Legal

Data Processing Agreement (DPA)

Last Updated: 12 March 2026

This document describes VEXORS' data processing obligations. A countersigned DPA is available for Scale tier customers on request. This page does not constitute a binding agreement: contact us to execute a formal DPA.

This Data Processing Agreement describes how VEXORS FZC (“VEXORS”, “Processor”) processes personal data on behalf of customers (“Controller”) in the course of providing the VEXORS platform. It is supplemental to the Terms of Service and Privacy Policy.

Need a countersigned DPA?

A fully executed DPA is available for Scale tier customers. Contact us and we will provide a countersigned copy within 5 business days.

Request DPA

Roles

  • Data Controller: The customer (the business entity that has subscribed to VEXORS). The Controller determines the purposes and means of processing personal data uploaded to or generated on the platform.
  • Data Processor: VEXORS FZC. VEXORS processes personal data solely on the Controller's instructions and for the purpose of providing the VEXORS platform.

Data Processed

VEXORS processes the following categories of personal data on behalf of the Controller:

  • User account data: name, email address, job title, hashed password
  • Company profile data: company name, country, registration number, business categories
  • Platform activity: requests, bids, messages, catalog items, timestamps of actions
  • Technical data: IP address, device identifiers, session tokens (for authentication)

VEXORS does not process sensitive personal data (special categories under GDPR Article 9) except where the Controller uploads such data as part of procurement documents.

Processing Purposes

VEXORS processes personal data solely to:

  • Provide and operate the VEXORS platform and its features
  • Communicate service notifications, support responses, and security alerts
  • Monitor platform performance and detect errors (using anonymised or aggregated data)
  • Comply with legal obligations

VEXORS will not process personal data for its own commercial purposes, will not sell personal data, and will not use personal data for advertising.

Security Measures

VEXORS implements the following technical and organisational measures to protect personal data:

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit; HSTS enforced
  • Role-based access control (RBAC) and PostgreSQL Row-Level Security for tenant isolation
  • Multi-factor authentication (MFA) for all admin accounts; available for all users
  • AWS Secrets Manager with automatic credential rotation
  • Immutable audit logging with actor, timestamp, and context
  • Dependabot and CI pipeline blocking on HIGH/CRITICAL CVEs

Full details of our security posture are available on our Security & Trust page.

Sub-Processors

VEXORS uses the following sub-processors to provide the platform. Each has been reviewed for data protection compliance:

Sub-ProcessorLocationPurpose
Amazon Web Services (AWS)United States (us-east-1 primary)Cloud infrastructure, database hosting, object storage, email delivery (SES)
StripeUnited StatesPayment processing. No personal data beyond billing contact details is shared.
AnthropicUnited StatesAI bid evaluation and scoring. Only anonymised bid content is processed: no personal identifiers.
Sentry.ioUnited StatesError monitoring and performance tracking. Personal identifiers are scrubbed before transmission.

VEXORS will notify Controllers of any material changes to the sub-processor list with reasonable advance notice.

Data Subject Rights Assistance

VEXORS will assist the Controller in responding to Data Subject requests (access, correction, deletion, portability, restriction, and objection) by:

  • Providing data export functionality in the platform (Settings → Account)
  • Processing verified deletion requests within 30 days
  • Supporting portability via JSON data export
  • Responding to Controller instructions within reasonable timeframes

The Controller is responsible for handling Data Subject requests in the first instance. VEXORS will provide technical assistance where required.

Cross-Border Data Transfers

Personal data is processed primarily on AWS infrastructure in the United States (us-east-1). Transfers of personal data from the European Economic Area (EEA) to the United States are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission (2021/914).

EU region hosting (AWS eu-west-1) is planned for a future infrastructure phase. Enterprise customers with contractual data residency requirements should contact us to discuss arrangements.

Breach Notification

In the event of a personal data breach, VEXORS will:

  • Notify the Controller without undue delay upon becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
  • Cooperate with the Controller to enable the Controller to meet any notification obligations to supervisory authorities or Data Subjects

Data Retention & Deletion on Termination

Upon termination of the subscription, VEXORS will:

  • Retain personal data for the period specified in the Privacy Policy (Explore: 90 days after account closure; Grow: 1 year; Scale: by agreement)
  • Delete or anonymise personal data after the retention period expires, unless retention is required by applicable law
  • Provide a data export on request prior to deletion

Scale tier customers may request an expedited deletion or a longer contractual retention period by contacting privacy@vexors.com.

Contact

DPA requests, data protection enquiries:

privacy@vexors.com

VEXORS FZC · Business Centre, Sharjah Publishing City Free Zone, Sharjah, United Arab Emirates

Privacy PolicySecurity & TrustTerms of ServiceContact Us