Data Processing Agreement (DPA)
Last Updated: 16 June 2026
This page sets out the data processing terms that apply to all VEXORS customers and forms part of your agreement with us. If your organisation requires a separately signed copy, contact us and we will arrange one.
This Data Processing Agreement describes how VEXORS FZC (“VEXORS”, “Processor”) processes personal data on behalf of customers (“Controller”) in the course of providing the VEXORS platform. It is supplemental to the Terms of Service and Privacy Policy.
Need a signed copy?
These terms apply to all VEXORS customers as part of your agreement. If your organisation requires a separately signed DPA, contact us and we will arrange one.
Roles
- Data Controller: The customer (the business entity that has subscribed to VEXORS). The Controller determines the purposes and means of processing personal data uploaded to or generated on the platform.
- Data Processor: VEXORS FZC. VEXORS processes personal data solely on the Controller's instructions and for the purpose of providing the VEXORS platform.
Data Processed
VEXORS processes the following categories of personal data on behalf of the Controller:
- User account data: name, email address, job title, hashed password
- Company profile data: company name, country, registration number, business categories
- Platform activity: requests, bids, messages, catalog items, timestamps of actions
- Technical data: IP address, device identifiers, session tokens (for authentication)
VEXORS does not process sensitive personal data (special categories under GDPR Article 9) except where the Controller uploads such data as part of procurement documents.
Processing Purposes
VEXORS processes personal data solely to:
- Provide and operate the VEXORS platform and its features
- Communicate service notifications, support responses, and security alerts
- Monitor platform performance and detect errors (using anonymised or aggregated data)
- Comply with legal obligations
VEXORS will not process personal data for its own commercial purposes, will not sell personal data, and will not use personal data for advertising.
Security Measures
VEXORS implements the following technical and organisational measures to protect personal data:
- Encryption of data in transit and at rest using industry-standard protocols
- Role-based access control and strict separation between organisations at the database layer
- Multi-factor authentication available on every account
- Append-only audit logging with actor, timestamp, and context
- Continuous monitoring and established secure-development practices, including the OWASP and ISO 27001 guidelines
Full details of our security posture are available on our Security & Trust page. We make reasonable information available to demonstrate compliance with these terms on request.
Sub-Processors
VEXORS uses the following sub-processors to provide the platform. Each has been reviewed for data protection compliance:
| Sub-Processor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database hosting, object storage, and email delivery |
| MongoDB Atlas | Managed database hosting |
| Stripe | Payment processing. No personal data beyond billing contact details is shared. |
| Anthropic | AI bid evaluation and scoring |
| OpenAI | Text embeddings for semantic supplier and catalog matching |
VEXORS will notify Controllers of any material changes to the sub-processor list with reasonable advance notice.
Data Subject Rights Assistance
VEXORS will assist the Controller in responding to Data Subject requests (access, correction, deletion, portability, restriction, and objection) by:
- Providing a copy of a data subject's personal data on request
- Processing verified deletion requests within 30 days, except for records we must retain for other parties or to meet legal obligations, which are retained or anonymised
- Supporting portability by providing personal data in a machine-readable format on request
- Responding to Controller instructions within reasonable timeframes
The Controller is responsible for handling Data Subject requests in the first instance. VEXORS will provide technical assistance where required.
Cross-Border Data Transfers
The VEXORS platform is available to customers anywhere, and these data processing terms apply regardless of where the Controller is located. Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the transfer is protected by appropriate safeguards such as Standard Contractual Clauses.
Breach Notification
In the event of a personal data breach, VEXORS will:
- Notify the Controller without undue delay upon becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
- Cooperate with the Controller to enable the Controller to meet any notification obligations to supervisory authorities or Data Subjects
Data Retention & Deletion on Termination
Upon termination of the subscription, VEXORS will:
- Retain personal data for the period specified in the Privacy Policy (Explore: 90 days after account closure; Grow: 1 year; Scale: by agreement)
- Delete or anonymise personal data after the retention period expires, unless retention is required by applicable law
- Provide a data export on request prior to deletion
You may request an earlier deletion or discuss a longer contractual retention period by contacting support@vexors.com.
Contact
DPA requests, data protection enquiries:
support@vexors.comVEXORS FZC · Business Centre, Sharjah Publishing City Free Zone, Sharjah, United Arab Emirates