Data Processing Addendum

For xNet Cloud business customers (Team and Enterprise).

Last updated: June 24, 2026

Draft — not yet in effect. This document is a working draft pending legal review and a named contracting entity. If you need an executable DPA today, contact legal@xnet.fyi.

1. Scope and roles

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer," the controller) and xNet (the processor) for the processing of personal data through xNet Cloud. Where you process personal data of your own end users through the service, you are the controller and we process it on your documented instructions.

2. Subject matter, duration, nature and purpose

  • Subject matter: hosting and processing of Customer data to provide xNet Cloud.
  • Duration: for the term of your subscription, plus the retention windows described in our Privacy Policy.
  • Nature and purpose: storage, backup, synchronization, search, and (where enabled by you) AI processing.

3. Types of personal data and data subjects

The personal data processed is determined by you and may include account identifiers, content you store, and the personal data of your end users or contacts contained in that content. Categories of data subjects include your authorized users and the individuals referenced in your content. You must not store special-category data unless your plan and applicable law permit it.

4. Our obligations as processor

  • Process personal data only on your documented instructions, including for transfers, unless required by law (in which case we'll inform you where permitted).
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (Section 7).
  • Assist you, taking into account the nature of processing, with data-subject requests and with your obligations around security, breach notification, and impact assessments.
  • Not sell or share personal data, and not retain, use, or disclose it for any purpose other than providing the service — including the "service provider" / "contractor" commitments under the CCPA/CPRA.

5. Sub-processors

You provide general authorization for us to engage the sub-processors listed on our sub-processor page. We will give advance notice (at least 30 days where practicable) before adding or replacing a sub-processor, and you may object on reasonable data-protection grounds. We impose data-protection obligations on each sub-processor no less protective than those in this DPA and remain responsible for their performance.

6. Data-subject rights

Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects to exercise their rights. Many requests you can fulfill yourself using the app and dashboard (export, correction, deletion).

7. Security

We maintain measures appropriate to the risk, including encryption in transit and of content at rest, tenant isolation, access controls and least privilege, continuous backups with restore verification, and logging. Your private keys and data identity remain on your devices and are not available to us. See our Privacy Policy for details.

8. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably available to help you meet your notification obligations.

9. Deletion and return

On termination, you can export your data, after which we delete it in accordance with the retention windows in our Privacy Policy, unless retention is required by law. Because your content is keyed to an identity only you hold, deletion is irreversible.

10. International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses (and the UK Addendum / Swiss amendments as applicable), which are incorporated by reference. Enterprise plans may request region pinning.

11. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including by providing relevant documentation and responding to reasonable written questionnaires, subject to confidentiality.

12. Order of precedence and contact

In case of conflict, this DPA prevails over the Terms of Service with respect to processing of personal data. To execute a DPA or ask questions, contact legal@xnet.fyi.