IOX Data Processing Addendum (DPA)

Version 1.0 — effective 2026-04-21 Attach this to the IOX Tenant Agreement when the Client processes personal data of individuals in the EU, UK, Switzerland, or any jurisdiction requiring a controller–processor agreement.

Purpose

When you (the Client / Controller) operate a tenant on IOX, some of the customer personal data moving through our platform belongs to you in the privacy-law sense — you decided to collect it, you chose the purpose. IOX (the Processor) runs the software that stores and moves it on your behalf.

This document is the contract that lets IOX process that personal data lawfully under:

  • GDPR (Regulation (EU) 2016/679) — Article 28
  • UK GDPR + Data Protection Act 2018
  • Swiss FADP
  • Applicable US state laws (CCPA/CPRA, CDPA, CTDPA, CPA, UCPA, etc.) where processor agreements are required

It supplements and does not replace the IOX Tenant Agreement. If any term conflicts, this DPA controls for personal-data matters; the Tenant Agreement controls for everything else.

1. The roles

  • Client = Controller of personal data collected through your tenant — you decide what, why, how long.
  • IOX = Processor of that data — we run the platform on your instructions (as set out in the Tenant Agreement and this DPA).
  • IOX = Independent Controller of the IOX identity layer (profile, friends, social features) — your customer is also an IOX customer for the platform-level features, and we process that shared identity on our own basis per the IOX Privacy Policy.
  • Each tenant is separate from every other tenant. IOX does not share your customer data with other tenants.

The two hats IOX wears are independent: we're your Processor for the data you control, and our own Controller for the IOX identity data. This DPA covers only the Processor hat.

2. Scope of processing (Annex 1 — see below)

Nature and purpose of processing: Hosting, storing, transmitting, and analyzing personal data as needed to provide the IOX tenant platform services.

Duration of processing: For as long as the Tenant Agreement is in effect, plus the 30-day post-termination export window in §5 of the Tenant Agreement.

Types of personal data processed:

  • Customer identifiers: name, email, phone, IOX account ID.
  • Transaction data: bookings, tickets, store orders, memberships, loyalty redemptions.
  • Custom fields the tenant collects through its booking or checkout flow.
  • Communication metadata: confirmation emails sent, SMS reminders dispatched.
  • Behavioral / analytical: booking patterns within your tenant.

Categories of data subjects:

  • Your end customers (individuals who book or buy from your tenant).
  • Your tenant members (staff accounts you give access to).

Sensitive / special-category data: IOX does not require any special-category data. If your tenant collects health data (e.g., waivers for an extreme sport), accessibility info, or other sensitive data through custom fields, you are responsible for the lawful basis and for limiting collection to what's strictly necessary.

3. IOX's obligations as Processor

3.1 Processing only on Client's documented instructions

IOX processes personal data only to deliver the platform services as described in the Tenant Agreement. If IOX is required to process data for a different purpose by law (e.g., a subpoena), we'll notify you before doing so unless the law prohibits notice.

3.2 Confidentiality

Everyone at IOX who accesses your data is under written confidentiality obligations. Access is on a need-to-know basis, logged, and limited to the personnel delivering the service or investigating incidents.

3.3 Security (Annex 2 — see below)

IOX maintains technical and organizational measures appropriate to the risk. These include but are not limited to:

  • Encryption of data in transit (TLS 1.2 or higher).
  • Encryption at rest for databases, backups, and sensitive fields (e.g., Growth Engine tax IDs use envelope encryption with AES-256-GCM).
  • Role-based access control with MFA for production system access.
  • Row-level security policies in the database that enforce per-tenant data isolation and super-user/agent scoping.
  • Regular security reviews and vulnerability management.
  • Written incident-response runbooks.
  • Supply-chain monitoring for dependencies.
  • Disaster recovery and tested backups (30-day retention).

3.4 Sub-processors (Annex 3 — see below)

  • IOX uses the sub-processors listed in Annex 3 to deliver the service.
  • You authorize those sub-processors by signing this DPA.
  • IOX will notify you at least 30 days before adding or replacing a sub-processor that processes personal data. You can object in writing; if we can't agree on an alternative, you may terminate the Tenant Agreement without penalty before the new sub-processor goes live.
  • IOX remains responsible to you for sub-processor performance. Each sub-processor is bound by a written contract imposing data-protection obligations no less protective than this DPA.

3.5 Data subject requests

When your customer exercises a data-subject right directly with IOX (access, deletion, correction, portability, objection, restriction):

  • IOX handles it directly as Controller of the identity layer (profile, friends, IOX account) per our Privacy Policy.
  • For the portions where IOX acts as your Processor — transaction data tied to your tenant — IOX forwards the request to you within 5 business days.
  • If the customer contacts you first about IOX-controlled data, you forward to IOX.
  • IOX provides reasonable assistance for you to meet your GDPR Articles 12–22 obligations: responding to data-subject requests, data protection impact assessments, and prior consultations with supervisory authorities.

3.6 Personal data breach notification

If IOX confirms a breach that affects personal data processed for you, IOX notifies you without undue delay and in any case within 72 hours of confirming the breach, with:

  • A description of what happened and when.
  • Categories and approximate number of data subjects and records affected.
  • Likely consequences.
  • Measures taken or proposed to address the breach.

You are responsible for notifying affected data subjects and your supervisory authority if required by law.

3.7 Data return and deletion on termination

On termination of the Tenant Agreement:

  • You have 30 days from the termination date to export all personal data you control (see Tenant Agreement §5.7).
  • After the 30-day window, IOX deletes or returns all personal data processed on your behalf, except where law requires retention (e.g., transaction records for tax compliance).
  • Retained data remains subject to this DPA until permanently deleted.
  • IOX provides written confirmation of deletion on request.
  • Backups are purged on the rolling schedule in our Privacy Policy (encrypted, deleted within 60 days of the corresponding live-system deletion).

3.8 Audits

  • IOX's security posture is documented and available on written request.
  • Once per year, with at least 30 days' notice, you may request reasonable audit information. IOX will provide:
    • Our most recent SOC-style self-assessment, external audit report, or security questionnaire response.
    • Written answers to reasonable follow-up questions.
  • In-person audits of IOX facilities are only permitted where required by your supervisory authority and must be scheduled and conducted at your cost with at least 60 days' notice and a signed NDA.

4. International transfers

Personal data processed under this DPA is transferred to and hosted on servers in the United States (primarily via Amazon Web Services, the underlying infrastructure of our hosting providers).

To legitimize these transfers from the EEA / UK / Switzerland:

  • IOX and the Client incorporate the EU Standard Contractual Clauses (Module 2 — Controller to Processor) as if set out in full in this DPA, as adopted by Commission Implementing Decision (EU) 2021/914.
  • IOX and the Client incorporate the UK International Data Transfer Addendum (IDTA) to the SCCs, as issued by the UK ICO, for UK-originating data.
  • IOX relies on equivalent safeguards where available for Swiss-originating data under the revised FADP.
  • Any sub-processor processing outside the EEA/UK is bound by equivalent transfer safeguards.

The parties agree that in the event of a conflict between the SCCs and any term of this DPA or the Tenant Agreement, the SCCs prevail for transfer-related matters.

Clause-by-clause selections under the SCCs:

  • Docking clause (Clause 7): enabled.
  • Redress clause (Clause 11): option not selected.
  • Governing law (Clause 17): law of Ireland (selected for broad enforceability with Tennessee-governing parent agreement).
  • Jurisdiction (Clause 18): courts of Ireland.
  • Annex I.A (parties): IOX LLC (data importer / processor) and the Client (data exporter / controller) as identified in the Tenant Agreement signature block.
  • Annex I.B (description of transfer): see §2 above.
  • Annex I.C (competent supervisory authority): the supervisory authority of the EU member state where the Client is established, or if not in the EU, the Irish Data Protection Commission.
  • Annex II (technical measures): see §3.3 + Annex 2 below.
  • Annex III (sub-processors): see Annex 3 below.

5. Your obligations as Controller

You warrant that:

  • You have a lawful basis to process the personal data you put through IOX.
  • You've provided appropriate privacy notices to your customers covering how IOX processes their data on your behalf.
  • You've collected any consents required for processing you instruct IOX to perform.
  • You will not instruct IOX to process personal data in a way that breaches applicable law.
  • Sensitive or special-category data you choose to collect through your tenant is necessary and lawfully based; you accept responsibility for that collection.

6. Liability

Each party's liability under this DPA is subject to the limitation of liability in the Tenant Agreement, except that neither party can cap or exclude liability for:

  • Damages suffered by a data subject that a supervisory authority or court awards against that party under applicable privacy law.
  • Penalties imposed by a supervisory authority for that party's own breach of privacy law.

Where joint liability is imposed on both parties for a single event, each party bears the portion attributable to its own fault.

7. Term and termination

  • This DPA takes effect when signed (or deemed signed by acceptance of the Tenant Agreement after 2026-04-21 with this DPA attached).
  • It remains in force as long as IOX processes personal data on your behalf.
  • It survives termination of the Tenant Agreement to the extent needed for data return, deletion, and final breach obligations.
  • If IOX can no longer meet its obligations under this DPA (e.g., a change in law makes continued processing unlawful), IOX will notify you and you may terminate the Tenant Agreement without penalty.

8. Miscellaneous

  • Amendments. If applicable privacy law changes and this DPA needs updating to remain compliant, IOX will propose an update with 30 days' notice. Reasonable updates required by law are deemed accepted if you continue using the service; material reductions to your rights require written acceptance.
  • Precedence. If any provision of this DPA conflicts with the Tenant Agreement, this DPA controls for personal-data matters. The SCCs control over both on transfer matters.
  • No separate fee. IOX does not charge extra for DPA compliance; it's part of the platform service.
  • Language. English is the authoritative language. Translations are for convenience.

Sign here

Client

  • Business name: ____________________________
  • Signer name + title: ____________________________
  • Signer email: ____________________________
  • Signature: ____________________________
  • Date: ____________________________

IOX LLC

  • Signer: Matt Haynes, Founder
  • Signature: ____________________________
  • Date: ____________________________

Annex 1 — Description of processing

Subject matter: Delivery of the IOX tenant platform services to the Client.

Duration: Term of the Tenant Agreement + 30-day post-termination export window.

Nature and purpose: Hosting, storing, transmitting, and analyzing personal data so the Client can run bookings, ticketing, merchandise, memberships, events, and loyalty programs on IOX spokes.

Type of personal data:

  • Contact identifiers: name, email, phone.
  • Account identifiers: IOX account ID, login timestamps.
  • Transaction data: booking/order IDs, amounts, dates, times, seat/room/bay assignments.
  • Communications data: confirmations, reminders, receipts.
  • Custom fields the Client collects through its tenant (e.g., age of attendees, waiver acceptance, gift messages).
  • Behavioral data: within-tenant browsing and conversion patterns.

Special categories of data: None required by IOX. Client bears responsibility for any special-category data it elects to collect via custom fields.

Categories of data subjects: Customers of the Client's tenant, and staff accounts the Client provisions.

Annex 2 — Technical and organizational measures

Pseudonymization and encryption:

  • All data in transit protected by TLS 1.2 or higher.
  • Database encrypted at rest (AES-256 via Supabase / AWS RDS).
  • Sensitive fields (e.g., tax IDs, payout method details for Growth Engine Referrers) encrypted with envelope encryption (AES-256-GCM) in addition to storage-level encryption.

Ongoing confidentiality, integrity, availability, resilience:

  • Row-level security policies enforce per-tenant data isolation.
  • Principle-of-least-privilege access with separate production and development environments.
  • MFA required for all production-access staff accounts.
  • Weekly automated backups, daily incremental; 30-day retention.
  • Monitored uptime with alerting; documented incident-response runbooks.

Ability to restore availability:

  • Tested backup restoration procedures.
  • Rolling deployment strategy minimizing single-failure outages.
  • Disaster-recovery plan with recovery-time objective (RTO) and recovery-point objective (RPO) targets documented internally; targets available to Client on request.

Regular testing, assessment, and evaluation:

  • Dependency and container scanning on every deploy.
  • Annual third-party security review.
  • Internal security audit reviews scheduled quarterly.

Access control:

  • Single-sign-on for staff; all staff access logged.
  • Production database access gated behind short-lived credentials.
  • Immediate revocation on employment termination.

Transmission control:

  • No personal data transmitted over unencrypted channels.
  • Webhook signatures verified on every spoke-to-Hub transmission.
  • Idempotency keys prevent replay of sensitive requests.

Input, availability, separation of processing purposes:

  • Separate staging, preview, and production environments.
  • Per-tenant logical separation via database row-level security.
  • Retention and deletion handled per §3.7.

Annex 3 — Approved sub-processors

Current as of 2026-04-21. IOX will notify the Client in advance of changes per §3.4.

Sub-processor Purpose Location of processing
Supabase Hosted PostgreSQL + authentication United States (AWS, us-east-1 region)
Amazon Web Services Underlying cloud infrastructure for Supabase + other services United States (us-east regions by default)
Vercel Application hosting, CDN, serverless function runtime Global CDN, primary compute in United States
Stripe Payment processing for IOX 5% fee and tenant payouts United States; global data transfers per Stripe's own DPA
Resend Transactional email delivery United States
Twilio SMS delivery (phone verification, notifications) United States; additional regional POPs per Twilio's DPA

Out of scope — tenant-chosen sub-processors: Services the Client elects to connect via integrations (e.g., the Client's own marketing email tool, CRM, or third-party tax calculator) are not sub-processors of IOX. The Client is responsible for the data-protection terms with those providers directly.

Document version: v1.0 · effective 2026-04-21 · questions to support@iox.llc.

Questions about this document? Email support@iox.llc.