Data Processing Addendum

Standard processor-facing terms describing how XYLEX handles customer personal data, subprocessors, incident support, and cross-border transfers.

Last updated: March 2, 2026

This page is intentionally drafted as a conventional public baseline. Enterprise customers can still execute a negotiated DPA where their procurement process requires one.

Purpose and Scope

This page sets out the standard baseline terms under which XYLEX processes personal data for customers acting as controllers or businesses.

This Data Processing Addendum applies where XYLEX processes personal data on behalf of a customer in connection with the services and applicable data protection law requires processor, service provider, or similar contractual terms.

This public version is designed to give customers and counsel a starting point. If the parties execute a separate DPA, that executed version controls over this public summary.

Roles and Processing Details

The customer generally determines why personal data is processed, while XYLEX processes that data only to provide the services.

  • Customer acts as the controller, business, or equivalent primary decision-maker for the customer data it submits to the services.
  • XYLEX acts as the processor, service provider, or equivalent vendor handling that personal data on behalf of the customer.
  • The subject matter, duration, nature, and purpose of processing depend on the subscribed services, the customer configuration, and the documented instructions provided by the customer.
  • Categories of personal data and data subjects may include customer employees, contractors, end users, and counterparties, as determined by the customer.

Documented Instructions

XYLEX will process customer personal data only on documented instructions from the customer, unless otherwise required by law.

Instructions are typically reflected in the services agreement, product configuration selected by the customer, support requests, implementation directions, and authorized use of the service features. If XYLEX believes an instruction violates applicable law, we may notify the customer before proceeding unless prohibited from doing so.

Customer is responsible for ensuring that its instructions and its use of the services comply with applicable data protection law.

Confidentiality and Security Measures

Personnel and subprocessors with access to customer personal data are expected to be bound by confidentiality obligations and supported by appropriate safeguards.

  • Access to customer personal data is limited to personnel and agents who require it for service delivery, support, security, or legal compliance.
  • XYLEX maintains technical and organizational measures appropriate to the risk, including measures relating to access control, system security, operational resilience, and incident management.
  • Additional detail about our general program is described on the Security page.

Subprocessors

XYLEX may engage subprocessors to support service delivery, subject to appropriate contractual controls.

  • Subprocessors are used for functions such as infrastructure, communications, security tooling, analytics, support operations, or other managed service dependencies.
  • XYLEX requires subprocessors that process customer personal data to enter into written agreements that impose data protection and confidentiality obligations appropriate to the services provided.
  • Where required by law or contract, XYLEX may provide notice of material subprocessors or changes to them through customer channels.

Assistance with Compliance

XYLEX will provide commercially reasonable assistance needed for the customer to meet certain data protection obligations.

  • Assistance with data subject requests, taking into account the nature of processing and the information available to XYLEX.
  • Assistance with security incident information required for customer assessments and legally required notifications.
  • Assistance with data protection impact assessments and prior consultations where legally required and where the relevant processing activity materially depends on XYLEX.

Security Incident Notification

XYLEX maintains an incident response process and will notify customers of confirmed incidents affecting customer personal data where required by law or contract.

Notification timing may depend on our ability to verify the event, understand scope, and avoid compromising containment or remediation. Notifications may include available details about the nature of the incident, the likely impact, and measures taken or proposed in response.

Customer remains responsible for determining whether it has its own external notification obligations to regulators, individuals, or counterparties.

International Transfers and Audits

Cross-border processing and customer assurance activities are handled through proportionate contractual and operational mechanisms.

  • XYLEX may use recognized cross-border transfer mechanisms where required for personal data transferred internationally.
  • Subject to confidentiality, security, and proportionality limits, XYLEX may provide information reasonably necessary to demonstrate compliance with processor obligations.
  • Where an audit right exists under a signed agreement, audits should be conducted in a manner that avoids unreasonable disruption and does not compromise other customers, systems, or confidential information.

Deletion or Return of Data

At the end of the services, customer personal data is handled according to the contract, the service architecture, and applicable law.

Upon termination or expiry, XYLEX will delete or return customer personal data where required by the governing agreement, subject to any legal retention obligations, security logging requirements, or residual copies maintained in backup systems for a limited period.

Customers should plan exports and migration activity before service termination where they need a final copy of data.