Data Processing Addendum

1. INTRODUCTION

1.1. Parties

This Data Processing Addendum ("Addendum" or "DPA") forms part of the agreement between
the customer, client, subscriber, or organization using XData services ("Customer") and:

[XDATA LEGAL ENTITY NAME]
[XDATA REGISTERED ADDRESS]
Company registration number: [INSERT]
VAT ID: [INSERT]
Email: [INSERT LEGAL OR PRIVACY EMAIL]
Website: https://xdata.si

("XData", "we", "us", or "our").

1.2. Purpose

This DPA governs the processing of Personal Data by XData on behalf of Customer in connection
with Customer's use of XData services, software, AI systems, advisory services, managed
infrastructure, integrations, APIs, knowledge systems, automation workflows, proofs of concept,
and other services described in the applicable agreement, order, proposal, statement of work,
or online terms (collectively, the "Services").

1.3. Incorporation

This DPA is incorporated into and forms part of the applicable agreement between XData and
Customer, including any Terms of Service, Software and AI Services Agreement, Master Services
Agreement, Order Form, Proposal, Statement of Work, or other written agreement governing the
Services (the "Agreement").

1.4. Order of Precedence

If there is a conflict between this DPA and the Agreement regarding the processing of Personal
Data, this DPA will prevail to the extent of the conflict. If there is a conflict between
the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail
to the extent required by applicable Data Protection Law.

1.5. Scope

This DPA applies only where XData processes Personal Data on behalf of Customer as a Processor
or Sub-processor. It does not apply where XData processes Personal Data as an independent
Controller, such as for XData account administration, billing, security, legal compliance,
business communications, website analytics, sales operations, or marketing, unless otherwise
agreed in writing.


2. DEFINITIONS

2.1. "Agreement" means the applicable agreement between XData and Customer governing the
Services.

2.2. "Authorized User" means an employee, contractor, administrator, agent, or other person
authorized by Customer to access or use the Services.

2.3. "Controller" means the natural or legal person, public authority, agency, or other body
which, alone or jointly with others, determines the purposes and means of the processing of
Personal Data.

2.4. "Customer Content" means data, files, documents, prompts, messages, logs, text, code,
images, audio, video, configurations, records, knowledge bases, embeddings, metadata, and
other materials that Customer or its Authorized Users upload, submit, provide, generate,
connect, or make available to the Services.

2.5. "Customer Instructions" means Customer's documented instructions for processing Personal
Data, including:
(a) the Agreement;
(b) this DPA;
(c) the applicable Order, Proposal, or Statement of Work;
(d) Customer's configuration and use of the Services;
(e) written instructions provided by Customer and accepted by XData.

2.6. "Data Protection Law" means all data protection and privacy laws applicable to the
processing of Personal Data under this DPA, including, where applicable, Regulation (EU)
2016/679 (General Data Protection Regulation, "GDPR"), national data protection laws of EU/EEA
Member States, the Slovenian Personal Data Protection Act, the ePrivacy Directive and
implementing laws, the UK GDPR, the UK Data Protection Act 2018, and other applicable privacy
or data protection laws.

2.7. "Data Subject" means an identified or identifiable natural person to whom Personal Data
relates.

2.8. "Personal Data" means any information relating to an identified or identifiable natural
person, and any other information that is treated as personal data, personal information, or
personally identifiable information under applicable Data Protection Law.

2.9. "Processing" or "process" means any operation or set of operations performed on Personal
Data, whether or not by automated means, including collection, recording, organization,
structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission,
alignment, combination, restriction, erasure, or destruction.

2.10. "Processor" means the entity that processes Personal Data on behalf of a Controller.

2.11. "Security Incident" means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed
by XData or its Sub-processors on behalf of Customer.

2.12. "Services" means XData services described in the Agreement.

2.13. "Special Categories of Personal Data" means Personal Data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership, genetic
data, biometric data for the purpose of uniquely identifying a person, health data, data
concerning a person's sex life or sexual orientation, and any other sensitive category under
applicable Data Protection Law.

2.14. "Sub-processor" means a third party engaged by XData to process Personal Data on behalf
of Customer in connection with the Services.

2.15. "Supervisory Authority" means an independent public authority established by an EU/EEA
Member State or other applicable jurisdiction responsible for monitoring application of Data
Protection Law.


3. ROLES OF THE PARTIES

3.1. Customer Role

Customer is the Controller of Personal Data processed under this DPA, unless Customer acts as
a Processor on behalf of another Controller. If Customer acts as a Processor, then XData acts
as Customer's Sub-processor.

3.2. XData Role

XData will act as Processor or Sub-processor for Personal Data contained in Customer Content
and processed on behalf of Customer in connection with the Services.

3.3. Customer Responsibilities

Customer is responsible for:
(a) determining the purposes and means of processing Personal Data;
(b) ensuring that Customer Instructions comply with Data Protection Law;
(c) having a valid legal basis for processing Personal Data;
(d) providing required notices to Data Subjects;
(e) obtaining required consents where applicable;
(f) ensuring Customer Content is lawful, accurate, and appropriate for the Services;
(g) ensuring that Customer has the right to provide Personal Data to XData;
(h) evaluating whether the Services are suitable for the intended processing;
(i) determining whether a data protection impact assessment is required;
(j) ensuring any AI-related use of Personal Data complies with applicable law.

3.4. XData Responsibilities

XData will process Personal Data only:
(a) in accordance with Customer Instructions;
(b) as necessary to provide, secure, support, maintain, improve, and operate the Services;
(c) as necessary to investigate Security Incidents or prevent abuse;
(d) as required by applicable law.

3.5. Notice of Unlawful Instructions

XData will inform Customer if, in XData's reasonable opinion, a Customer Instruction infringes
Data Protection Law, unless XData is prohibited from doing so by applicable law.


4. PROCESSING OF PERSONAL DATA

4.1. Description of Processing

The subject matter, duration, nature, purpose, categories of Data Subjects, categories of
Personal Data, and Sub-processor transfers are described in Schedule 1.

4.2. Customer Instructions

The Agreement, this DPA, the applicable Order, and Customer's use and configuration of the
Services constitute Customer's complete and final documented instructions to XData for the
processing of Personal Data, unless the parties agree otherwise in writing.

4.3. Additional Instructions

Customer may provide additional written instructions where required by Data Protection Law.
XData will comply with reasonable additional instructions where technically and commercially
feasible. If additional instructions require material changes, additional costs, or additional
services, the parties may agree on fees, timelines, and technical scope.

4.4. Confidentiality

XData will ensure that persons authorized to process Personal Data are subject to appropriate
confidentiality obligations, whether contractual, statutory, or professional.

4.5. No Sale of Personal Data

XData will not sell Personal Data processed on behalf of Customer and will not process such
Personal Data for XData's own commercial purposes except as permitted by the Agreement, this
DPA, Customer Instructions, or Data Protection Law.

4.6. No Training of Foundation Models by Default

Unless expressly agreed in writing or enabled by Customer through a clear setting, XData will
not intentionally use Personal Data contained in Customer Content to train foundation models
or general-purpose AI models made available to other customers.

This does not prevent XData from processing operational logs, telemetry, performance data,
security events, aggregated data, or de-identified data to provide, secure, troubleshoot,
maintain, and improve the Services, provided such processing complies with applicable law.


5. AI-SPECIFIC DATA PROCESSING

5.1. AI Services

Some Services may use AI models, large language models, embedding models, retrieval systems,
classification systems, agents, workflow automation, or other AI-enabled components
("AI Services").

5.2. Customer Responsibility for AI Inputs

Customer is responsible for ensuring that prompts, files, documents, datasets, instructions,
knowledge bases, and other AI inputs do not contain Personal Data unless Customer has a lawful
basis and the applicable Agreement permits such processing.

5.3. Special Categories and High-Risk Data

Customer must not submit Special Categories of Personal Data, criminal offence data, children's
data, secrets, confidential client data, health data, biometric data, or other regulated data
to AI Services unless:
(a) the processing is expressly permitted in the applicable Order or DPA;
(b) Customer has a valid legal basis;
(c) appropriate safeguards are implemented;
(d) the parties agree any required additional terms.

5.4. AI Model Providers

AI Services may rely on third-party model providers, APIs, cloud infrastructure, open-source
models, customer-hosted models, or XData-managed models. The applicable Order, Subprocessor
List, or Service description should identify material AI-related Sub-processors where required
by Data Protection Law.

5.5. AI Outputs

AI-generated outputs may contain Personal Data if Personal Data was included in inputs,
connected sources, retrieval systems, prompts, or Customer Content. Customer is responsible
for reviewing outputs before using, publishing, storing, or acting on them.

5.6. Retrieval and Knowledge Systems

Where XData provides RAG, knowledge base, search, indexing, embeddings, or document
intelligence Services, Personal Data may be extracted, chunked, embedded, indexed, stored,
retrieved, summarized, transformed, or combined with other Customer Content for the purpose
of providing the Services.

5.7. Human Review

Customer is responsible for ensuring appropriate human review, access control, logging,
governance, and risk management when AI Services are used for decisions affecting individuals
or for regulated, high-impact, or business-critical workflows.


6. SECURITY MEASURES

6.1. Technical and Organizational Measures

XData will implement and maintain appropriate technical and organizational measures designed
to protect Personal Data against accidental or unlawful destruction, loss, alteration,
unauthorized disclosure, or access, taking into account the nature, scope, context, and
purposes of processing, the state of the art, implementation costs, and risks to Data Subjects.

6.2. Security Measures Description

The current technical and organizational measures are described in Schedule 2. XData may update
those measures from time to time, provided that updates do not materially reduce the overall
level of protection for Personal Data during the applicable term.

6.3. Customer Security Responsibilities

Customer is responsible for:
(a) securing Customer accounts and credentials;
(b) managing Authorized Users and access rights;
(c) configuring permissions and integrations;
(d) enabling available security controls such as MFA or SSO where appropriate;
(e) protecting Customer systems, endpoints, networks, repositories, and connected services;
(f) ensuring that data shared with the Services is appropriate and lawful;
(g) reviewing logs and alerts where available.

6.4. Security Certifications

Unless expressly stated in an applicable Order, XData does not represent that it holds any
specific security certification, including SOC 2, ISO 27001, ISO 27018, ISO 42001, or similar
certifications.


7. SECURITY INCIDENTS

7.1. Notification

XData will notify Customer without undue delay after becoming aware of a confirmed Security
Incident affecting Personal Data processed on behalf of Customer. Where feasible and required
by applicable law, XData will aim to notify Customer within 72 hours after becoming aware of
the Security Incident.

7.2. Content of Notice

To the extent reasonably available, XData's notice may include:
(a) a description of the nature of the Security Incident;
(b) categories and approximate number of affected Data Subjects;
(c) categories and approximate number of affected records;
(d) likely consequences;
(e) measures taken or proposed to address the Security Incident;
(f) measures recommended to Customer;
(g) contact point for follow-up.

7.3. Investigation and Remediation

XData will use commercially reasonable efforts to investigate, mitigate, contain, and remediate
Security Incidents within XData's reasonable control.

7.4. No Admission

Notification of a Security Incident is not an admission of fault, liability, or violation by
XData.


8. SUB-PROCESSORS

8.1. General Authorization

Customer generally authorizes XData to engage Sub-processors to process Personal Data in
connection with the Services, including XData affiliates, hosting providers, infrastructure
providers, AI model providers, email providers, analytics providers, monitoring providers,
identity providers, support tools, payment processors, and other service providers.

8.2. Sub-processor Agreements

XData will enter into written agreements with Sub-processors that impose data protection
obligations materially equivalent to those required by this DPA, to the extent applicable to
the nature of the services provided by the Sub-processor.

8.3. Liability for Sub-processors

XData remains responsible for the performance of its Sub-processors to the extent required by
Data Protection Law and the Agreement.

8.4. Sub-processor List

XData should maintain an up-to-date list of material Sub-processors at:

[INSERT SUBPROCESSOR LIST URL]

The list should identify, where appropriate:
(a) Sub-processor name;
(b) service function;
(c) processing location or region;
(d) type of data processed;
(e) applicable transfer mechanism.

8.5. Notification of Changes

XData will provide notice of new or replacement Sub-processors by updating the Sub-processor
List, email notice, account notice, or another reasonable method. Unless otherwise stated in
the Agreement, XData will use reasonable efforts to provide at least 15 days' notice before a
new Sub-processor begins processing Personal Data on behalf of Customer.

8.6. Objection Right

Customer may object to a new Sub-processor during the notice period on reasonable data
protection grounds. The parties will discuss commercially reasonable alternatives in good
faith. If no resolution is reached, Customer may terminate the affected Services as its sole
remedy, unless otherwise required by Data Protection Law.


9. ASSISTANCE AND COOPERATION

9.1. Data Subject Requests

Taking into account the nature of processing and the information available to XData, XData
will provide reasonable assistance to Customer to enable Customer to respond to requests from
Data Subjects exercising their rights under Data Protection Law, where Customer cannot
reasonably fulfill the request using self-service functionality or Customer's own systems.

9.2. Data Protection Impact Assessments

Taking into account the nature of processing and the information available to XData, XData
will provide reasonable assistance to Customer with data protection impact assessments and
prior consultations with Supervisory Authorities, where required by Data Protection Law.

9.3. Government and Third-Party Requests

If XData receives a legally binding request from a public authority, law enforcement agency,
regulator, court, or other third party for disclosure of Personal Data processed on behalf of
Customer, XData will, where legally permitted:
(a) promptly notify Customer;
(b) refer the requesting party to Customer;
(c) use reasonable efforts to challenge unlawful, disproportionate, or overbroad requests;
(d) disclose only the Personal Data legally required.

9.4. Compliance Information

XData will make available information reasonably necessary to demonstrate compliance with this
DPA, subject to confidentiality, security, legal, and operational restrictions.


10. DELETION AND RETURN

10.1. Customer Controls

During the term of the Agreement, Customer may delete, export, correct, or retrieve Customer
Content where the Services provide self-service functionality.

10.2. End of Services

At the end of the provision of Services involving processing of Personal Data, XData will,
at Customer's choice and subject to technical feasibility, delete or return Personal Data
processed on behalf of Customer within a reasonable period, unless applicable law requires
retention.

10.3. Default Deletion Period

Unless otherwise stated in the Agreement or required by law, XData will delete Customer Content
from active systems within 30 days after termination or confirmed deletion request, where
technically feasible.

10.4. Backups

Personal Data may remain in backups, archives, logs, or disaster recovery systems for a
limited period according to XData's retention and backup policies. During this period, XData
will protect such data from active processing except as necessary for restoration, security,
legal compliance, or deletion.

10.5. Legal Retention

XData may retain Personal Data where required by law, regulation, court order, tax obligations,
audit obligations, dispute resolution, fraud prevention, or legitimate security purposes,
subject to confidentiality and processing restrictions.


11. AUDIT

11.1. Documentation-Based Audit

Upon Customer's reasonable written request, XData will provide information reasonably necessary
to demonstrate compliance with this DPA, such as security summaries, policy summaries,
Sub-processor information, architecture descriptions, data flow descriptions, or other
available documentation.

11.2. On-Site or Remote Audit

Only where Customer's audit requirements under Data Protection Law cannot reasonably be
satisfied through documentation, Customer may request an audit of XData's relevant processing
activities. Any audit must:
(a) be limited to processing of Personal Data under this DPA;
(b) be subject to confidentiality obligations;
(c) be conducted during regular business hours;
(d) be preceded by at least 45 days' written notice;
(e) occur no more than once per year unless required by a Supervisory Authority or following
    a confirmed Security Incident;
(f) avoid unnecessary disruption to XData operations;
(g) not compromise security, confidentiality, trade secrets, other customers' data, or
    third-party rights;
(h) be conducted at Customer's expense unless otherwise required by law.

11.3. Third-Party Auditors

Customer's appointed auditor must be independent, qualified, and not a direct competitor of
XData. XData may object to an auditor on reasonable grounds.

11.4. Audit Findings

Customer must provide XData with a copy of audit findings relating to XData. The parties will
discuss any material findings in good faith.


12. INTERNATIONAL DATA TRANSFERS

12.1. EEA Processing

Where the Services are configured for EU/EEA processing and XData processes Personal Data
within the EU/EEA, XData will use reasonable efforts to maintain processing within the agreed
region, subject to the Agreement, Sub-processor List, and technical architecture.

12.2. Transfers Outside the EEA

Where Personal Data is transferred from the European Economic Area, Switzerland, or the United
Kingdom to a country that is not recognized as providing an adequate level of protection,
the parties will use a valid transfer mechanism, such as:
(a) the EU Standard Contractual Clauses;
(b) the UK International Data Transfer Addendum or UK International Data Transfer Agreement;
(c) Swiss amendments to the EU Standard Contractual Clauses;
(d) an adequacy decision;
(e) another lawful transfer mechanism under Data Protection Law.

12.3. Transfer Impact Assessments

Where required by Data Protection Law, the parties will cooperate reasonably in relation to
transfer impact assessments, taking into account the nature of the Services, the transfer
mechanism, technical safeguards, Sub-processors, and data categories.

12.4. Customer-Hosted Deployments

For customer-hosted or self-hosted deployments, Customer may control the hosting location and
international transfer architecture. XData's responsibility is limited to the processing
activities performed by XData under the Agreement.


13. REGION-SPECIFIC TERMS

13.1. European Economic Area

For Personal Data subject to GDPR:
(a) Customer acts as Controller and XData acts as Processor, unless Customer acts as Processor
    and XData acts as Sub-processor.
(b) XData will comply with Article 28 GDPR processor obligations applicable to its role.
(c) If EU SCCs apply, Module Two applies for Controller-to-Processor transfers and Module
    Three applies for Processor-to-Processor transfers.
(d) The competent Supervisory Authority should be determined based on the parties' roles,
    establishment, and applicable law. For XData established in Slovenia, this may be the
    Information Commissioner of the Republic of Slovenia, unless another authority is competent.

13.2. United Kingdom

For Personal Data subject to UK GDPR, the parties will apply an appropriate UK transfer
mechanism where required, such as the UK Addendum to the EU SCCs or the UK IDTA.

13.3. Switzerland

For Personal Data subject to Swiss data protection law, the parties will interpret the EU SCCs
as required under Swiss law where applicable.

13.4. Other Regions

If other regional privacy laws apply, the parties will comply with their respective obligations
under those laws and may enter into additional terms where required.


14. DATA PROTECTION CONTACTS

14.1. XData Contact

Privacy and data protection notices should be sent to:

[XDATA PRIVACY CONTACT NAME OR ROLE]
Email: [INSERT PRIVACY EMAIL]
Address: [INSERT ADDRESS]

14.2. Customer Contact

Customer's privacy contact is the contact identified in the Agreement, account, Order, or
other written notice provided to XData.

14.3. Data Protection Officer

XData's Data Protection Officer, if appointed, is:

[INSERT DPO DETAILS OR "Not appointed unless required by applicable law"]


15. RECORDS AND COMPLIANCE

15.1. Records

XData will maintain records of processing activities where required by Data Protection Law.

15.2. Personnel Training

XData will take reasonable steps to ensure that personnel involved in processing Personal Data
receive appropriate confidentiality, privacy, and security awareness instructions or training.

15.3. Policies

XData will maintain appropriate internal policies and procedures for information security,
access control, incident response, confidentiality, data retention, and vendor management,
taking into account the size, nature, and risk profile of XData's operations.

15.4. AI Governance

Where XData provides AI Services, XData should maintain reasonable AI governance practices
appropriate to the Service, which may include documentation, model/provider review, access
control, logging, prompt and data handling rules, testing, and human oversight guidance.


SCHEDULE 1 - DESCRIPTION OF PROCESSING

1. Subject Matter

Processing of Personal Data contained in Customer Content for the purpose of providing,
securing, supporting, maintaining, improving, and operating the Services under the Agreement.

2. Duration

For the term of the Agreement and any additional period required for deletion, return, backup
retention, legal retention, dispute resolution, or compliance with applicable law.

3. Frequency of Processing

Continuous or as otherwise required to provide the Services.

4. Nature of Processing

Depending on the Services, processing may include:
(a) collection;
(b) storage;
(c) hosting;
(d) transmission;
(e) retrieval;
(f) indexing;
(g) search;
(h) classification;
(i) embedding generation;
(j) summarization;
(k) transformation;
(l) analysis;
(m) enrichment;
(n) automation;
(o) logging;
(p) monitoring;
(q) backup;
(r) deletion;
(s) support access;
(t) incident investigation.

5. Purpose of Processing

Processing Personal Data as necessary to:
(a) provide the Services;
(b) manage accounts and users;
(c) host Customer Content;
(d) operate AI, search, RAG, automation, and analytics functions;
(e) integrate with Customer systems;
(f) provide support and troubleshooting;
(g) maintain security and prevent abuse;
(h) monitor performance and reliability;
(i) comply with Customer Instructions;
(j) comply with applicable law.

6. Categories of Data Subjects

Depending on Customer's use of the Services, Data Subjects may include:
(a) Customer's employees;
(b) Customer's contractors;
(c) Customer's administrators and Authorized Users;
(d) Customer's customers, prospects, leads, or end users;
(e) website visitors;
(f) support users;
(g) business contacts;
(h) suppliers and partners;
(i) applicants and candidates;
(j) individuals mentioned in Customer documents or datasets;
(k) other individuals whose Personal Data is included in Customer Content.

7. Categories of Personal Data

Depending on Customer's use of the Services, Personal Data may include:
(a) names;
(b) email addresses;
(c) phone numbers;
(d) job titles;
(e) organization names;
(f) account identifiers;
(g) usernames;
(h) IP addresses;
(i) device and browser data;
(j) authentication and access logs;
(k) usage logs;
(l) support communications;
(m) uploaded documents;
(n) business records;
(o) prompts and messages;
(p) free-text content;
(q) metadata;
(r) images or media files;
(s) code or configuration files containing identifiers;
(t) any other Personal Data included by Customer in Customer Content.

8. Special Categories of Personal Data

XData does not intend to receive or process Special Categories of Personal Data unless
expressly agreed in writing. Customer must not submit Special Categories of Personal Data
unless the Agreement permits such processing and appropriate safeguards are in place.

9. Criminal Offence Data

XData does not intend to receive or process criminal offence data unless expressly agreed in
writing and permitted by applicable law.

10. Children's Data

XData does not intend to receive or process children's Personal Data unless expressly agreed
in writing and permitted by applicable law.

11. AI-Specific Processing Activities

Where AI Services are used, processing may include:
(a) prompt processing;
(b) context retrieval;
(c) document chunking;
(d) embedding generation;
(e) vector storage;
(f) semantic search;
(g) model inference;
(h) model routing;
(i) output generation;
(j) evaluation;
(k) safety filtering;
(l) workflow automation;
(m) human review support;
(n) logging for security, debugging, and observability.

12. Sub-processors

Personal Data may be transferred to Sub-processors as described in the Sub-processor List
and Section 8 of this DPA.


SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES

The measures below are a draft baseline. They should be verified against actual XData
implementation before publication.

1. Governance and Policies

XData should maintain internal policies and procedures appropriate to its size and risk
profile, including:
(a) information security policy;
(b) privacy and data protection procedures;
(c) access control policy;
(d) incident response procedure;
(e) vendor and Sub-processor review process;
(f) backup and retention procedure;
(g) acceptable use and customer data handling rules.

2. Confidentiality

Measures may include:
(a) confidentiality obligations for personnel and contractors;
(b) role-based access to Customer Content;
(c) need-to-know access principles;
(d) restrictions on sharing Customer Content outside approved systems.

3. Access Control

Measures may include:
(a) unique user accounts;
(b) role-based access control;
(c) least-privilege access;
(d) multi-factor authentication for administrative systems where feasible;
(e) periodic access review;
(f) prompt removal of access when personnel leave or no longer need access;
(g) separation of customer environments where applicable.

4. Authentication and Credential Security

Measures may include:
(a) strong password requirements;
(b) MFA for privileged accounts;
(c) secure storage of secrets and API keys;
(d) rotation of credentials where appropriate;
(e) restriction of shared accounts;
(f) secure handling of customer-provided credentials.

5. Encryption

Measures may include:
(a) encryption in transit using TLS or equivalent;
(b) encryption at rest where supported by hosting/storage providers;
(c) secure key management appropriate to the deployment model;
(d) encryption of backups where technically feasible.

6. Network and Infrastructure Security

Measures may include:
(a) firewalls or network security controls;
(b) secure configuration of servers and containers;
(c) limited administrative interfaces;
(d) patching of operating systems and dependencies;
(e) monitoring of exposed services;
(f) segmentation between environments where appropriate.

7. Logging and Monitoring

Measures may include:
(a) collection of system and security logs;
(b) monitoring of authentication events;
(c) monitoring of service health and performance;
(d) alerting for suspicious or abnormal activity where feasible;
(e) log retention appropriate to the Service and Agreement.

8. Vulnerability Management

Measures may include:
(a) periodic vulnerability scanning;
(b) dependency review and updates;
(c) patch management based on severity;
(d) review of security advisories;
(e) remediation tracking for material vulnerabilities.

9. Secure Development

Measures may include:
(a) version control;
(b) code review for material changes;
(c) separation of development and production environments where feasible;
(d) secure coding practices;
(e) testing before production release;
(f) protection of source code repositories.

10. Backups and Recovery

Measures may include:
(a) regular backups for production systems where applicable;
(b) backup restoration testing where appropriate;
(c) disaster recovery procedures proportional to the Service;
(d) retention periods documented in the Agreement or internal policy.

11. Data Retention and Deletion

Measures may include:
(a) deletion of Customer Content after termination or request, subject to backups and legal
    retention;
(b) documented retention periods for logs and backups;
(c) secure disposal of storage media where applicable;
(d) isolation of retained data where legally required.

12. Sub-processor Management

Measures may include:
(a) risk-based review of Sub-processors;
(b) written agreements with data protection obligations;
(c) maintenance of a Sub-processor List;
(d) review of Sub-processor security and privacy information where available.

13. Physical Security

Where XData uses third-party data centers or cloud providers, physical security is generally
provided by those providers. XData should select providers with reasonable physical security
controls appropriate to the risk.

14. Incident Response

Measures may include:
(a) internal incident response process;
(b) escalation contacts;
(c) investigation and containment steps;
(d) Customer notification process;
(e) post-incident review where appropriate.

15. AI-Specific Security and Privacy Measures

For AI Services, measures may include:
(a) control over which model providers are used;
(b) separation of Customer Content between customers;
(c) access controls for vector stores and knowledge bases;
(d) prompt and retrieval logging controls;
(e) filtering or restriction of sensitive inputs where configured;
(f) human review recommendations for high-impact outputs;
(g) documentation of AI data flows where appropriate;
(h) no intentional foundation model training on Customer Content unless agreed.

16. Customer-Hosted Deployments

For customer-hosted deployments, Customer is responsible for the infrastructure, network,
physical security, backup, endpoint, identity, and access controls under Customer's control,
unless otherwise agreed in writing. XData is responsible only for processing activities and
controls expressly performed by XData.


SCHEDULE 3 - INTERNATIONAL TRANSFER TERMS

1. European Economic Area

Where Personal Data is transferred from the EEA to a country without an adequacy decision,
the EU Standard Contractual Clauses adopted by the European Commission will apply as follows,
unless another lawful transfer mechanism applies:

(a) Module Two applies where Customer is Controller and XData is Processor.
(b) Module Three applies where Customer is Processor and XData is Sub-processor.
(c) Clause 7 optional docking clause: [SELECT: applies / does not apply].
(d) Clause 9 Sub-processor option: Option 2, with notice period as stated in Section 8.5.
(e) Clause 11 optional language: [SELECT: applies / does not apply].
(f) Clause 17 governing law: [SELECT EU MEMBER STATE LAW, e.g. Slovenia].
(g) Clause 18 forum: [SELECT COURTS, e.g. competent courts of Slovenia].
(h) Annex I is completed by Schedule 4.
(i) Annex II is completed by Schedule 2.
(j) Annex III is completed by the Sub-processor List.

2. Switzerland

For transfers from Switzerland, references in the EU SCCs to the GDPR will be interpreted as
references to Swiss data protection law where required. References to EU Member States will
be interpreted to include Switzerland where required. The competent authority and courts
should be specified in accordance with Swiss law.

3. United Kingdom

For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU
SCCs or another lawful UK transfer mechanism will apply where required.

4. Other Jurisdictions

For other jurisdictions, the parties will use lawful transfer mechanisms required by applicable
Data Protection Law.


SCHEDULE 4 - LIST OF PARTIES

A. Data Exporter / Controller / Processor

Name:
Customer as identified in the Agreement.

Address:
Customer address as identified in the Agreement or account.

Contact:
Customer privacy or legal contact as identified in the Agreement or account.

Activities relevant to the transfer:
Use of XData Services and processing of Customer Content under the Agreement.

Role:
Controller, or Processor where Customer processes Personal Data on behalf of another Controller.

Signature and date:
As set out in the Agreement, Order, electronic acceptance, or signed DPA.


B. Data Importer / Processor / Sub-processor

Name:
[XDATA LEGAL ENTITY NAME]

Address:
[XDATA REGISTERED ADDRESS]

Contact:
[INSERT XDATA PRIVACY CONTACT]

Activities relevant to the transfer:
Provision of XData Services, including hosting, AI processing, RAG/search/indexing,
automation, support, security, monitoring, and related processing under the Agreement.

Role:
Processor, or Sub-processor where Customer acts as Processor.

Signature and date:
As set out in the Agreement, Order, electronic acceptance, or signed DPA.

Image

Transforming organizations for the AI era through strategy, research, education and implementation.

SOLUTIONS

INSIGHTS

COMPANY

STAY INFORMED

Get the latest insights, research and frameworks delivered to your inbox.

EU Based & Compliant

GDPR • AI Act • ISO 42001

Secure & Sovereign

Your data. Your control.

Research Driven

Powered by Cognitio Labs

Proven Impact

Measurable results