Data Processing Agreement
The terms under which MoonBase processes personal data on your behalf.
1. Definitions
- "GDPR" means Regulation (EU) 2016/679
- "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR
2. Scope and Purpose
MoxieAI processes Personal Data on behalf of the Controller only as necessary to provide the hosting Service described in the Terms of Service, in accordance with the Controller’s instructions, and for no other purpose.
3. Nature of Processing
Subject matter: Hosting and serving web projects uploaded by the Controller
Duration: For the duration of the Controller’s use of the Service, plus any applicable retention period, subject to the beta limitations described in the Terms of Service
Type of Personal Data: Any Personal Data included in the Controller’s Projects and processed by those Projects at runtime
Categories of Data Subjects: End users of the Controller’s hosted Projects
4. Controller’s Obligations
The Controller warrants that it has a lawful basis for Processing, has provided required notices to Data Subjects, and its instructions comply with applicable law.
5. Processor’s Obligations
MoxieAI agrees to:
(a) Process Personal Data only on the Controller’s documented instructions, unless required otherwise by applicable law
(b) Ensure persons authorized to process Personal Data are bound by confidentiality obligations
(c) Implement appropriate technical and organizational security measures
(d) Assist the Controller in responding to Data Subject requests
(e) Assist the Controller with security obligations, breach notifications, and data protection impact assessments as required
(f) At the Controller’s choice, delete or return Personal Data at the end of the Service relationship, unless retention is required by law
(g) Provide information necessary to demonstrate compliance with this DPA and support audits on reasonable notice (maximum once per year absent a security incident, at the Controller’s expense)
6. Sub-processors
The current list of approved sub-processors is published at moonbase.host/subprocessors. MoxieAI will provide at least 14 days' prior written notice of intended changes. The Controller may object in writing within 14 days; silence constitutes approval. MoxieAI imposes equivalent data protection obligations on all sub-processors.
7. International Transfers
Where Personal Data is transferred outside the EU/EEA, MoxieAI relies on Standard Contractual Clauses adopted by the European Commission or other approved transfer mechanisms.
8. Data Breach Notification
MoxieAI will notify the Controller without undue delay, and within 72 hours where feasible, upon becoming aware of a Personal Data breach. Notification will include available information about the nature, scope, likely consequences, and measures taken.
9. Beta Limitations
The Service is currently in beta. During beta, Personal Data processed through hosted Projects may be subject to data loss, unavailability, or deletion as described in the Terms of Service (Section 2). Controllers who require strict data integrity guarantees should not use the Service to host applications that process sensitive Personal Data until the Service exits beta.
10. Governing Law
This DPA is governed by the laws of the State of Israel, consistent with the Terms of Service, except where GDPR mandatory provisions require the application of EU law.
Requesting a Signed DPA
Enterprise customers who require a signed DPA: [email protected]