becoming aware of the breach
- Provide a description of the nature of the breach, categories and approximate number of data subjects affected
- Provide contact details for our data protection point of contact
- Describe likely consequences of the breach and measures taken to address it
11. Audit Rights
On reasonable written notice (minimum 30 days), RGX Systems will provide information reasonably necessary to demonstrate compliance with this DPA. Enterprise customers may request a third-party security audit; we will cooperate reasonably with such audits at the customer's cost.
12. Termination
Upon termination of the Terms of Service:
- You may export your data before termination using the in-app export feature
- RGX Systems will delete all personal data within 30 days of termination
- RGX Systems will provide written confirmation of deletion upon request
13. Contact
For data privacy questions, DPA inquiries, or to exercise data subject rights:
We aim to respond to all privacy-related requests within 5 business days.