OXCODE
DocsAmbassadors
Request access
Legal

Data Processing Agreement

Last updated: July 8, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between ResoluteX Technology Labs Ltd, trading as Oxlo.ai, of Dubai AI Campus, DIFC, Dubai, United Arab Emirates ("Processor," "Oxlo," "we") and the customer or alpha participant using OxCode ("Controller," "you"), and applies whenever Oxlo processes personal data on your behalf in connection with OxCode. Where applicable data protection law (such as the DIFC Data Protection Law, the GDPR, or UK GDPR) requires a data processing agreement between the parties, this document satisfies that requirement.

On this page

  1. 1. Definitions
  2. 2. Roles of the parties
  3. 3. Subject matter and details of processing
  4. 4. Processor obligations
  5. 5. Sub-processors
  6. 6. International transfers
  7. 7. Security measures
  8. 8. Assistance and data subject requests
  9. 9. Personal data breach notification
  10. 10. Deletion and return of data
  11. 11. Audits
  12. 12. Term and termination
  13. 13. Contact

1. Definitions

Terms such as "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Personal Data Breach" have the meanings given to them under applicable data protection law, including the EU General Data Protection Regulation ("GDPR"), where applicable. "Sub-processor" means any third party engaged by Oxlo to process Personal Data on behalf of the Controller.

2. Roles of the parties

When you use OxCode to process content that includes Personal Data (for example, personal data embedded in code, comments, or prompts), you act as Controller and Oxlo acts as Processor with respect to that Personal Data. For data Oxlo collects directly to administer the alpha access program and your account, Oxlo acts as an independent Controller, as described in our Privacy Policy.

3. Subject matter and details of processing

  • Subject matter: Oxlo's provision of OxCode to the Controller.
  • Duration: For as long as Oxlo provides OxCode to the Controller, plus any post-termination period described in Section 10.
  • Nature and purpose: Processing of code, prompts, voice input, and related content submitted to OxCode in order to generate plans, code, explanations, and other Output, and to operate, secure, and improve OxCode.
  • Categories of data: Any Personal Data the Controller or its authorized users choose to include within code, comments, prompts, or voice input submitted to OxCode.
  • Categories of data subjects:The Controller's personnel, contractors, and, where applicable, the Controller's own end users or customers, to the extent their Personal Data appears in content processed by OxCode.

4. Processor obligations

Oxlo will:

  • Process Personal Data only on the Controller's documented instructions, including as described in this DPA, unless required to do otherwise by law;
  • Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations;
  • Implement appropriate technical and organizational measures to protect Personal Data, as described in Section 7;
  • Not engage a new Sub-processor without providing notice as described in Section 5; and
  • Taking into account the nature of processing, assist the Controller in responding to data subject requests and in meeting its obligations under applicable data protection law.

5. Sub-processors

The Controller authorizes Oxlo to engage Sub-processors to provide OxCode, including cloud hosting providers and AI model providers used to generate Output. Oxlo remains responsible for the acts and omissions of its Sub-processors to the same extent Oxlo would be liable if performing their services directly, and imposes data protection obligations on Sub-processors that are no less protective than those in this DPA. Oxlo will provide a current list of material Sub-processors on request and will give reasonable notice of any intended changes, allowing the Controller to object on reasonable data protection grounds.

6. International transfers

Where Oxlo transfers Personal Data outside the jurisdiction in which it was originally collected, Oxlo will ensure the transfer is subject to appropriate safeguards required under applicable data protection law, such as the European Commission's Standard Contractual Clauses or an equivalent mechanism, which are incorporated into this DPA by reference where required.

7. Security measures

Oxlo maintains technical and organizational measures appropriate to the risk, including:

  • Encryption of data in transit;
  • Access controls limiting Personal Data access to personnel who need it to perform their duties;
  • Logging and monitoring of systems that process Personal Data;
  • A process for identifying, evaluating, and remediating vulnerabilities; and
  • Incident response procedures covering detection, containment, and notification.

8. Assistance and data subject requests

If Oxlo receives a request from a data subject relating to Personal Data processed on the Controller's behalf, Oxlo will promptly notify the Controller and will not respond directly except as required by law or as instructed by the Controller. Oxlo will provide reasonable assistance to the Controller in fulfilling such requests and in conducting data protection impact assessments, where applicable.

9. Personal data breach notification

Oxlo will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's Personal Data, and will provide information reasonably available to Oxlo to help the Controller meet any notification obligations it has under applicable law.

10. Deletion and return of data

On termination of the underlying agreement or on the Controller's written request, Oxlo will, at the Controller's election, delete or return Personal Data processed on the Controller's behalf, except to the extent applicable law requires Oxlo to retain some or all of it, in which case Oxlo will isolate and protect that data from further processing.

11. Audits

Oxlo will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits or inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice, confidentiality, and no more than once per year absent a legal obligation or Personal Data Breach.

12. Term and termination

This DPA takes effect on the date you first submit Personal Data to OxCode and remains in effect for as long as Oxlo processes Personal Data on the Controller's behalf. This DPA is governed by, and should be read together with, our Terms & Conditions.

13. Contact

Questions about this DPA, or requests for a countersigned copy, can be sent to hello@oxlo.ai.

OXCODE
Privacy PolicyTerms & ConditionsData Processing Agreement
© 2026 ResoluteX Technology Labs Ltd · Alpha access program · All rights reserved