Data Processing Agreement
Last updated: March 2026
1. Scope and Applicability
This Data Processing Agreement (“DPA”) applies to the processing of personal data by Fexyn (“Processor”) on behalf of the subscribing organization (“Controller”) under a Fexyn VPN Teams or Enterprise plan. This DPA supplements and is incorporated into the Teams Terms of Service.
2. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person as defined by applicable data protection laws including GDPR, CCPA, and equivalent legislation.
3. Data Processing Details
Fexyn processes the following categories of personal data solely to provide the VPN service:
- Account identifiers (email address, display name)
- Device metadata (device name, platform, app version)
- Connection metadata (timestamps, protocol used, bytes transferred)
- Authentication tokens (short-lived, non-reversible)
Fexyn does not process, store, or log VPN traffic content, browsing history, or DNS queries.
4. Controller Obligations
The Controller is responsible for ensuring it has a lawful basis for processing its users’ personal data and for providing appropriate privacy notices to its end users.
5. Processor Obligations
Fexyn shall process personal data only on documented instructions from the Controller, implement appropriate technical and organizational security measures, and assist the Controller in responding to data subject access requests.
Breach Notification (GDPR Art. 33)
In the event of a personal data breach, Fexyn shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- The nature of the personal data breach, including where possible the categories and approximate number of data subjects and records concerned
- The name and contact details of Fexyn’s data protection point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
Fexyn shall document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, and shall make this documentation available to the Controller upon request.
6. Sub-Processors
Fexyn may engage sub-processors to assist in providing the service. The Controller will be notified of any changes to sub-processors with a 30-day advance notice period.
Authorized Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner Online GmbH | Server infrastructure | Connection metadata (transit only) | Germany, Finland |
| Contabo GmbH | Web application hosting, VPN server infrastructure | Account data, connection metadata (transit only) | Germany |
| MVPS.net | VPN server infrastructure | Connection metadata (transit only) | Cyprus |
| Stripe, Inc. | Payment processing | Name, email, payment details | USA (EU data available) |
| Resend, Inc. | Transactional email | Email address, name | USA |
| Keycloak | Authentication | Email, credentials | Self-hosted (Fexyn infrastructure) |
| Cloudflare, Inc. | CDN, DDoS protection, and DNS proxy | IP address, request metadata (transit only) | United States (EU-US Data Privacy Framework) |
| HashiCorp Vault (planned) | Secret management & PKI | Public keys only | Self-hosted (Fexyn infrastructure) — not yet deployed |
7. International Data Transfers
Where personal data is transferred outside the European Economic Area, Fexyn ensures adequate safeguards are in place through Standard Contractual Clauses or equivalent mechanisms approved by the relevant supervisory authority.
8. Data Retention and Deletion
Upon termination of this Agreement, and at the Controller's written direction within thirty (30) days, the Processor shall either: (a) return all Personal Data to the Controller in a commonly used, machine-readable format (JSON or CSV) via the data export API, and subsequently delete all copies; or (b) delete all Personal Data and provide written certification of deletion. If no written instruction is received within thirty (30) days of termination, the Processor shall delete all Personal Data in accordance with its standard retention policies. In all cases, deletion shall be completed within ninety (90) days unless retention is required by applicable law.
9. Security Measures
Fexyn maintains industry-standard security practices including encryption at rest and in transit, access controls, regular security assessments, and incident response procedures. See our Security Overview for details.
10. Audit Rights
The Controller has the right to audit Fexyn’s compliance with this DPA subject to the following conditions:
- Audits may be conducted no more than once per 12-month period, unless required by a supervisory authority or following a confirmed data breach
- The Controller shall provide at least 30 days’ written notice prior to any audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Fexyn’s operations
- The Controller bears all costs associated with third-party auditors; Fexyn bears its own internal costs of facilitating the audit
- At Fexyn’s discretion, a current SOC 2 Type II report or equivalent independent certification may be provided in lieu of an on-site audit
Fexyn will provide reasonable cooperation and access to relevant documentation, records, and processing facilities necessary to demonstrate compliance with this DPA.