This Data Processing Policy (“Policy”) provides additional terms that apply regarding the Processing of data on Oxen and for the occasions when Oxen Processes Personal Data as a Processor on behalf of Customer when providing the Solution to Customer pursuant to the Oxen Master Subscription Agreement (“Agreement”). Oxen may update or change this agreement from time to time but will never materially decrease the level of security or privacy rights as set out in this Policy.
Oxen is an infrastructure platform and does not provide legal or compliance advice. Customers should consult with qualified legal counsel to ensure all processing on Oxen is compliant with relevant laws and regulations.
1. Definitions
Unless otherwise defined herein, all capitalized terms have the meaning given to them in the Oxen Information Security Policy (available at https://www.Oxen.ai/info-sec-policy) or the body of the Agreement.
“CCPA” means the California Consumer Privacy Act of 2018 (as amended by the California Consumer Privacy Act (CPRA)).
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject” means the individual to whom Personal Data relates.
“Data Protection Laws” means, to the extent they are applicable, (a) the GDPR; (b) the UK GDPR; and (c) the CCPA.
“GDPR” means the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the entity which processes Personal Data on behalf of the Controller.
“SCCs” means, where the GDPR applies, the Controller to Processor Standard Contractual Clauses adopted under the GDPR (“GDPR Controller to Processor SCCs”) available at https://www.Oxen.ai/legal/GDPR_C2P_SCCs, and, where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK IDTA Addendum”) available at http://www.Oxen.ai/legal/UK_IDTA.
“Subprocessor” means a third-party entity engaged by Oxen as a Data Processor under this Policy.
“Third Country” means (a) to the extent that the GDPR applies to the processing, a country outside the European Economic Area or Switzerland not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR); (b) to the extent the UK GDPR applies to the processing, a country outside the United Kingdom not recognized by the UK Government as providing an adequate level of protection for personal data (as described in the UK GDPR).
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
2. Purpose & Scope
This Policy applies to all data Processed on Oxen by Customers and their users, including but not limited to datasets, model weights, source code, and any outputs generated through the platform.
3. Roles and Responsibilities
Oxen as Service Provider - Oxen operates as a service provider and infrastructure platform. Oxen does not monitor, validate, or control the content, nature, or legality of any data submitted by customers.
Customer as Data Controller - Customers are solely responsible for the data they input, store, and Process within the Oxen platform. This includes responsibility for datasets, source code, model artifacts, and any outputs, as well as for any actions performed by their users.
4. Customer Data Compliance Obligations
Customers must ensure that all data submitted to Oxen complies with all applicable local, state, national, and international laws and regulatory requirements, including but not limited to those related to privacy, data protection, intellectual property, and export controls (e.g., GDPR, CCPA, UK GDPR, etc.).
Customers are responsible for obtaining all necessary consents, permissions, and rights for the lawful use and processing of data within Oxen.
Customers must not use the Oxen platform to store, process, or transmit data that is unlawful, infringing, or otherwise prohibited under applicable law.
5. Oxen’s Reliance on Customer Assurances
Oxen operates based on the representations and warranties provided by customers regarding the legality and compliance of all data processed on the platform.
Oxen neither accesses nor examines the content or substance of customer data, and does not provide any compliance advice or assistance with regulatory obligations.
By using Oxen services, customers affirm that all data and processing activity are compliant with all relevant legal and regulatory requirements.
6. Security
Oxen implements commercially reasonable technical and organizational measures to secure the platform and protect accounts from unauthorized access and accidental loss or alteration.
Security of the content of customer data is the responsibility of the customer. Customers are expected to utilize platform features, such as access controls and repository versioning, to manage and safeguard data.
7. Data Retention and Deletion
All datasets, model weights, code, and outputs are versioned and retained as part of the customer’s repository unless or until the customer requests their deletion, in accordance with Oxen’s retention procedures.
Upon account termination or deletion request, Oxen will use reasonable efforts to promptly erase customer data from the platform, except where retention is required by law or for legitimate business purposes.
8. Cross-Border Data Transfers
As a global, cloud-based platform, Oxen may store or transmit data across jurisdictions. Customers are responsible for ensuring that such transfers are permitted and compliant with relevant data transfer regulations.
9. Data Subject Rights
(a) Oxen shall promptly notify Customer of any request it receives from Data Subjects. It shall not respond to the request itself, unless authorized to do so by Customer.
(b) Oxen shall assist Customer in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the Processing. In fulfilling its obligations in accordance with (a) and (b), Oxen shall comply with Customer’s instructions.
(c) In addition to Oxen’s obligation to assist Customer pursuant to 9(b), Oxen shall furthermore assist Customer in ensuring compliance with the following obligations, taking into account the nature of the Processing and the information available to Oxen:
the obligation to carry out an assessment of the impact of the envisaged Processing on the protection of Personal Data (a “Data Protection Impact Assessment”) where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons;
the obligation to consult the competent supervisory authority/ies prior to Processing where a Data Protection Impact Assessment indicates that the Processing would result in a high risk in the absence of measures taken by Customer to mitigate the risk;
the obligation to ensure that Personal Data is accurate and up to date, by informing Customer without delay if Oxen becomes aware that Personal Data it is Processing is inaccurate or has become outdated;
the obligations in the Data Protection Laws.
10. Contact
For questions about this Policy or to make data-related requests, customers should contact Oxen via legal@oxen.ai.