Compliance Advantage

Why self-hosted dedicated proxy infrastructure is the superior choice for compliance-conscious organizations

Last updated: March 16, 2026

1. Infrastructure You Can Trust

The Platform offers both dedicated IP plans and rotating residential pools. Dedicated plans assign IPs exclusively to a single customer for the duration of the plan, while rotating pools intentionally reuse IPs across customers over time. We maintain assignment records to support accountability, abuse response, and operational support.

This architecture is designed to provide clear attribution for dedicated resources and predictable behavior for rotating pools, while supporting lawful business use cases such as market research, ad verification, brand protection, and QA testing.

2. Dedicated IP Architecture

Dedicated IP plans provide exclusive assignments for the duration of service.

• Exclusive assignment (dedicated plans) — IPs are assigned to a single customer while active.
• Rotating pools (residential) — IPs are shared across customers over time by design.
• Assignment records — We maintain internal records of IP assignments and durations for billing, support, and abuse response.
• Source transparency — IP sourcing varies by product and region; high-level sourcing information is available on request.

This model helps separate dedicated workflows from rotating workflows while keeping accountability clear.

3. Data Controller/Processor Clarity

Our services are structured to support clear data role boundaries under GDPR and other data protection frameworks:

• Customer as controller — The Customer determines the purposes and means of data processing conducted through the proxy infrastructure.
• Operator as processor (for service data) — The Operator processes account, billing, and service metadata to provide the service.
• Operator as controller (for its own operations) — The Operator may act as a controller for its own security, abuse prevention, and compliance obligations.
• Data Processing Agreement available — Enterprise customers can request a signed DPA that defines processing scope, data categories, subprocessors, and security obligations.

This structure helps customers align compliance responsibilities with their specific use case.

4. Mere Conduit Protection

Under the EU Digital Services Act and eCommerce Directive (Article 12), our infrastructure model is designed to align with conditions commonly associated with mere-conduit protection:

• We do not initiate transmissions — All traffic through our infrastructure is initiated by the Customer, not by the Operator.
• We do not select the receiver of transmissions — The Customer determines which destinations to connect to through the proxy infrastructure.
• We do not select or modify the information transmitted — Traffic passes through our infrastructure without inspection, modification, or filtering of content.
• Our role is passive, technical, and automatic — The Operator's infrastructure routes packets according to standard networking protocols without human intervention in individual transmissions.
• We do not inspect or store customer traffic content as a standard practice — No deep packet inspection, content caching, or payload logging occurs in normal operations.

Legal treatment depends on the specific facts of a case, applicable law, and competent authority interpretation. Customers should obtain independent legal advice for their specific use case.

5. Compliance Comparison

The following comparison is illustrative and may vary by provider, product type, and legal context:

IP Attribution: Dedicated — Single customer per IP | Shared — Multiple customers share IPs

Abuse Liability: Dedicated — Isolated to the responsible customer | Shared — Cross-contamination risk across all pool users

Data Processing Chain: Dedicated — 2 parties (operator + customer) | Shared — 3+ parties (SDK provider, device owner, aggregator, operator, customer)

GDPR Controller Role: Dedicated — Clear processor role for the operator | Shared — Complex joint controller analysis required

Consent Requirements: Dedicated — Standard service consent | Shared — May require peer device consent from residential device owners

IP Verification: Dedicated — WHOIS/RDAP verifiable by any third party | Shared — Often obscured, pooled, or behind opaque routing layers

Traffic Inspection: Dedicated — No payload inspection by default (conduit-style routing model) | Shared — May involve routing, load balancing, or traffic shaping that touches content

Regulatory Risk: Dedicated — Often lower when controls are implemented and documented | Shared — Often higher due to multi-party and content-adjacent operational models

Organizations with stringent compliance requirements often benefit from dedicated infrastructure when controls and documentation are implemented.

6. Certifications & Standards

Current security posture (summary):

• GDPR-aligned data handling — Data Processing Agreements are available for enterprise customers.
• PCI via certified processors — Payment processing is handled through PCI-compliant providers; card data does not touch the Operator's infrastructure.
• Transport security — Dashboard and API access use HTTPS/TLS where available.
• At-rest encryption — Data at rest is encrypted by hosting providers where supported.
• Security reviews — Periodic security reviews and vulnerability management are conducted.

Standards roadmap:

• SOC 2 — Under evaluation.
• ISO 27001 — Under evaluation.

7. Regulatory Framework Coverage

The Operator maintains a compliance program designed to support the following regulatory frameworks where applicable:

• GDPR (EU/EEA/UK) — General Data Protection Regulation, including data minimization, purpose limitation, lawful basis for processing, and data subject rights.
• CCPA/CPRA (California) — California Consumer Privacy Act and California Privacy Rights Act, including rights to know, delete, and opt out where applicable.
• ePrivacy Directive (EU) — Compliance with requirements for electronic communications privacy, including cookie consent and traffic data confidentiality.
• Digital Services Act (EU) — Program controls designed to support intermediary obligations, including transparency and notice-and-action processes where applicable.
• Electronic Communications Code (EU) — Program controls mapped to relevant obligations for infrastructure providers where applicable.

Infrastructure is hosted in commercial datacenters with physical security controls provided by hosting partners. Details are available on request.

The Operator monitors regulatory developments across all applicable jurisdictions and updates its compliance posture proactively as new requirements emerge.

8. Get Compliant

Contact our compliance team to discuss your organization's specific requirements.

Available upon request:

• Signed Data Processing Agreements — Customized DPAs that reflect your organization's data processing requirements and comply with GDPR Article 28.
• Custom security questionnaires — Completed responses to your organization's vendor security assessment questionnaires (SIG, CAIQ, or custom formats).
• Compliance documentation — Technical and organizational measures documentation, sub-processor lists, data flow diagrams, and other materials for your legal team's review.
• Enterprise security reviews — Detailed walkthroughs of our security architecture, access controls, incident response procedures, and business continuity planning.

Contact: support@hexproxies.com

Our compliance team aims to respond as quickly as possible. For enterprise evaluations requiring expedited review, please indicate your timeline in the initial inquiry.

Our infrastructure model is designed from the ground up for compliance, accountability, and transparency.
