Data Processing Agreement
1. Introduction
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between you (“Customer”) and Qaxa Labs s. r. o. (“Qaxa,” “we,” or “us”).
It applies when Qaxa processes personal data on your behalf in connection with your use of the Qaxa collaboration platform.
By using Qaxa to process personal data of others (for example, within shared encrypted spaces), you agree to this Agreement.
This Agreement applies only where Qaxa processes personal data on your behalf as a processor under Article 28 of the GDPR.
2. Roles and Responsibilities
Customer acts as the data controller for all personal data entered or uploaded into Qaxa workspaces. The Customer is responsible for ensuring that personal data is collected and processed lawfully, and for providing any required notices to data subjects.
Qaxa Labs s. r. o. acts as the data processor for such data, processing it only under the Customer’s instructions.
For account, billing, and service administration data, Qaxa acts as a data controller (as described in our Privacy Policy).
Both parties shall comply with their respective obligations under applicable data-protection laws.
3. Subject Matter and Duration
The subject matter of processing is the provision of the Qaxa collaboration platform.
Processing continues for as long as the Customer account is active.
Upon termination, data is deleted or anonymized in accordance with Section 7 of our Privacy Policy.
4. Nature and Purpose of Processing
Qaxa processes workspace data only to provide, secure, and maintain the service — including storage, synchronization, and encrypted communication between authorized users.
Processing includes temporary storage, encrypted transmission, and limited metadata (such as user identifiers, timestamps, and encryption key hashes) necessary for service operation.
We never access, read, or use workspace content for any other purpose.
5. Data Types and Data Subjects
Data types: spaces, messages, notes, files, tasks, and any personal data voluntarily entered by users.
Data subjects: workspace members and any individuals whose data may appear within workspace content.
All workspace content is end-to-end encrypted, and only the Customer and invited members hold the encryption keys.
6. Security and Confidentiality
Qaxa implements appropriate technical and organizational measures to protect personal data, including:
- End-to-end encryption of all workspace content
- Encrypted transport (TLS 1.2+ for all traffic)
- Logical separation of encrypted content and account data
- Strict internal access controls and security logging
- Hosting on DigitalOcean infrastructure within the European Union (Droplets for application servers and Spaces Object Storage for encrypted file storage)
- Network security and DDoS protection provided by Cloudflare, used only for traffic routing and threat mitigation on qaxa.com
Any personnel with potential access to unencrypted data (limited to account or billing information) are bound by confidentiality and undergo regular security training.
7. Sub-Processors
Qaxa minimizes third-party dependencies.
Current sub-processors include:
- DigitalOcean, LLC – Infrastructure and object storage provider (EU data centers)
- Cloudflare, Inc. – Content delivery network and security services for qaxa.com
- Stripe Payments Europe, Limited – Payment processing located in Ireland / EU
- BTCPay Server (self-hosted) – Bitcoin payment processing located in the EU (Qaxa infrastructure)
DigitalOcean and Cloudflare act as data processors under Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework, ensuring GDPR-level protection.
No other third-party service providers have access to workspace content.
Qaxa will notify Customers in advance (via email or dashboard notice) of any intended changes to sub-processors.
Customers may object in writing to a new sub-processor on reasonable grounds relating to data protection within 30 days of notification.
8. International Transfers
Qaxa does not transfer workspace data outside the European Union.
If future transfers become necessary, they will comply with Chapter V of the GDPR, using appropriate safeguards such as Standard Contractual Clauses.
9. Assistance and Cooperation
Qaxa assists Customers in fulfilling their GDPR obligations, including responding to data subject requests and incident notifications, to the extent technically feasible given Qaxa’s zero-knowledge architecture.
Given Qaxa’s zero-knowledge design, assistance may be limited to metadata or account-level information.
10. Audit Rights
Upon reasonable written request, Qaxa will provide documentation necessary to demonstrate compliance with this Agreement.
Because workspace data is end-to-end encrypted, direct audits of encrypted environments are not technically meaningful or permitted; however, Qaxa may satisfy audit obligations by providing independent third-party audit reports (e.g., ISO 27001, SOC 2) or equivalent documentation.
11. Data Breach Notification
In the event of a confirmed personal-data breach affecting Customer data, Qaxa will notify the Customer without undue delay, including relevant facts and mitigation measures.
12. Termination and Deletion
Upon termination of the Customer account, all encrypted workspace data is permanently deleted, and any related account or billing data is anonymized or erased in accordance with our retention policy.
Deletion occurs within 30 days of termination unless otherwise required by law.
13. Governing Law
This Agreement is governed by the laws of the Czech Republic and the applicable provisions of the EU General Data Protection Regulation (GDPR).
14. Contact
Qaxa Labs s. r. o.
Křižíkova 213/44
186 00 Prague 8 – Karlín
Czech Republic
[email protected]