Skip to content

Effective Date: 2026-02-09

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the FoxNose User Agreement between Alexander Lukashov PR Beograd ("FoxNose," "Processor," "we," "us," or "our"), a registered entrepreneur in the Republic of Serbia, and the customer ("Controller," "you," or "your") who uses the FoxNose service ("Service").

This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the extent that FoxNose processes Personal Data on behalf of the Controller in the course of providing the Service.

1. Definitions

Terms used in this DPA that are defined in the GDPR shall have the same meaning as set out in the GDPR. In addition:

  • Personal Data: Any information relating to an identified or identifiable natural person that the Controller stores, uploads, or transmits through the Service.
  • Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
  • Sub-processor: Any third party engaged by FoxNose to process Personal Data on behalf of the Controller.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

FoxNose processes Personal Data solely for the purpose of providing the Service as described in the User Agreement. The nature of processing includes:

  • Storage and retrieval of content submitted by the Controller through the Service;
  • Indexing and search operations, including full-text search, structured filtering, and semantic (vector) search;
  • Generation of vector embeddings for content marked as vectorizable by the Controller;
  • Delivery of content through auto-generated APIs configured by the Controller;
  • Logging of access and modification events for audit purposes;
  • Product usage analytics for authenticated users within the application dashboard, for the purposes of improving the Service, identifying issues, and prioritizing development.

FoxNose does not determine the purposes or means of processing Personal Data stored as project content. The Controller is solely responsible for ensuring that any Personal Data submitted to the Service is processed lawfully.

3. Types of Personal Data

The types of Personal Data processed depend entirely on what the Controller stores in the Service. This may include but is not limited to:

  • Names, email addresses, and contact information;
  • User-generated content and metadata;
  • Any other categories of data the Controller chooses to store.

In addition, FoxNose processes the following data as a Controller (not as a Processor) for the purpose of providing and improving the Service:

  • Product usage data: page views, feature interactions, session duration, and navigation patterns within the application dashboard, collected via PostHog (EU-hosted) for authenticated users only.

FoxNose does not require the Controller to store Personal Data in the Service and recommends avoiding the storage of special categories of data (Article 9 GDPR) unless the Controller has ensured appropriate legal grounds and safeguards.

4. Categories of Data Subjects

Data subjects may include any individuals whose Personal Data is stored by the Controller in the Service, such as the Controller's customers, employees, users, or other individuals.

5. Obligations of the Processor

FoxNose shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EU/EEA, unless required to do so by applicable law;
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments;
  • Assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, and objection);
  • Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities;
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage;
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits and inspections.

6. Obligations of the Controller

The Controller shall:

  • Ensure that there is a lawful basis for the processing of Personal Data submitted to the Service;
  • Provide documented instructions to FoxNose regarding the processing of Personal Data;
  • Be responsible for the accuracy, quality, and legality of Personal Data stored in the Service;
  • Inform data subjects about the processing of their data through the Service, as required by GDPR.

7. Sub-processors

The Controller provides general authorization for FoxNose to engage Sub-processors to assist in providing the Service. FoxNose maintains a current list of Sub-processors at foxnose.net/sub-processors.

FoxNose shall:

  • Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA;
  • Remain fully liable to the Controller for the performance of each Sub-processor's obligations;
  • Notify the Controller of any intended changes to the list of Sub-processors, giving the Controller the opportunity to object. Notification will be provided by updating the Sub-processor list page. The Controller is responsible for reviewing this page periodically.

8. International Data Transfers

FoxNose stores core platform data (organization metadata, user accounts, system backups) in the European Union. Project data is stored in the data region selected by the Controller at project creation.

If a transfer of Personal Data to a country outside the EU/EEA is necessary for the provision of the Service, FoxNose shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission, or that the transfer is to a country with an adequate level of data protection as determined by the European Commission.

9. Security Measures

FoxNose implements and maintains appropriate technical and organizational security measures, including:

  • Encryption of data in transit (TLS) and at rest;
  • Access controls and authentication mechanisms;
  • Isolated environments with independent data stores and API keys;
  • Audit logging of all data access and modification events;
  • DDoS protection at the infrastructure level;
  • Regular security reviews and vulnerability assessments.

10. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, FoxNose shall:

  • Notify the Controller without undue delay and in any event within 72 hours after becoming aware of the breach;
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the relevant supervisory authority and to notify affected data subjects, as applicable;
  • Take reasonable steps to contain, investigate, and mitigate the effects of the breach.

11. Data Subject Requests

If FoxNose receives a request from a data subject regarding Personal Data processed on behalf of the Controller, FoxNose shall promptly notify the Controller and shall not respond to the request directly unless authorized by the Controller or required by applicable law.

The Controller may use the Management API or Dashboard to fulfill data subject requests (access, rectification, erasure, portability) for project data directly.

12. Audit Rights

FoxNose shall make available to the Controller information necessary to demonstrate compliance with the obligations under this DPA. The Controller may conduct an audit of FoxNose's data processing activities, subject to reasonable notice and during normal business hours. The Controller may also appoint a qualified third-party auditor to conduct the audit on its behalf, provided that such auditor is bound by confidentiality obligations.

13. Data Deletion and Return

Upon termination of the Service or upon the Controller's request, FoxNose shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format via the Management API; or
  • Delete all Personal Data, including all existing copies, unless applicable law requires retention.

After account termination, Personal Data will be retained for 30 days before deletion, as specified in the User Agreement, to allow the Controller to retrieve their data.

14. Term and Termination

This DPA shall remain in effect for the duration of FoxNose's processing of Personal Data on behalf of the Controller. It shall automatically terminate when FoxNose ceases to process Personal Data on behalf of the Controller.

The obligations of FoxNose regarding confidentiality and data security shall survive the termination of this DPA.

15. Governing Law

This DPA is governed by the laws of the Republic of Serbia. For matters related to GDPR compliance, the provisions of the GDPR shall take precedence over any conflicting provisions of this DPA or applicable national law.

16. Contact

For any questions regarding this DPA or data protection matters, please contact us at:
Alexander Lukashov PR Beograd
Email: support@foxnose.net

By using the Service, you acknowledge that this DPA applies to FoxNose's processing of Personal Data on your behalf and forms an integral part of the User Agreement.