Data Processing Addendum

For Controllers · last updated 18 April 2026 · legal@xeso.ai

This page is the canonical, public version of our DPA. Countersigned PDFs are available on request — see §17 below.

1. Parties and scope

This Data Processing Addendum ("DPA") forms part of the XESO Terms of Service ("Agreement") between Amalgam Holdings Pty Ltd ("XESO", "Processor") and the Customer ("Controller") identified in the Agreement. It applies whenever XESO processes Personal Data on behalf of the Controller in connection with the XESO Service, and governs that processing under Article 28 of Regulation (EU) 2016/679 ("GDPR"), the UK GDPR (as incorporated by the Data Protection Act 2018), the Australian Privacy Act 1988 (Cth), and — where the Controller is a "business" under the CCPA/CPRA — the obligations imposed on "service providers". If there is a conflict between this DPA and the rest of the Agreement, this DPA controls with respect to processing of Personal Data.

2. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" have the meanings given in the GDPR. "Sub-processor" means any Processor engaged by XESO that processes Personal Data under this DPA. "Standard Contractual Clauses" or "SCCs" means the clauses annexed to European Commission Implementing Decision (EU) 2021/914, as updated or replaced from time to time. "UK IDTA" means the International Data Transfer Addendum issued by the UK Information Commissioner under s119A of the UK DPA 2018.

3. Subject matter and duration

Subject matter: XESO processes Personal Data to provide the Service as described in the Agreement — knowledge ingestion, retrieval, summarization, collaboration, billing, and related support.

Duration: Processing continues for the term of the Agreement plus any retention periods described in §9 below.

Nature and purpose of processing: providing, maintaining, securing, and improving the Service; enforcing the Terms; responding to Controller support requests; and complying with law.

4. Categories of data subjects and personal data

Data subjects: Controller's authorised end-users (e.g. employees, contractors, invited collaborators) and any natural persons identified in content the Controller submits to the Service.

Categories of Personal Data:

• Account identifiers (name, email, auth provider IDs, profile photo if supplied)
• User content (notes, imported documents, transcripts, chat prompts/responses, shared links)
• Usage telemetry, device/session metadata, and diagnostics
• Billing metadata (Stripe customer/subscription references — XESO does not store full card numbers)
• Security events (authentication events, audit log entries)

Sensitive data: The Service is not designed to receive special-category data under GDPR Art. 9 or equivalent. Controllers must not submit health, financial-account, government-ID, children's, or similarly sensitive data unless separately agreed in writing.

5. Roles and processing instructions

Each Party acknowledges that, in respect of Personal Data processed under the Service, the Controller is the Controller and XESO is the Processor. XESO will process Personal Data only on the Controller's documented instructions, which are: (a) the Agreement (including this DPA), (b) the configuration of the Service, (c) any instruction the Controller sends through the Service or written support channels, and (d) as required by applicable law (in which case XESO will notify the Controller of that legal requirement before processing, unless the law forbids such notice). If XESO believes an instruction infringes applicable data-protection law, it will inform the Controller.

6. Confidentiality

XESO personnel authorised to process Personal Data are bound by written confidentiality obligations that survive termination of their employment or engagement, and are given role-based access on a need-to-know basis.

7. Security of processing

XESO implements the technical and organisational measures described in Annex II of this DPA, which include, at a minimum:

• Transport encryption (TLS 1.2+) on all external traffic and at-rest encryption for managed storage (Postgres, object storage, Stripe vault).
• Role-based access control, passkey step-up for admin writes, and account-frozen enforcement at the edge.
• Tamper-evident hash-chained audit logging for sensitive actions (export, delete, admin writes).
• Secret storage in a managed KMS/secret manager with rotation procedures documented in the Secret Rotation Runbook.
• Defence-in-depth: Content Security Policy with nonces + strict-dynamic, HSTS with preload, COOP/COEP, rate limits, CSRF protection, and client-side error ingest with IP/user-agent minimisation.
• Vulnerability management: dependency scanning in CI (npm audit, CodeQL, secret-scan), pentest coverage before material releases, and public bug-bounty intake via security@xeso.ai.
• Backup and disaster-recovery procedures including point-in-time restore and documented RPO/RTO targets.

XESO will periodically test and evaluate the effectiveness of these measures.

8. Sub-processors

The Controller grants XESO general written authorisation to engage Sub-processors, subject to the following conditions:

(a) XESO maintains a public register of current and intended Sub-processors at /subprocessors. During the pre-GA period, that register is labelled "under review" — XESO will not route Controller Personal Data to a listed Sub-processor until its DPA (or equivalent parent-provider DPA) is signed.

(b) XESO will give the Controller at least 30 calendar days' prior notice (by email to subscribers and updates to the public register) before engaging a new Sub-processor.

(c) The Controller may object in writing within 15 calendar days of notice on reasonable data-protection grounds by emailing subprocessors@xeso.ai. The parties will work in good faith to resolve the objection; if that fails, the Controller may terminate the affected portion of the Service for convenience.

(d) XESO will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Controller for its Sub-processors' acts and omissions.

9. Data-subject rights

Taking into account the nature of the processing, XESO will assist the Controller, by appropriate technical and organisational measures, to respond to requests from Data Subjects exercising rights under applicable law (access, rectification, erasure, restriction, portability, and objection). In-product self-service: authenticated end-users can export their data ("scope=all" ZIP export) and delete their account (72-hour soft-delete grace, cancel-on-signin, physical purge cron) through the XESO Settings surface. Controllers may use these same tools to action Data-Subject requests routed through them. If XESO receives a request directly from a Data Subject, it will promptly forward the request to the Controller and will not respond itself except to confirm receipt and refer the Data Subject to the Controller, unless otherwise legally required.

10. Personal-data breach

XESO will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal-Data breach affecting the Controller's Personal Data. Notification will include the nature of the breach, the categories and approximate number of data subjects and records affected (where known), the likely consequences, the measures taken or proposed, and the contact point for further information. XESO maintains an internal incident-response runbook (Incident Response) and will cooperate reasonably with the Controller's regulatory-notification obligations.

11. Data-protection impact assessment; prior consultation

Taking into account the nature of the processing and the information available to XESO, XESO will provide reasonable assistance to the Controller with (a) data-protection impact assessments under GDPR Art. 35 and (b) prior consultations with Supervisory Authorities under Art. 36, in each case to the extent required by applicable law.

12. Return or deletion

On termination of the Agreement, or earlier at the Controller's written request, XESO will delete or return all Personal Data processed on behalf of the Controller and delete existing copies, unless applicable law requires further storage. Operational timelines: accounts deleted by end-users are soft-deleted for 72 hours (reversible), then physically purged by the account-reaper cron. Controller-initiated offboarding follows the same path or the timeline agreed in writing. Backups containing Personal Data are overwritten on a documented rolling schedule.

13. Audit and inspection

XESO will make available to the Controller all information reasonably necessary to demonstrate compliance with Art. 28 GDPR, including:

(a) the information in this DPA and the Sub-processor register;

(b) where requested, SOC 2 / ISO 27001 reports (when those certifications are issued), penetration-test summaries, and responses to a reasonable due-diligence questionnaire;

(c) on at least 30 days' written notice, an annual remote audit limited to XESO's data-protection controls.

On-site audits require separate written agreement, reasonable notice, and a mutually acceptable scope, and may be performed by an independent auditor bound by confidentiality obligations. The Controller is responsible for its own audit costs, unless the audit reveals material non-compliance by XESO.

14. International transfers

Where the processing under the Agreement involves a transfer of Personal Data out of the EEA, the UK, or Switzerland to a country not the subject of an adequacy decision, the parties agree:

(a) the EU SCCs (Module 2: Controller-to-Processor, or Module 3: Processor-to-Processor, as applicable) are incorporated by reference and take effect on the transfer. The optional docking clause is selected; Clause 7 is included; the Clause 11 option for independent dispute resolution is not selected; Clause 17 Option 1 applies with Irish law; the Clause 18(b) venue is Ireland.

(b) for UK transfers, the UK IDTA is incorporated by reference and takes effect on the transfer.

(c) for Swiss transfers, the SCCs apply with references to the GDPR read as references to the Swiss FADP and references to EU Member State law read as references to Swiss law.

The technical and organisational measures in Annex II of this DPA satisfy Annex II of the SCCs/IDTA.

15. CCPA / service-provider terms

Where the Controller is a "business" and XESO is a "service provider" under the California Consumer Privacy Act / California Privacy Rights Act (together, "CCPA"):

• XESO will process Personal Information only for the "business purposes" described in the Agreement, and will not "sell" or "share" Personal Information as those terms are defined in the CCPA.
• XESO will not retain, use, or disclose Personal Information outside the direct business relationship with the Controller, or combine it with Personal Information received from or on behalf of another person, except as permitted by the CCPA.
• XESO will notify the Controller if it determines it can no longer meet its obligations under the CCPA and will cooperate with any resulting remediation.

16. Liability; order of precedence

Each party's liability under this DPA is subject to the limitations of liability in the Agreement. Where the SCCs/IDTA are in effect, nothing in the Agreement limits a Data Subject's rights against the parties as beneficiaries under those clauses. In the event of conflict: this DPA > the SCCs/IDTA (for matters they govern) > the Agreement.

17. How to sign

A countersigned PDF of this DPA is available on request. Email legal@xeso.ai from the same domain as your XESO administrator account with:

• Legal entity name (Controller)
• Billing/contract contact
• Supervisory Authority (for EU/UK Controllers) or primary regulator

We return a signed PDF within five business days. For pre-signed templates or custom redlines, please indicate the material changes you need in that email so we can route the request correctly.

Annex I — Subject matter, categories, purposes

See §3 (subject matter, duration, nature, and purpose of processing) and §4 (categories of data subjects and Personal Data) above. Those sections together constitute Annex I A–B of the SCCs. Competent Supervisory Authority (SCC Annex I C): the authority of the EU Member State in which the Controller is established; for the UK, the UK ICO; for Australia, the OAIC.

Annex II — Technical and organisational measures

Summarised in §7. The full control register (network, identity, application, data, operations) is maintained in the XESO Security Charter and updated on each material release. Key items:

• Network: HTTPS only; HSTS preload; origin CDN with rate limits; WAF rollout in progress per the Cloud Armor runbook.
• Identity: OAuth/passkey primary; passkey step-up for admin writes and destructive actions; session revocation on risk signals.
• Application: CSP with nonce + strict-dynamic, CSRF protection, input validation, zip-slip protection in all archive importers, rate limiting on OG image generation, per-user request caps.
• Data: encryption in transit and at rest; narrow IAM on databases; BYOK-capable AI path; vault unlock required for sensitive read paths.
• Operations: CI gates (lint / typecheck / tests / migration-ordering / CodeQL / secret-scan), blue/green deploy, five-tier fast-revert, PITR-capable database.

Annex III — Sub-processors

The current list is published at /subprocessors and updated at least 30 calendar days before a new Sub-processor begins processing Controller Personal Data, as required by §8.