Data Processing Agreement
Last updated: April 13, 2026
This Data Processing Agreement (“DPA”) supplements the Terms of Service between the Customer (“Controller”) and Foxtcon One LLC, a Missouri limited liability company (“Processor” or “FoxtInn”). This DPA governs the processing of personal data by FoxtInn on behalf of Customer.
1. Definitions
“Personal data,” “processing,” “data controller,” “data processor,” and “data subject” have the meanings under applicable Data Protection Laws. “Data Protection Laws” means GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, PIPEDA, and other applicable privacy legislation.
2. Scope and Roles
2.1 Controller-Processor Relationship
Customer is the data controller. FoxtInn is the data processor, processing personal data on Customer’s behalf per documented instructions. Where FoxtInn determines purposes and means of processing (e.g., billing, security), FoxtInn acts as an independent controller per its Privacy Policy.
2.2 Subject Matter and Duration
Processing covers personal data submitted by Customer and Authorized Users, including staff data and Guest Data. Processing continues for the Agreement duration plus any post-termination retention period.
3. Categories of Data and Data Subjects
| Data Subject Category | Types of Personal Data |
|---|---|
| Customer Employees/Staff | Name, email, phone, role, department, profile photo, schedule, time clock entries, device info, chat messages |
| Guests/Visitors/Patrons | Name, contact info, room/table number, service requests, feedback, complaints, language preference |
| Account Owners/Admins | Name, email, phone, billing address, payment metadata, login activity, financial data inputs |
4. Customer Instructions
FoxtInn shall process personal data only on documented instructions from Customer, unless required by law. The Agreement (including this DPA) constitutes complete instructions. Additional instructions require mutual agreement and may incur fees.
5. Security Measures
FoxtInn implements appropriate technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS)
- Role-based access controls with least-privilege defaults
- Multi-factor authentication for administrative access
- Network segmentation isolating customer workloads
- 24/7 monitoring, anomaly detection, and audit logging (min. 180-day retention)
- Regular third-party penetration testing
- Documented incident response procedures
- Background checks for personnel with access to customer data
- Annual security awareness training
6. Subprocessors
6.1 Authorized Subprocessors
Customer provides general authorization to engage subprocessors. Current list:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, hosting, storage, compute | United States |
| Stripe | Payment processing (PCI Level 1) | United States |
| OpenAI / Anthropic | AI infrastructure for LALA Virtual GM | United States |
| Google LLC | Analytics (GA4), advertising measurement | United States |
| Microsoft | Analytics (Clarity), email services | United States |
| Firebase (Google) | Push notifications (FCM) | United States |
6.2 Subprocessor Changes
FoxtInn will notify Customer at least 30 days before engaging a new subprocessor. Customer may object within 15 days with documented basis. If unresolved, Customer may terminate without penalty.
6.3 Subprocessor Obligations
FoxtInn enters written agreements with each subprocessor imposing equivalent data protection obligations. FoxtInn remains fully liable for subprocessor acts and omissions.
7. Data Subject Rights
FoxtInn shall promptly notify Customer of data subject requests and assist in fulfilling them. FoxtInn will not independently respond unless authorized by Customer or required by law.
8. Data Breach Notification
FoxtInn shall notify Customer within 72 hours of becoming aware of a personal data breach, including:
- Nature of the breach, categories/numbers of data subjects affected
- Contact information for FoxtInn’s point of contact
- Likely consequences and mitigation measures taken or proposed
9. Data Retention and Deletion
Upon Agreement termination, FoxtInn shall:
- Provide 30 days for Customer to export data (CSV, JSON, PDF)
- Delete from production within 30 days after the export window
- Purge backups within 90 days of production deletion
- Provide written certification of deletion upon request
Data may be retained if required by applicable law, with continued DPA protections.
10. International Data Transfers
FoxtInn stores Customer data in the United States (AWS US regions). For international transfers, the following mechanisms apply:
10.1 European Economic Area (GDPR)
- EU SCCs: Standard Contractual Clauses (Commission Decision 2021/914), Module Two (Controller to Processor), incorporated by reference.
- Transfer Impact Assessment: Conducted and documented, confirming adequate protection with supplementary technical and organizational measures.
- Supplementary measures: Encryption in transit (TLS 1.2+) and at rest (AES-256), pseudonymization, strict access controls, and data minimization.
10.2 United Kingdom (UK GDPR)
- UK IDTA: UK International Data Transfer Agreement incorporated for UK-to-US transfers, as approved by the ICO.
- UK Addendum: Where SCCs are used, the UK Addendum to the EU SCCs is incorporated per ICO guidance.
10.3 Switzerland (nFADP)
- Swiss SCCs: EU SCCs apply with Swiss Federal Act on Data Protection (nFADP) modifications as recognized by the FDPIC.
10.4 Brazil (LGPD)
- Contractual safeguards: LGPD-adapted Standard Contractual Clauses ensuring adequate data protection for transfers to the United States.
- ANPD guidance: FoxtInn monitors ANPD adequacy determinations and updates transfer mechanisms as required.
10.5 CCPA/CPRA (California)
- Service Provider designation: FoxtInn acts as a “Service Provider” (as defined in CCPA §1798.140(ag)) when processing personal information on behalf of Customers. FoxtInn does not sell, share, or use personal information for any purpose other than performing the services specified in the Agreement.
- Certification: FoxtInn certifies it understands and will comply with the restrictions in CCPA §1798.140(ag)(1)(A)–(B).
10.6 Canada (PIPEDA & Quebec Law 25)
- Contractual protections: Comparable level of protection maintained through this DPA and supplementary security measures.
- Privacy Impact Assessment: Available for Quebec Law 25 requirements on request.
10.7 Asia-Pacific
- APEC CBPR: FoxtInn supports the APEC Cross-Border Privacy Rules framework for transfers involving APEC member economies (Japan, Singapore, South Korea, Australia, and others).
- Japan (APPI): Transfers comply with PPC guidance and APEC CBPR certification requirements. Separate consent obtained where required for cross-border transfer.
- South Korea (PIPA): Contractual safeguards equivalent to SCCs in place; data subject consent obtained where required.
- Singapore (PDPA): Contractual obligations ensuring comparable standard of protection per PDPA Transfer Limitation Obligation.
- India (DPDP Act): Transfers permitted unless destination country is on the Government of India’s restricted list. FoxtInn monitors the notification of restricted countries and will cease transfers as required.
- Australia (APPs): Reasonable steps taken to ensure US recipients comply with Australian Privacy Principles per APP 8.
10.8 Middle East & Africa
- UAE (PDPL): Transfers comply with UAE Data Office adequacy determinations or appropriate contractual safeguards.
- Saudi Arabia (PDPL): Contractual safeguards and risk assessment conducted for transfers to the United States.
- South Africa (POPIA): Transfers made under binding agreement ensuring adequate protection per Section 72 of POPIA.
- Turkey (KVKK): Transfers to the United States with adequate contractual safeguards and notification to the Turkish DPA where required.
For complete jurisdiction-specific details, see our International Privacy Rights page.
11. Audits
Customer (or authorized third-party auditor) may conduct one audit per year with 30 days’ written notice, during business hours, under confidentiality obligations. FoxtInn may satisfy audit requirements by providing SOC 2 Type II reports, penetration test results, or security questionnaire responses.
12. Data Protection Impact Assessments
FoxtInn shall provide reasonable assistance for DPIAs and prior consultations with supervisory authorities (GDPR Articles 35–36).
13. General
- Precedence: This DPA prevails over the Agreement for personal data processing conflicts.
- Governing Law: State of Missouri (US); EU/UK data protection provisions governed by respective applicable law.
- Amendments: By mutual written agreement or as required by Data Protection Law changes, with 30 days’ notice.
14. Contact
Privacy & DPA: privacy@foxtcon.com
Data Protection Officer: dpo@foxtcon.com
Security: security@foxtcon.com