July 9, 2026
July 9, 2026
1. INTRODUCTION
1.1. Purpose
XData respects the intellectual property rights of others and expects its customers, users,
visitors, partners, and authorized users to do the same.
This Copyright & Intellectual Property Policy ("Policy") explains how rights holders may
notify XData of alleged copyright, trademark, database right, trade secret, or other
intellectual property infringement involving XData services.
1.2. XData
This Policy applies to services provided by:
[XDATA LEGAL ENTITY NAME]
[XDATA REGISTERED ADDRESS]
Company registration number: [INSERT]
VAT ID: [INSERT]
Website: https://xdata.si
Legal contact: [INSERT LEGAL CONTACT EMAIL]
("XData", "we", "us", or "our").
1.3. Services Covered
This Policy applies to websites, SaaS services, AI tools, APIs, hosted content, customer
portals, documentation, demos, proofs of concept, managed deployments, knowledge systems,
search products, and other services made available by XData (collectively, the "Services").
1.4. Relationship to Other Terms
This Policy forms part of and should be read together with the applicable XData Terms of
Service, Software and AI Services Agreement, AI Terms, Acceptable Use Policy, Data Processing
Addendum, Privacy Policy, and any applicable Order, Proposal, Statement of Work, or written
agreement.
1.5. No Legal Determination
XData may review notices and take action where appropriate, but XData does not act as a court
or final legal decision-maker. Disputes about ownership, licensing, fair use, exceptions,
contractual rights, or infringement may need to be resolved directly between the parties or
by a competent court or authority.
2. USER RESPONSIBILITIES
2.1. Respect for Rights
You must not use the Services to upload, publish, transmit, generate, process, store, share,
index, or distribute content that infringes or misappropriates the intellectual property or
other rights of others.
This includes:
(a) copyright;
(b) trademarks;
(c) design rights;
(d) patents;
(e) trade secrets;
(f) database rights;
(g) moral rights;
(h) rights of publicity and personality;
(i) confidentiality rights;
(j) open-source license obligations;
(k) contractual restrictions.
2.2. Required Permissions
Before using content with the Services, you are responsible for ensuring that you have all
rights, licenses, permissions, consents, and legal bases needed for the intended use.
This applies to:
(a) text;
(b) images;
(c) audio;
(d) video;
(e) code;
(f) datasets;
(g) documents;
(h) logos;
(i) fonts;
(j) designs;
(k) prompts;
(l) embeddings;
(m) model outputs;
(n) third-party materials;
(o) customer or client materials.
2.3. AI Services
If you use XData AI Services, you are responsible for ensuring that both the input and your
use of the output comply with applicable intellectual property laws, third-party rights,
license terms, confidentiality obligations, and XData AI Terms.
AI-generated output may not be unique and may be similar to output generated for other users.
XData does not guarantee that AI-generated output is original, protectable, registrable,
non-infringing, or suitable for exclusive commercial use.
2.4. Open-Source Software
If you upload, generate, modify, distribute, or deploy software through the Services, you are
responsible for complying with all applicable open-source licenses, including attribution,
notice, copyleft, source availability, and redistribution obligations where applicable.
2.5. Third-Party Datasets and Model Materials
If you use third-party datasets, model weights, embeddings, templates, training materials,
scraped content, or knowledge bases with the Services, you are responsible for ensuring that
such use is lawful and permitted by applicable licenses, terms, and laws.
3. COPYRIGHT INFRINGEMENT NOTICES
3.1. When to Submit a Copyright Notice
If you are a copyright owner, or authorized to act on behalf of a copyright owner, and you
believe that content available through the Services infringes your copyright, you may submit
a copyright infringement notice to XData.
3.2. Where to Send a Copyright Notice
Copyright notices should be sent to:
XData Copyright / Legal Contact
Email: [INSERT COPYRIGHT OR LEGAL EMAIL]
Postal address: [INSERT POSTAL ADDRESS]
3.3. Required Information
To help XData review your notice, please include the following information:
(a) Your full legal name.
(b) If you act on behalf of a rights holder, the name of the rights holder and evidence that
you are authorized to act on their behalf.
(c) Your contact information, including mailing address, email address, and telephone number
if available.
(d) Identification of the copyrighted work you claim has been infringed. If multiple works are
involved, you may provide a representative list.
(e) Identification of the material you claim is infringing or the subject of infringing
activity.
(f) Information reasonably sufficient for XData to locate the material, such as:
- URL;
- account name;
- workspace name;
- project name;
- file name;
- screenshot;
- description of where the material appears;
- any other relevant identifier.
(g) A statement that you have a good-faith belief that the disputed use is not authorized by
the copyright owner, its agent, applicable license, or the law.
(h) A statement that the information in the notice is accurate and that you are the copyright
owner or authorized to act on behalf of the owner.
(i) Your electronic or physical signature.
3.4. Sample Copyright Notice Text
You may include the following statements in your notice:
"I have a good-faith belief that the disputed use of the copyrighted material is not
authorized by the copyright owner, its agent, applicable license, or the law."
"The information in this notice is accurate, and I am the owner of the copyright or authorized
to act on behalf of the owner of the copyright that is allegedly infringed."
3.5. Incomplete Notices
XData may be unable to act on incomplete, unclear, unsupported, automated, abusive, or
insufficient notices. XData may request additional information before taking action.
4. TRADEMARK INFRINGEMENT NOTICES
4.1. When to Submit a Trademark Notice
If you believe that a trademark, service mark, trade name, logo, or brand identifier that you
own or represent is being used through the Services in a way that constitutes trademark
infringement or unlawful passing off, you may submit a trademark infringement notice.
4.2. Required Information
Your trademark notice should include:
(a) Your full legal name.
(b) If you act on behalf of a rights holder, the name of the rights holder and evidence that
you are authorized to act on their behalf.
(c) Your contact information, including mailing address, email address, and telephone number
if available.
(d) Identification of the trademark or mark allegedly infringed.
(e) For registered trademarks, the registration number, jurisdiction, registration certificate,
or link to the relevant official trademark registry record.
(f) For unregistered marks, evidence sufficient to establish claimed rights, such as:
- description of use;
- goods or services associated with the mark;
- territory of use;
- duration of use;
- evidence of recognition or goodwill.
(g) Identification of the challenged use and information reasonably sufficient for XData to
locate it.
(h) A statement that you have not authorized the challenged use and have a good-faith belief
that the use is not authorized by law.
(i) A statement that the information in the notice is accurate and that you are the owner of
the mark or authorized to act on behalf of the owner.
(j) Your electronic or physical signature.
4.3. Sample Trademark Notice Text
You may include the following statements in your notice:
"I have not authorized the challenged use, and I have a good-faith belief that the challenged
use is not authorized by law."
"The information in this notice is accurate, and I am the owner of the trademark or authorized
to act on behalf of the owner of the trademark that is allegedly infringed."
5. OTHER INTELLECTUAL PROPERTY NOTICES
5.1. Other Rights Covered
If you believe that another intellectual property right is being infringed through the Services,
you may submit a notice. This may include:
(a) design rights;
(b) database rights;
(c) trade secrets;
(d) patents;
(e) moral rights;
(f) rights of publicity or personality;
(g) confidentiality rights;
(h) other rights recognized by applicable law.
5.2. Required Information
Your notice should include:
(a) Your full legal name.
(b) If you act on behalf of a rights holder, the name of the rights holder and evidence that
you are authorized to act on their behalf.
(c) Your contact information, including mailing address, email address, and telephone number
if available.
(d) Identification and description of the intellectual property right allegedly infringed.
(e) Evidence that you own or are authorized to enforce the right in the relevant jurisdiction.
(f) Identification of the challenged material or activity and information reasonably sufficient
for XData to locate it.
(g) A clear explanation of why you believe the challenged material or activity infringes your
rights.
(h) A statement that you have not authorized the challenged use and have a good-faith belief
that the use is not authorized by law.
(i) A statement that the information in the notice is accurate and that you are the owner of
the right or authorized to act on behalf of the owner.
(j) Your electronic or physical signature.
6. XDATA REVIEW AND ACTIONS
6.1. Review
Upon receiving a notice, XData may review the notice and the challenged material or activity.
XData may request additional information, reject incomplete notices, notify the user who
provided the challenged material, or take action where XData considers it appropriate.
6.2. Possible Actions
Depending on the circumstances, XData may take one or more of the following actions:
(a) remove or disable access to challenged material;
(b) restrict indexing, publication, sharing, or distribution;
(c) quarantine content;
(d) suspend a workspace, account, API key, integration, or service;
(e) notify the customer or user who provided the material;
(f) request counter-information;
(g) preserve relevant logs or evidence;
(h) terminate repeat infringers;
(i) refuse to act where the notice is unsupported, abusive, incomplete, or legally insufficient;
(j) take any other action permitted by the Customer Agreement or applicable law.
6.3. No Obligation to Monitor
Unless required by applicable law or expressly agreed in writing, XData does not undertake a
general obligation to monitor all Customer Content for infringement.
6.4. Customer-Hosted Deployments
For customer-hosted or self-hosted deployments, XData may not have access to or control over
the challenged material. In such cases, XData may refer the complainant to the customer or
may take only the actions technically and contractually available to XData.
6.5. Search, Indexing, and RAG Systems
If the Services include search, indexing, RAG, embeddings, or knowledge base functionality,
XData may restrict, delete, de-index, or disable access to challenged content where appropriate.
Customer remains responsible for the legality of content and data sources connected to such
systems.
6.6. AI Outputs
If a complaint concerns AI-generated output, XData may review the specific output, the related
Input where available and legally permitted, relevant logs, model/provider configuration, and
Customer's use of the output. XData does not guarantee that all AI outputs can be reproduced,
verified, or traced to a specific source.
7. COUNTER-NOTICES AND DISPUTES
7.1. Counter-Notice
If your content was removed, disabled, or restricted because of an IP complaint and you believe
the action was mistaken or that you have the right to use the material, you may submit a
counter-notice to XData.
7.2. Counter-Notice Requirements
Your counter-notice should include:
(a) Your full legal name.
(b) Your contact information, including mailing address, email address, and telephone number
if available.
(c) Identification of the material that was removed, disabled, or restricted.
(d) Information reasonably sufficient for XData to identify the original complaint and the
affected material.
(e) A clear explanation of why you believe the material was removed or restricted by mistake,
or why you have the right to use the material.
(f) Any evidence supporting your position, such as a license, authorization, ownership proof,
exception, limitation, fair use/fair dealing argument, or other legal basis.
(g) A statement that the information in the counter-notice is accurate.
(h) Your electronic or physical signature.
7.3. Forwarding Counter-Notice
XData may forward your counter-notice to the original complainant. XData may restore the
material, keep it restricted, request further information, or take other action depending on
the circumstances, contractual obligations, legal risk, and applicable law.
7.4. Direct Resolution
XData may encourage the complainant and the affected user to resolve the dispute directly,
especially where the dispute involves complex ownership, licensing, contractual, fair use,
fair dealing, employment, agency, or commercial issues.
7.5. Court or Authority Orders
XData may comply with court orders, regulator decisions, settlement agreements, or other
legally binding instructions regarding disputed material.
8. ABUSE OF THE NOTICE PROCESS
8.1. Improper Notices
You must not submit false, misleading, abusive, automated, bad-faith, or improper infringement
notices.
8.2. Consequences
XData may reject notices, suspend accounts, terminate access, refuse future notices, or take
other appropriate action against users or complainants who abuse the notice process.
8.3. Repeat False Notices
XData may disable or terminate accounts of users who repeatedly submit improper or false
notices, or who use the notice process to harass, silence, disrupt, or unfairly pressure
others.
9. REPEAT INFRINGERS
9.1. Repeat-Infringer Policy
XData may, in appropriate circumstances and at its discretion, disable, restrict, or terminate
accounts of users who repeatedly infringe, are repeatedly the subject of valid infringement
complaints, or repeatedly upload, publish, generate, or distribute infringing material.
9.2. Factors Considered
XData may consider:
(a) number of notices;
(b) validity of notices;
(c) severity of alleged infringement;
(d) user response;
(e) counter-notices;
(f) repeat behavior;
(g) evidence of bad faith;
(h) risk to XData, customers, users, rights holders, or third parties.
10. OPEN-SOURCE SOFTWARE AND ATTRIBUTION
10.1. Use of Open-Source Components by XData
XData may use open-source software, libraries, frameworks, models, tools, and components in
the Services. Where required, XData will provide notices, license information, or attribution
for open-source components.
10.2. Open-Source Notices
Open-source notices, if published, may be available at:
[INSERT OPEN-SOURCE NOTICES URL]
10.3. Customer Use of Open Source
Customer is responsible for complying with open-source license obligations for any code,
models, datasets, libraries, or components that Customer uploads, connects, generates,
modifies, distributes, or deploys using the Services.
10.4. AI-Generated Code
AI-generated code may require review for quality, security, licensing, originality, and
third-party rights. Customer is responsible for reviewing AI-generated code before use,
publication, distribution, or deployment.
11. XDATA TRADEMARKS AND BRAND ASSETS
11.1. XData Marks
XData names, logos, product names, designs, graphics, icons, slogans, and brand assets are
owned by XData or its licensors.
11.2. Use of XData Marks
You may not use XData marks or brand assets without prior written permission, except where
permitted by law or by XData's published brand guidelines.
11.3. No Misleading Association
You must not use XData marks in a way that suggests sponsorship, endorsement, partnership,
certification, or affiliation with XData unless XData has expressly authorized such use.
12. LANGUAGE
12.1. Translations
Any translation of this Policy may be provided for convenience only. Unless XData expressly
states otherwise, the English language version prevails over versions in other languages.
12.2. Slovenian Version
If XData publishes a Slovenian version and states that it is authoritative for Slovenian
customers, the Slovenian version may prevail for those customers to the extent stated by
XData.
13. QUESTIONS AND CONTACT
13.1. Questions
Questions about this Policy may be sent to:
[INSERT LEGAL OR COPYRIGHT EMAIL]
13.2. Copyright and IP Notices
Copyright, trademark, and other intellectual property notices should be sent to:
[INSERT COPYRIGHT / IP CONTACT EMAIL]
13.3. Abuse Reports
Abuse reports unrelated to intellectual property should be sent to:
[INSERT ABUSE CONTACT EMAIL]
13.4. Privacy Notices
Privacy and data protection notices should be sent to:
[INSERT PRIVACY CONTACT EMAIL]
July 9, 2026
1. INTRODUCTION
1.1. Parties
These XData AI Terms ("AI Terms") are entered into between the customer, client, user,
subscriber, organization, or legal entity using XData AI features ("Customer", "you", or
"your") and:
[XDATA LEGAL ENTITY NAME]
[XDATA REGISTERED ADDRESS]
Company registration number: [INSERT]
VAT ID: [INSERT]
Email: [INSERT LEGAL EMAIL]
Website: https://xdata.si
("XData", "we", "us", or "our").
1.2. Incorporation into Customer Agreement
These AI Terms are incorporated into and form part of Customer's applicable agreement with
XData, including any Terms of Service, Software and AI Services Agreement, Master Services
Agreement, Order Form, Proposal, Statement of Work, Data Processing Addendum, or online
subscription terms (the "Customer Agreement").
1.3. Order of Precedence
If these AI Terms conflict with the Customer Agreement regarding use of AI Services, these
AI Terms will prevail to the extent of the conflict, unless a signed enterprise agreement,
Order Form, or Statement of Work expressly states otherwise.
If these AI Terms conflict with the Data Processing Addendum regarding processing of Personal
Data, the Data Processing Addendum will prevail for data protection matters.
1.4. Scope
These AI Terms govern Customer's access to and use of AI-enabled features, AI systems,
AI models, AI agents, AI workflows, AI-generated outputs, AI credits, AI usage units,
AI APIs, retrieval systems, embedding systems, model routing, prompt processing, AI search,
RAG systems, knowledge systems, automation systems, and other artificial intelligence or
machine learning functionality made available by XData (collectively, "AI Services").
1.5. Enterprise and Custom AI Services
Where XData provides custom AI advisory, implementation, managed infrastructure, private
deployment, customer-hosted AI, sovereign AI architecture, AI governance, AI education,
or professional services, additional or different terms may apply in the relevant Order,
Proposal, Statement of Work, or Enterprise Agreement.
2. ACCESS TO AI SERVICES
2.1. Access Right
Subject to the Customer Agreement, these AI Terms, and the applicable Order, XData grants
Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable right to
access and use the AI Services for Customer's permitted internal business purposes.
2.2. Authorized Users
Customer may allow Authorized Users to use AI Services through Customer's account or deployment.
Customer is responsible for all use of AI Services by its Authorized Users.
2.3. Acceptable Use
Customer must use AI Services in accordance with:
(a) these AI Terms;
(b) the Customer Agreement;
(c) XData Acceptable Use Policy;
(d) XData Privacy Policy;
(e) XData Data Processing Addendum, where applicable;
(f) applicable laws and regulations;
(g) applicable third-party AI provider usage policies where relevant.
2.4. Availability
AI Services may depend on third-party model providers, cloud providers, API providers,
open-source models, customer infrastructure, network connectivity, compute capacity, rate
limits, or service availability. XData does not guarantee uninterrupted or error-free access
unless expressly stated in the applicable Order or service level agreement.
2.5. Beta and Experimental AI Features
AI Services made available as beta, preview, early access, experimental, demo, prototype,
or proof-of-concept features may be changed, limited, suspended, or withdrawn at any time.
They may contain errors, produce unexpected outputs, or be unsuitable for production use
unless XData expressly agrees otherwise in writing.
3. INPUT, OUTPUT, AND OWNERSHIP
3.1. Input
Customer may provide or make available prompts, instructions, messages, files, documents,
images, audio, video, code, datasets, database records, knowledge bases, configuration,
metadata, embeddings, connected sources, integrations, or other content to AI Services
("Input").
3.2. Output
AI Services may generate, return, summarize, classify, transform, extract, recommend, search,
retrieve, route, draft, translate, analyze, code, configure, or otherwise produce text,
images, data, documents, code, configuration, metadata, recommendations, decisions, or other
materials based on Input ("Output").
3.3. Customer Content
Input and Output are Customer Content, subject to the Customer Agreement, these AI Terms,
third-party rights, open-source licenses, and applicable law.
3.4. Customer Ownership
As between Customer and XData, Customer retains all right, title, and interest in Customer's
Input. To the extent permitted by applicable law and subject to the Customer Agreement,
Customer owns or may use Output generated for Customer through the AI Services.
3.5. XData Ownership
XData retains all right, title, and interest in the AI Services, XData software, systems,
interfaces, source code, prompts, workflows, model routing logic, orchestration logic,
templates, methodologies, architecture, documentation, evaluation frameworks, monitoring
systems, improvements, know-how, and XData intellectual property.
3.6. No Transfer of XData Technology
Customer does not receive any ownership rights in XData technology, AI Services, models,
software, prompts, templates, workflows, system instructions, orchestration logic, or other
XData intellectual property unless expressly agreed in writing.
3.7. Similar Outputs
Due to the nature of AI systems, Output may be the same as or similar to output generated for
other customers or users. XData does not guarantee that Output is unique, exclusive,
registrable, protectable, non-infringing, or suitable for exclusive commercial use.
3.8. Third-Party Rights
Customer is responsible for reviewing Output for potential third-party rights, including
copyright, trademark, database rights, personality rights, privacy rights, open-source license
obligations, and confidentiality obligations before using or publishing Output.
4. USE OF CUSTOMER CONTENT FOR TRAINING
4.1. No Training by Default
Unless expressly agreed in writing or enabled by Customer through a clear administrative
setting, XData will not intentionally use Customer Content to train foundation models,
general-purpose AI models, or AI models made generally available to other customers.
4.2. Optional Training or Improvement Settings
If XData provides a setting allowing Customer to permit use of Customer Content for model
training or service improvement, Customer may enable or disable that setting according to
the available controls. Customer is responsible for ensuring that any such setting is enabled
only where Customer has a lawful basis and appropriate authority.
4.3. Effect of Disabling Training
If Customer disables an optional content training setting, new Customer Content and new edits
created after the setting is disabled will not be intentionally used by XData for training
foundation models or general-purpose AI models made available to other customers, unless
otherwise required by law or expressly agreed in writing.
4.4. Operational Use
The restrictions on training do not prevent XData from using Customer Content, Usage Data,
logs, telemetry, system metadata, error reports, security events, performance data, or
de-identified and aggregated data as necessary to:
(a) provide AI Services;
(b) operate and secure the Services;
(c) route requests to models;
(d) debug and troubleshoot errors;
(e) detect abuse and security threats;
(f) monitor reliability and performance;
(g) comply with law;
(h) improve non-customer-specific service quality using aggregated or de-identified data.
4.5. Third-Party Model Providers
Where AI Services use third-party model providers, their data handling practices may apply as
described in the Customer Agreement, DPA, Subprocessor List, Service description, or applicable
provider terms. XData will use commercially reasonable efforts to configure third-party AI
providers so that Customer Content is not used for provider-side training where such controls
are available and required by the applicable Order.
5. CONTROLLING AI SETTINGS
5.1. Administrative Settings
XData may provide administrative settings to manage AI functionality, such as:
(a) enabling or disabling AI features;
(b) selecting model providers;
(c) selecting deployment region;
(d) enabling or disabling external model calls;
(e) enabling or disabling logging;
(f) setting usage limits;
(g) setting budget limits;
(h) enabling or disabling AI training or improvement settings;
(i) managing knowledge bases and connected sources;
(j) controlling user access.
5.2. Customer Responsibility
Customer is responsible for configuring AI settings appropriately for its organization,
users, risk profile, data categories, regulatory obligations, and intended use cases.
5.3. Administrative Authority
Customer's administrators may change AI settings on behalf of Customer. Customer is responsible
for actions taken by administrators and Authorized Users.
5.4. Settings Availability
Available AI settings may vary by product, plan, deployment type, region, provider, and
technical architecture. Some settings may not be available for all AI Services.
6. AI LIMITATIONS
6.1. Nature of AI Output
Output is generated by artificial intelligence, machine learning, retrieval systems,
automation workflows, or statistical models. Output may be inaccurate, incomplete, outdated,
biased, unsafe, misleading, offensive, or unsuitable for Customer's intended use.
6.2. No Verification by XData
Unless expressly agreed in writing, XData does not verify Output for accuracy, completeness,
quality, legality, reliability, non-infringement, safety, or suitability.
6.3. No Warranty for Output
XData makes no warranty or guarantee regarding Output, including:
(a) accuracy;
(b) completeness;
(c) reliability;
(d) originality;
(e) uniqueness;
(f) non-infringement;
(g) legality;
(h) suitability for a particular purpose;
(i) compliance with Customer's policies;
(j) compliance with industry-specific regulation.
6.4. Human Review
Customer is responsible for evaluating Output before relying on it, publishing it, sharing it,
using it in production, using it in customer-facing contexts, or making decisions based on it.
Customer should apply appropriate human review, professional review, testing, validation,
and approval processes.
6.5. No Professional Advice
AI Services do not provide legal, medical, financial, tax, employment, insurance, investment,
cybersecurity certification, regulatory, or other professional advice unless expressly agreed
in writing and supported by qualified professionals. Customer must not rely on AI Output as
professional advice without qualified human review.
6.6. High-Impact Decisions
Customer must not use AI Services to make fully automated decisions that produce legal,
financial, employment, educational, housing, healthcare, insurance, credit, migration,
law enforcement, or similarly significant effects on individuals without appropriate legal
basis, human oversight, risk management, documentation, and compliance controls.
6.7. Regulated and High-Risk AI
Customer must not use AI Services for high-risk, safety-critical, regulated, prohibited,
or restricted AI use cases unless such use is expressly agreed in writing and supported by
appropriate technical, organizational, legal, governance, human oversight, data protection,
and risk management controls.
6.8. Customer Evaluation
Customer is responsible for determining whether AI Services and Outputs are suitable for
Customer's use case, sector, risk profile, data categories, regulatory obligations, and
business requirements.
7. AI ACCEPTABLE USE RULES
7.1. Prohibited Uses
Customer must not use AI Services to:
(a) violate applicable law;
(b) infringe intellectual property, privacy, publicity, confidentiality, or other rights;
(c) create or distribute malware, phishing, credential theft, exploit instructions, or
cyber abuse;
(d) generate fraudulent, deceptive, impersonating, defamatory, harassing, hateful, or abusive
content;
(e) manipulate, deceive, or exploit individuals;
(f) create unlawful surveillance, social scoring, biometric identification, or discriminatory
systems;
(g) process regulated, sensitive, or special categories of data without lawful basis and
appropriate safeguards;
(h) bypass security, safety, usage, budget, or access controls;
(i) generate spam, scams, fake reviews, fraudulent communications, or misleading claims;
(j) violate export control or sanctions laws;
(k) use AI Services for unlawful weapons, harmful substances, or other dangerous activities;
(l) intentionally overload or abuse AI Services or model providers.
7.2. Sensitive Data
Customer must not submit Special Categories of Personal Data, children's data, health data,
criminal offence data, biometric data, trade secrets, regulated client data, classified data,
payment card data, government identifiers, or other sensitive data unless the applicable
Customer Agreement expressly permits such processing and appropriate safeguards are in place.
7.3. Customer Policies
Customer is responsible for ensuring that its use of AI Services complies with Customer's
own internal policies, industry standards, contractual obligations, and regulatory requirements.
7.4. Suspension
XData may suspend or restrict AI Services if XData reasonably believes Customer's use violates
these AI Terms, creates security or legal risk, violates third-party provider policies,
generates excessive costs, or may harm XData, other customers, third parties, or the public.
8. AI CREDITS, USAGE UNITS, AND BILLING
8.1. AI Usage Units
XData may measure AI usage using credits, tokens, requests, seats, compute time, storage,
index size, embeddings, bandwidth, model calls, agent runs, automation runs, or other usage
units ("AI Usage Units").
8.2. Included Usage
Some plans may include a defined amount of AI Usage Units. Included usage may be assigned to
individual users, pooled across an organization, limited by product, limited by time period,
or limited by specific AI features.
8.3. AI Usage Subscription
Customer may purchase an AI usage subscription that provides additional AI Usage Units during
the applicable subscription period. Unless otherwise stated in the applicable Order, AI Usage
Units refresh at the start of each billing period and do not roll over.
8.4. Pay-As-You-Go Usage
If Customer enables or agrees to pay-as-you-go AI usage, Customer is responsible for AI Usage
Units consumed by Customer and its Authorized Users. Pay-as-you-go charges may be billed in
arrears on a monthly, quarterly, or other basis stated in the applicable Order.
8.5. Usage Order
Unless otherwise stated in the applicable Order, AI Usage Units may be consumed in the
following order:
(a) included user-specific usage;
(b) included organization-level usage;
(c) prepaid AI usage subscription;
(d) pay-as-you-go usage.
8.6. Budget Controls
Where available, Customer may configure budgets, caps, alerts, or limits for AI usage.
Customer remains responsible for usage incurred before limits take effect, for usage allowed
by administrators, and for usage caused by Customer integrations or Authorized Users.
8.7. Pricing Changes
XData may change AI usage pricing prospectively. For paid recurring subscriptions, XData will
use reasonable efforts to provide advance notice of material AI pricing changes before they
apply to existing subscriptions, unless changes are caused by third-party provider pricing,
urgent operational requirements, legal changes, or abuse prevention.
8.8. Expiration
Unless otherwise stated in the applicable Order, AI Usage Units:
(a) do not represent legal tender, currency, stored value, or electronic money;
(b) are not redeemable for cash;
(c) are not transferable;
(d) may be used only for the applicable AI Services;
(e) expire at the end of the applicable billing or usage period;
(f) do not roll over.
8.9. Refunds
Unless otherwise stated in the applicable Order or required by law, unused AI Usage Units are
not refundable. If Customer is entitled to a refund for an AI usage subscription, the refund
will be based on the unused time remaining in the subscription term, not on unused AI Usage
Units.
8.10. Third-Party Costs
AI Services may generate costs from third-party model providers, cloud providers, vector
databases, search systems, storage, compute, APIs, and other infrastructure. Customer is
responsible for such costs where stated in the applicable Order or where incurred through
Customer's usage, settings, integrations, or instructions.
9. DATA PROTECTION AND PRIVACY
9.1. Personal Data in AI Services
If Customer submits Personal Data to AI Services, XData will process such Personal Data in
accordance with the applicable Data Processing Addendum where XData acts as Processor or
Sub-processor.
9.2. Customer Responsibilities
Customer is responsible for:
(a) determining whether Personal Data may be used with AI Services;
(b) establishing a lawful basis for processing;
(c) providing notices to Data Subjects;
(d) obtaining consents where required;
(e) responding to Data Subject requests;
(f) conducting data protection impact assessments where required;
(g) implementing human oversight where required;
(h) ensuring that AI usage complies with GDPR, the EU AI Act, and other applicable laws.
9.3. Data Minimization
Customer should avoid submitting unnecessary Personal Data to AI Services and should apply
data minimization, pseudonymization, anonymization, redaction, access controls, and retention
limits where appropriate.
9.4. AI Logs
AI Services may create logs containing prompts, outputs, metadata, usage information, model
routing information, errors, safety events, and security events. Such logs may be used to
provide, secure, troubleshoot, monitor, and improve the Services, subject to the Customer
Agreement, DPA, and applicable law.
9.5. Data Location
Unless expressly stated in the applicable Order, XData does not guarantee that AI processing
will occur exclusively in the EU/EEA. EU-only, Slovenia-only, customer-hosted, private cloud,
dedicated, sovereign, or restricted-provider processing must be expressly agreed in the
applicable Order.
10. THIRD-PARTY AI PROVIDERS AND OPEN-SOURCE MODELS
10.1. Third-Party Providers
AI Services may use third-party AI model providers, cloud infrastructure providers, API
providers, search providers, analytics providers, monitoring providers, open-source models,
or other service providers.
10.2. Provider Terms
Customer acknowledges that third-party providers may impose their own terms, usage policies,
technical limits, safety policies, rate limits, data handling terms, and availability
constraints.
10.3. Model Changes
XData may change, replace, route, upgrade, downgrade, or remove AI models or providers used
to deliver AI Services, provided that such changes do not materially reduce contracted core
functionality during the applicable term, unless required for security, compliance, provider
availability, cost control, or abuse prevention.
10.4. Open-Source Models
Where AI Services use open-source models or open-source components, such models and components
may be subject to their applicable open-source or model licenses. Customer is responsible for
complying with any license obligations that apply to Customer's use of delivered models,
weights, code, or components, if such materials are provided to Customer.
10.5. Customer-Provided Models
If Customer provides or selects models, APIs, keys, infrastructure, or providers, Customer is
responsible for the legality, security, licensing, cost, availability, and configuration of
those models, APIs, keys, infrastructure, or providers.
11. AI GOVERNANCE AND EU AI ACT
11.1. Role Allocation
The parties should identify in the applicable Order whether XData acts as a provider,
deployer, importer, distributor, product manufacturer, authorized representative, or other
role under the EU AI Act or other applicable AI laws. Unless expressly agreed in writing,
Customer is responsible for deployment decisions, intended use, end-user notices, human
oversight, risk classification, and regulatory compliance relating to Customer's use of AI
Services.
11.2. Intended Use
Customer must use AI Services only for the intended use described in the applicable Order,
documentation, or Service description. Customer must not materially modify intended use or
deploy AI Services in a higher-risk context without prior written agreement.
11.3. Prohibited AI Practices
Customer must not use AI Services for prohibited AI practices under applicable law, including
unlawful manipulation, exploitation of vulnerabilities, social scoring, certain biometric
identification or categorization uses, or other prohibited practices.
11.4. High-Risk AI Systems
Customer must not use AI Services as part of a high-risk AI system unless:
(a) the applicable Order expressly permits such use;
(b) the parties agree role allocation;
(c) required risk management, data governance, technical documentation, logging, transparency,
human oversight, accuracy, robustness, cybersecurity, monitoring, and conformity assessment
obligations are addressed;
(d) appropriate legal review has been completed.
11.5. Documentation
XData may provide available technical, security, and data flow documentation reasonably needed
for Customer's AI governance obligations, subject to confidentiality, security, trade secret,
and third-party restrictions.
11.6. Monitoring and Incident Reporting
Customer is responsible for monitoring its deployment and use of AI Services and for reporting
serious incidents or regulatory issues where Customer is legally required to do so, unless
otherwise agreed in writing.
12. INDEMNITY, DISCLAIMERS, AND LIMITATION OF LIABILITY
12.1. Customer Responsibility
Customer is responsible for:
(a) Input;
(b) use of Output;
(c) Customer's AI workflows;
(d) Customer's deployment of AI Services;
(e) Customer's decisions based on AI Services;
(f) Customer's legal and regulatory compliance;
(g) Customer's use of third-party models, systems, or integrations.
12.2. Disclaimers
AI Services and Output are provided subject to the disclaimers in the Customer Agreement and
these AI Terms. To the maximum extent permitted by law, XData disclaims all warranties relating
to AI Output, including accuracy, reliability, completeness, originality, non-infringement,
fitness for purpose, and suitability for regulated or high-impact use.
12.3. Limitation of Liability
XData's liability for AI Services and Output is limited as set out in the Customer Agreement.
If the Customer Agreement does not contain a liability cap, XData's total aggregate liability
arising out of or relating to AI Services will not exceed the greater of:
(a) EUR 100; or
(b) the fees paid by Customer to XData for the affected AI Services during the 12 months before
the event giving rise to liability.
12.4. No Liability for Customer Use of Output
To the maximum extent permitted by law, XData will not be liable for Customer's use of Output,
Customer's failure to review Output, Customer's decisions based on Output, or errors,
omissions, inaccuracies, or unsuitable content in Output.
13. CHANGES TO AI TERMS
13.1. Updates
XData may update these AI Terms from time to time in the same manner that XData may update
the Customer Agreement.
13.2. Notice of Material Changes
For material changes affecting paid AI Services, XData will use reasonable efforts to provide
advance notice before the changes take effect, unless changes are required for legal,
security, provider, operational, or abuse-prevention reasons.
13.3. Continued Use
Customer's continued use of AI Services after updated AI Terms take effect constitutes
acceptance of the updated AI Terms.
14. MISCELLANEOUS
14.1. Definitions from Customer Agreement
Capitalized terms used but not defined in these AI Terms have the meaning given in the
Customer Agreement.
14.2. Suspension for Provider or Legal Reasons
XData may suspend, restrict, or modify AI Services if required by law, third-party provider
terms, model provider availability, security concerns, abuse prevention, or risk management.
14.3. No Waiver
Failure to enforce any provision of these AI Terms is not a waiver of that provision.
14.4. Severability
If any provision of these AI Terms is invalid or unenforceable, the remaining provisions will
remain in effect, and the invalid provision will be modified to the minimum extent necessary
to make it valid and enforceable.
14.5. Survival
Sections concerning Customer Content, training, AI limitations, ownership, data protection,
billing obligations, third-party providers, AI governance, disclaimers, limitation of liability,
and miscellaneous provisions survive termination of AI Services.
15. DEFINITIONS
15.1. "AI Services" has the meaning given in Section 1.4.
15.2. "AI Usage Units" has the meaning given in Section 8.1.
15.3. "Authorized User" means an employee, contractor, administrator, agent, or other person
authorized by Customer to access or use the AI Services.
15.4. "Customer Agreement" has the meaning given in Section 1.2.
15.5. "Customer Content" means Input, Output, and other content, data, files, documents,
prompts, messages, code, configurations, knowledge bases, embeddings, and materials submitted
to, generated through, or processed by the AI Services.
15.6. "Input" has the meaning given in Section 3.1.
15.7. "Output" has the meaning given in Section 3.2.
15.8. "Personal Data" has the meaning given in the Data Processing Addendum or applicable
Data Protection Law.
15.9. "Special Categories of Personal Data" has the meaning given in the Data Processing
Addendum or applicable Data Protection Law.
July 9, 2026
1. INTRODUCTION
1.1. Parties
This Data Processing Addendum ("Addendum" or "DPA") forms part of the agreement between
the customer, client, subscriber, or organization using XData services ("Customer") and:
[XDATA LEGAL ENTITY NAME]
[XDATA REGISTERED ADDRESS]
Company registration number: [INSERT]
VAT ID: [INSERT]
Email: [INSERT LEGAL OR PRIVACY EMAIL]
Website: https://xdata.si
("XData", "we", "us", or "our").
1.2. Purpose
This DPA governs the processing of Personal Data by XData on behalf of Customer in connection
with Customer's use of XData services, software, AI systems, advisory services, managed
infrastructure, integrations, APIs, knowledge systems, automation workflows, proofs of concept,
and other services described in the applicable agreement, order, proposal, statement of work,
or online terms (collectively, the "Services").
1.3. Incorporation
This DPA is incorporated into and forms part of the applicable agreement between XData and
Customer, including any Terms of Service, Software and AI Services Agreement, Master Services
Agreement, Order Form, Proposal, Statement of Work, or other written agreement governing the
Services (the "Agreement").
1.4. Order of Precedence
If there is a conflict between this DPA and the Agreement regarding the processing of Personal
Data, this DPA will prevail to the extent of the conflict. If there is a conflict between
the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail
to the extent required by applicable Data Protection Law.
1.5. Scope
This DPA applies only where XData processes Personal Data on behalf of Customer as a Processor
or Sub-processor. It does not apply where XData processes Personal Data as an independent
Controller, such as for XData account administration, billing, security, legal compliance,
business communications, website analytics, sales operations, or marketing, unless otherwise
agreed in writing.
2. DEFINITIONS
2.1. "Agreement" means the applicable agreement between XData and Customer governing the
Services.
2.2. "Authorized User" means an employee, contractor, administrator, agent, or other person
authorized by Customer to access or use the Services.
2.3. "Controller" means the natural or legal person, public authority, agency, or other body
which, alone or jointly with others, determines the purposes and means of the processing of
Personal Data.
2.4. "Customer Content" means data, files, documents, prompts, messages, logs, text, code,
images, audio, video, configurations, records, knowledge bases, embeddings, metadata, and
other materials that Customer or its Authorized Users upload, submit, provide, generate,
connect, or make available to the Services.
2.5. "Customer Instructions" means Customer's documented instructions for processing Personal
Data, including:
(a) the Agreement;
(b) this DPA;
(c) the applicable Order, Proposal, or Statement of Work;
(d) Customer's configuration and use of the Services;
(e) written instructions provided by Customer and accepted by XData.
2.6. "Data Protection Law" means all data protection and privacy laws applicable to the
processing of Personal Data under this DPA, including, where applicable, Regulation (EU)
2016/679 (General Data Protection Regulation, "GDPR"), national data protection laws of EU/EEA
Member States, the Slovenian Personal Data Protection Act, the ePrivacy Directive and
implementing laws, the UK GDPR, the UK Data Protection Act 2018, and other applicable privacy
or data protection laws.
2.7. "Data Subject" means an identified or identifiable natural person to whom Personal Data
relates.
2.8. "Personal Data" means any information relating to an identified or identifiable natural
person, and any other information that is treated as personal data, personal information, or
personally identifiable information under applicable Data Protection Law.
2.9. "Processing" or "process" means any operation or set of operations performed on Personal
Data, whether or not by automated means, including collection, recording, organization,
structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission,
alignment, combination, restriction, erasure, or destruction.
2.10. "Processor" means the entity that processes Personal Data on behalf of a Controller.
2.11. "Security Incident" means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed
by XData or its Sub-processors on behalf of Customer.
2.12. "Services" means XData services described in the Agreement.
2.13. "Special Categories of Personal Data" means Personal Data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership, genetic
data, biometric data for the purpose of uniquely identifying a person, health data, data
concerning a person's sex life or sexual orientation, and any other sensitive category under
applicable Data Protection Law.
2.14. "Sub-processor" means a third party engaged by XData to process Personal Data on behalf
of Customer in connection with the Services.
2.15. "Supervisory Authority" means an independent public authority established by an EU/EEA
Member State or other applicable jurisdiction responsible for monitoring application of Data
Protection Law.
3. ROLES OF THE PARTIES
3.1. Customer Role
Customer is the Controller of Personal Data processed under this DPA, unless Customer acts as
a Processor on behalf of another Controller. If Customer acts as a Processor, then XData acts
as Customer's Sub-processor.
3.2. XData Role
XData will act as Processor or Sub-processor for Personal Data contained in Customer Content
and processed on behalf of Customer in connection with the Services.
3.3. Customer Responsibilities
Customer is responsible for:
(a) determining the purposes and means of processing Personal Data;
(b) ensuring that Customer Instructions comply with Data Protection Law;
(c) having a valid legal basis for processing Personal Data;
(d) providing required notices to Data Subjects;
(e) obtaining required consents where applicable;
(f) ensuring Customer Content is lawful, accurate, and appropriate for the Services;
(g) ensuring that Customer has the right to provide Personal Data to XData;
(h) evaluating whether the Services are suitable for the intended processing;
(i) determining whether a data protection impact assessment is required;
(j) ensuring any AI-related use of Personal Data complies with applicable law.
3.4. XData Responsibilities
XData will process Personal Data only:
(a) in accordance with Customer Instructions;
(b) as necessary to provide, secure, support, maintain, improve, and operate the Services;
(c) as necessary to investigate Security Incidents or prevent abuse;
(d) as required by applicable law.
3.5. Notice of Unlawful Instructions
XData will inform Customer if, in XData's reasonable opinion, a Customer Instruction infringes
Data Protection Law, unless XData is prohibited from doing so by applicable law.
4. PROCESSING OF PERSONAL DATA
4.1. Description of Processing
The subject matter, duration, nature, purpose, categories of Data Subjects, categories of
Personal Data, and Sub-processor transfers are described in Schedule 1.
4.2. Customer Instructions
The Agreement, this DPA, the applicable Order, and Customer's use and configuration of the
Services constitute Customer's complete and final documented instructions to XData for the
processing of Personal Data, unless the parties agree otherwise in writing.
4.3. Additional Instructions
Customer may provide additional written instructions where required by Data Protection Law.
XData will comply with reasonable additional instructions where technically and commercially
feasible. If additional instructions require material changes, additional costs, or additional
services, the parties may agree on fees, timelines, and technical scope.
4.4. Confidentiality
XData will ensure that persons authorized to process Personal Data are subject to appropriate
confidentiality obligations, whether contractual, statutory, or professional.
4.5. No Sale of Personal Data
XData will not sell Personal Data processed on behalf of Customer and will not process such
Personal Data for XData's own commercial purposes except as permitted by the Agreement, this
DPA, Customer Instructions, or Data Protection Law.
4.6. No Training of Foundation Models by Default
Unless expressly agreed in writing or enabled by Customer through a clear setting, XData will
not intentionally use Personal Data contained in Customer Content to train foundation models
or general-purpose AI models made available to other customers.
This does not prevent XData from processing operational logs, telemetry, performance data,
security events, aggregated data, or de-identified data to provide, secure, troubleshoot,
maintain, and improve the Services, provided such processing complies with applicable law.
5. AI-SPECIFIC DATA PROCESSING
5.1. AI Services
Some Services may use AI models, large language models, embedding models, retrieval systems,
classification systems, agents, workflow automation, or other AI-enabled components
("AI Services").
5.2. Customer Responsibility for AI Inputs
Customer is responsible for ensuring that prompts, files, documents, datasets, instructions,
knowledge bases, and other AI inputs do not contain Personal Data unless Customer has a lawful
basis and the applicable Agreement permits such processing.
5.3. Special Categories and High-Risk Data
Customer must not submit Special Categories of Personal Data, criminal offence data, children's
data, secrets, confidential client data, health data, biometric data, or other regulated data
to AI Services unless:
(a) the processing is expressly permitted in the applicable Order or DPA;
(b) Customer has a valid legal basis;
(c) appropriate safeguards are implemented;
(d) the parties agree any required additional terms.
5.4. AI Model Providers
AI Services may rely on third-party model providers, APIs, cloud infrastructure, open-source
models, customer-hosted models, or XData-managed models. The applicable Order, Subprocessor
List, or Service description should identify material AI-related Sub-processors where required
by Data Protection Law.
5.5. AI Outputs
AI-generated outputs may contain Personal Data if Personal Data was included in inputs,
connected sources, retrieval systems, prompts, or Customer Content. Customer is responsible
for reviewing outputs before using, publishing, storing, or acting on them.
5.6. Retrieval and Knowledge Systems
Where XData provides RAG, knowledge base, search, indexing, embeddings, or document
intelligence Services, Personal Data may be extracted, chunked, embedded, indexed, stored,
retrieved, summarized, transformed, or combined with other Customer Content for the purpose
of providing the Services.
5.7. Human Review
Customer is responsible for ensuring appropriate human review, access control, logging,
governance, and risk management when AI Services are used for decisions affecting individuals
or for regulated, high-impact, or business-critical workflows.
6. SECURITY MEASURES
6.1. Technical and Organizational Measures
XData will implement and maintain appropriate technical and organizational measures designed
to protect Personal Data against accidental or unlawful destruction, loss, alteration,
unauthorized disclosure, or access, taking into account the nature, scope, context, and
purposes of processing, the state of the art, implementation costs, and risks to Data Subjects.
6.2. Security Measures Description
The current technical and organizational measures are described in Schedule 2. XData may update
those measures from time to time, provided that updates do not materially reduce the overall
level of protection for Personal Data during the applicable term.
6.3. Customer Security Responsibilities
Customer is responsible for:
(a) securing Customer accounts and credentials;
(b) managing Authorized Users and access rights;
(c) configuring permissions and integrations;
(d) enabling available security controls such as MFA or SSO where appropriate;
(e) protecting Customer systems, endpoints, networks, repositories, and connected services;
(f) ensuring that data shared with the Services is appropriate and lawful;
(g) reviewing logs and alerts where available.
6.4. Security Certifications
Unless expressly stated in an applicable Order, XData does not represent that it holds any
specific security certification, including SOC 2, ISO 27001, ISO 27018, ISO 42001, or similar
certifications.
7. SECURITY INCIDENTS
7.1. Notification
XData will notify Customer without undue delay after becoming aware of a confirmed Security
Incident affecting Personal Data processed on behalf of Customer. Where feasible and required
by applicable law, XData will aim to notify Customer within 72 hours after becoming aware of
the Security Incident.
7.2. Content of Notice
To the extent reasonably available, XData's notice may include:
(a) a description of the nature of the Security Incident;
(b) categories and approximate number of affected Data Subjects;
(c) categories and approximate number of affected records;
(d) likely consequences;
(e) measures taken or proposed to address the Security Incident;
(f) measures recommended to Customer;
(g) contact point for follow-up.
7.3. Investigation and Remediation
XData will use commercially reasonable efforts to investigate, mitigate, contain, and remediate
Security Incidents within XData's reasonable control.
7.4. No Admission
Notification of a Security Incident is not an admission of fault, liability, or violation by
XData.
8. SUB-PROCESSORS
8.1. General Authorization
Customer generally authorizes XData to engage Sub-processors to process Personal Data in
connection with the Services, including XData affiliates, hosting providers, infrastructure
providers, AI model providers, email providers, analytics providers, monitoring providers,
identity providers, support tools, payment processors, and other service providers.
8.2. Sub-processor Agreements
XData will enter into written agreements with Sub-processors that impose data protection
obligations materially equivalent to those required by this DPA, to the extent applicable to
the nature of the services provided by the Sub-processor.
8.3. Liability for Sub-processors
XData remains responsible for the performance of its Sub-processors to the extent required by
Data Protection Law and the Agreement.
8.4. Sub-processor List
XData should maintain an up-to-date list of material Sub-processors at:
[INSERT SUBPROCESSOR LIST URL]
The list should identify, where appropriate:
(a) Sub-processor name;
(b) service function;
(c) processing location or region;
(d) type of data processed;
(e) applicable transfer mechanism.
8.5. Notification of Changes
XData will provide notice of new or replacement Sub-processors by updating the Sub-processor
List, email notice, account notice, or another reasonable method. Unless otherwise stated in
the Agreement, XData will use reasonable efforts to provide at least 15 days' notice before a
new Sub-processor begins processing Personal Data on behalf of Customer.
8.6. Objection Right
Customer may object to a new Sub-processor during the notice period on reasonable data
protection grounds. The parties will discuss commercially reasonable alternatives in good
faith. If no resolution is reached, Customer may terminate the affected Services as its sole
remedy, unless otherwise required by Data Protection Law.
9. ASSISTANCE AND COOPERATION
9.1. Data Subject Requests
Taking into account the nature of processing and the information available to XData, XData
will provide reasonable assistance to Customer to enable Customer to respond to requests from
Data Subjects exercising their rights under Data Protection Law, where Customer cannot
reasonably fulfill the request using self-service functionality or Customer's own systems.
9.2. Data Protection Impact Assessments
Taking into account the nature of processing and the information available to XData, XData
will provide reasonable assistance to Customer with data protection impact assessments and
prior consultations with Supervisory Authorities, where required by Data Protection Law.
9.3. Government and Third-Party Requests
If XData receives a legally binding request from a public authority, law enforcement agency,
regulator, court, or other third party for disclosure of Personal Data processed on behalf of
Customer, XData will, where legally permitted:
(a) promptly notify Customer;
(b) refer the requesting party to Customer;
(c) use reasonable efforts to challenge unlawful, disproportionate, or overbroad requests;
(d) disclose only the Personal Data legally required.
9.4. Compliance Information
XData will make available information reasonably necessary to demonstrate compliance with this
DPA, subject to confidentiality, security, legal, and operational restrictions.
10. DELETION AND RETURN
10.1. Customer Controls
During the term of the Agreement, Customer may delete, export, correct, or retrieve Customer
Content where the Services provide self-service functionality.
10.2. End of Services
At the end of the provision of Services involving processing of Personal Data, XData will,
at Customer's choice and subject to technical feasibility, delete or return Personal Data
processed on behalf of Customer within a reasonable period, unless applicable law requires
retention.
10.3. Default Deletion Period
Unless otherwise stated in the Agreement or required by law, XData will delete Customer Content
from active systems within 30 days after termination or confirmed deletion request, where
technically feasible.
10.4. Backups
Personal Data may remain in backups, archives, logs, or disaster recovery systems for a
limited period according to XData's retention and backup policies. During this period, XData
will protect such data from active processing except as necessary for restoration, security,
legal compliance, or deletion.
10.5. Legal Retention
XData may retain Personal Data where required by law, regulation, court order, tax obligations,
audit obligations, dispute resolution, fraud prevention, or legitimate security purposes,
subject to confidentiality and processing restrictions.
11. AUDIT
11.1. Documentation-Based Audit
Upon Customer's reasonable written request, XData will provide information reasonably necessary
to demonstrate compliance with this DPA, such as security summaries, policy summaries,
Sub-processor information, architecture descriptions, data flow descriptions, or other
available documentation.
11.2. On-Site or Remote Audit
Only where Customer's audit requirements under Data Protection Law cannot reasonably be
satisfied through documentation, Customer may request an audit of XData's relevant processing
activities. Any audit must:
(a) be limited to processing of Personal Data under this DPA;
(b) be subject to confidentiality obligations;
(c) be conducted during regular business hours;
(d) be preceded by at least 45 days' written notice;
(e) occur no more than once per year unless required by a Supervisory Authority or following
a confirmed Security Incident;
(f) avoid unnecessary disruption to XData operations;
(g) not compromise security, confidentiality, trade secrets, other customers' data, or
third-party rights;
(h) be conducted at Customer's expense unless otherwise required by law.
11.3. Third-Party Auditors
Customer's appointed auditor must be independent, qualified, and not a direct competitor of
XData. XData may object to an auditor on reasonable grounds.
11.4. Audit Findings
Customer must provide XData with a copy of audit findings relating to XData. The parties will
discuss any material findings in good faith.
12. INTERNATIONAL DATA TRANSFERS
12.1. EEA Processing
Where the Services are configured for EU/EEA processing and XData processes Personal Data
within the EU/EEA, XData will use reasonable efforts to maintain processing within the agreed
region, subject to the Agreement, Sub-processor List, and technical architecture.
12.2. Transfers Outside the EEA
Where Personal Data is transferred from the European Economic Area, Switzerland, or the United
Kingdom to a country that is not recognized as providing an adequate level of protection,
the parties will use a valid transfer mechanism, such as:
(a) the EU Standard Contractual Clauses;
(b) the UK International Data Transfer Addendum or UK International Data Transfer Agreement;
(c) Swiss amendments to the EU Standard Contractual Clauses;
(d) an adequacy decision;
(e) another lawful transfer mechanism under Data Protection Law.
12.3. Transfer Impact Assessments
Where required by Data Protection Law, the parties will cooperate reasonably in relation to
transfer impact assessments, taking into account the nature of the Services, the transfer
mechanism, technical safeguards, Sub-processors, and data categories.
12.4. Customer-Hosted Deployments
For customer-hosted or self-hosted deployments, Customer may control the hosting location and
international transfer architecture. XData's responsibility is limited to the processing
activities performed by XData under the Agreement.
13. REGION-SPECIFIC TERMS
13.1. European Economic Area
For Personal Data subject to GDPR:
(a) Customer acts as Controller and XData acts as Processor, unless Customer acts as Processor
and XData acts as Sub-processor.
(b) XData will comply with Article 28 GDPR processor obligations applicable to its role.
(c) If EU SCCs apply, Module Two applies for Controller-to-Processor transfers and Module
Three applies for Processor-to-Processor transfers.
(d) The competent Supervisory Authority should be determined based on the parties' roles,
establishment, and applicable law. For XData established in Slovenia, this may be the
Information Commissioner of the Republic of Slovenia, unless another authority is competent.
13.2. United Kingdom
For Personal Data subject to UK GDPR, the parties will apply an appropriate UK transfer
mechanism where required, such as the UK Addendum to the EU SCCs or the UK IDTA.
13.3. Switzerland
For Personal Data subject to Swiss data protection law, the parties will interpret the EU SCCs
as required under Swiss law where applicable.
13.4. Other Regions
If other regional privacy laws apply, the parties will comply with their respective obligations
under those laws and may enter into additional terms where required.
14. DATA PROTECTION CONTACTS
14.1. XData Contact
Privacy and data protection notices should be sent to:
[XDATA PRIVACY CONTACT NAME OR ROLE]
Email: [INSERT PRIVACY EMAIL]
Address: [INSERT ADDRESS]
14.2. Customer Contact
Customer's privacy contact is the contact identified in the Agreement, account, Order, or
other written notice provided to XData.
14.3. Data Protection Officer
XData's Data Protection Officer, if appointed, is:
[INSERT DPO DETAILS OR "Not appointed unless required by applicable law"]
15. RECORDS AND COMPLIANCE
15.1. Records
XData will maintain records of processing activities where required by Data Protection Law.
15.2. Personnel Training
XData will take reasonable steps to ensure that personnel involved in processing Personal Data
receive appropriate confidentiality, privacy, and security awareness instructions or training.
15.3. Policies
XData will maintain appropriate internal policies and procedures for information security,
access control, incident response, confidentiality, data retention, and vendor management,
taking into account the size, nature, and risk profile of XData's operations.
15.4. AI Governance
Where XData provides AI Services, XData should maintain reasonable AI governance practices
appropriate to the Service, which may include documentation, model/provider review, access
control, logging, prompt and data handling rules, testing, and human oversight guidance.
SCHEDULE 1 - DESCRIPTION OF PROCESSING
1. Subject Matter
Processing of Personal Data contained in Customer Content for the purpose of providing,
securing, supporting, maintaining, improving, and operating the Services under the Agreement.
2. Duration
For the term of the Agreement and any additional period required for deletion, return, backup
retention, legal retention, dispute resolution, or compliance with applicable law.
3. Frequency of Processing
Continuous or as otherwise required to provide the Services.
4. Nature of Processing
Depending on the Services, processing may include:
(a) collection;
(b) storage;
(c) hosting;
(d) transmission;
(e) retrieval;
(f) indexing;
(g) search;
(h) classification;
(i) embedding generation;
(j) summarization;
(k) transformation;
(l) analysis;
(m) enrichment;
(n) automation;
(o) logging;
(p) monitoring;
(q) backup;
(r) deletion;
(s) support access;
(t) incident investigation.
5. Purpose of Processing
Processing Personal Data as necessary to:
(a) provide the Services;
(b) manage accounts and users;
(c) host Customer Content;
(d) operate AI, search, RAG, automation, and analytics functions;
(e) integrate with Customer systems;
(f) provide support and troubleshooting;
(g) maintain security and prevent abuse;
(h) monitor performance and reliability;
(i) comply with Customer Instructions;
(j) comply with applicable law.
6. Categories of Data Subjects
Depending on Customer's use of the Services, Data Subjects may include:
(a) Customer's employees;
(b) Customer's contractors;
(c) Customer's administrators and Authorized Users;
(d) Customer's customers, prospects, leads, or end users;
(e) website visitors;
(f) support users;
(g) business contacts;
(h) suppliers and partners;
(i) applicants and candidates;
(j) individuals mentioned in Customer documents or datasets;
(k) other individuals whose Personal Data is included in Customer Content.
7. Categories of Personal Data
Depending on Customer's use of the Services, Personal Data may include:
(a) names;
(b) email addresses;
(c) phone numbers;
(d) job titles;
(e) organization names;
(f) account identifiers;
(g) usernames;
(h) IP addresses;
(i) device and browser data;
(j) authentication and access logs;
(k) usage logs;
(l) support communications;
(m) uploaded documents;
(n) business records;
(o) prompts and messages;
(p) free-text content;
(q) metadata;
(r) images or media files;
(s) code or configuration files containing identifiers;
(t) any other Personal Data included by Customer in Customer Content.
8. Special Categories of Personal Data
XData does not intend to receive or process Special Categories of Personal Data unless
expressly agreed in writing. Customer must not submit Special Categories of Personal Data
unless the Agreement permits such processing and appropriate safeguards are in place.
9. Criminal Offence Data
XData does not intend to receive or process criminal offence data unless expressly agreed in
writing and permitted by applicable law.
10. Children's Data
XData does not intend to receive or process children's Personal Data unless expressly agreed
in writing and permitted by applicable law.
11. AI-Specific Processing Activities
Where AI Services are used, processing may include:
(a) prompt processing;
(b) context retrieval;
(c) document chunking;
(d) embedding generation;
(e) vector storage;
(f) semantic search;
(g) model inference;
(h) model routing;
(i) output generation;
(j) evaluation;
(k) safety filtering;
(l) workflow automation;
(m) human review support;
(n) logging for security, debugging, and observability.
12. Sub-processors
Personal Data may be transferred to Sub-processors as described in the Sub-processor List
and Section 8 of this DPA.
SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES
The measures below are a draft baseline. They should be verified against actual XData
implementation before publication.
1. Governance and Policies
XData should maintain internal policies and procedures appropriate to its size and risk
profile, including:
(a) information security policy;
(b) privacy and data protection procedures;
(c) access control policy;
(d) incident response procedure;
(e) vendor and Sub-processor review process;
(f) backup and retention procedure;
(g) acceptable use and customer data handling rules.
2. Confidentiality
Measures may include:
(a) confidentiality obligations for personnel and contractors;
(b) role-based access to Customer Content;
(c) need-to-know access principles;
(d) restrictions on sharing Customer Content outside approved systems.
3. Access Control
Measures may include:
(a) unique user accounts;
(b) role-based access control;
(c) least-privilege access;
(d) multi-factor authentication for administrative systems where feasible;
(e) periodic access review;
(f) prompt removal of access when personnel leave or no longer need access;
(g) separation of customer environments where applicable.
4. Authentication and Credential Security
Measures may include:
(a) strong password requirements;
(b) MFA for privileged accounts;
(c) secure storage of secrets and API keys;
(d) rotation of credentials where appropriate;
(e) restriction of shared accounts;
(f) secure handling of customer-provided credentials.
5. Encryption
Measures may include:
(a) encryption in transit using TLS or equivalent;
(b) encryption at rest where supported by hosting/storage providers;
(c) secure key management appropriate to the deployment model;
(d) encryption of backups where technically feasible.
6. Network and Infrastructure Security
Measures may include:
(a) firewalls or network security controls;
(b) secure configuration of servers and containers;
(c) limited administrative interfaces;
(d) patching of operating systems and dependencies;
(e) monitoring of exposed services;
(f) segmentation between environments where appropriate.
7. Logging and Monitoring
Measures may include:
(a) collection of system and security logs;
(b) monitoring of authentication events;
(c) monitoring of service health and performance;
(d) alerting for suspicious or abnormal activity where feasible;
(e) log retention appropriate to the Service and Agreement.
8. Vulnerability Management
Measures may include:
(a) periodic vulnerability scanning;
(b) dependency review and updates;
(c) patch management based on severity;
(d) review of security advisories;
(e) remediation tracking for material vulnerabilities.
9. Secure Development
Measures may include:
(a) version control;
(b) code review for material changes;
(c) separation of development and production environments where feasible;
(d) secure coding practices;
(e) testing before production release;
(f) protection of source code repositories.
10. Backups and Recovery
Measures may include:
(a) regular backups for production systems where applicable;
(b) backup restoration testing where appropriate;
(c) disaster recovery procedures proportional to the Service;
(d) retention periods documented in the Agreement or internal policy.
11. Data Retention and Deletion
Measures may include:
(a) deletion of Customer Content after termination or request, subject to backups and legal
retention;
(b) documented retention periods for logs and backups;
(c) secure disposal of storage media where applicable;
(d) isolation of retained data where legally required.
12. Sub-processor Management
Measures may include:
(a) risk-based review of Sub-processors;
(b) written agreements with data protection obligations;
(c) maintenance of a Sub-processor List;
(d) review of Sub-processor security and privacy information where available.
13. Physical Security
Where XData uses third-party data centers or cloud providers, physical security is generally
provided by those providers. XData should select providers with reasonable physical security
controls appropriate to the risk.
14. Incident Response
Measures may include:
(a) internal incident response process;
(b) escalation contacts;
(c) investigation and containment steps;
(d) Customer notification process;
(e) post-incident review where appropriate.
15. AI-Specific Security and Privacy Measures
For AI Services, measures may include:
(a) control over which model providers are used;
(b) separation of Customer Content between customers;
(c) access controls for vector stores and knowledge bases;
(d) prompt and retrieval logging controls;
(e) filtering or restriction of sensitive inputs where configured;
(f) human review recommendations for high-impact outputs;
(g) documentation of AI data flows where appropriate;
(h) no intentional foundation model training on Customer Content unless agreed.
16. Customer-Hosted Deployments
For customer-hosted deployments, Customer is responsible for the infrastructure, network,
physical security, backup, endpoint, identity, and access controls under Customer's control,
unless otherwise agreed in writing. XData is responsible only for processing activities and
controls expressly performed by XData.
SCHEDULE 3 - INTERNATIONAL TRANSFER TERMS
1. European Economic Area
Where Personal Data is transferred from the EEA to a country without an adequacy decision,
the EU Standard Contractual Clauses adopted by the European Commission will apply as follows,
unless another lawful transfer mechanism applies:
(a) Module Two applies where Customer is Controller and XData is Processor.
(b) Module Three applies where Customer is Processor and XData is Sub-processor.
(c) Clause 7 optional docking clause: [SELECT: applies / does not apply].
(d) Clause 9 Sub-processor option: Option 2, with notice period as stated in Section 8.5.
(e) Clause 11 optional language: [SELECT: applies / does not apply].
(f) Clause 17 governing law: [SELECT EU MEMBER STATE LAW, e.g. Slovenia].
(g) Clause 18 forum: [SELECT COURTS, e.g. competent courts of Slovenia].
(h) Annex I is completed by Schedule 4.
(i) Annex II is completed by Schedule 2.
(j) Annex III is completed by the Sub-processor List.
2. Switzerland
For transfers from Switzerland, references in the EU SCCs to the GDPR will be interpreted as
references to Swiss data protection law where required. References to EU Member States will
be interpreted to include Switzerland where required. The competent authority and courts
should be specified in accordance with Swiss law.
3. United Kingdom
For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU
SCCs or another lawful UK transfer mechanism will apply where required.
4. Other Jurisdictions
For other jurisdictions, the parties will use lawful transfer mechanisms required by applicable
Data Protection Law.
SCHEDULE 4 - LIST OF PARTIES
A. Data Exporter / Controller / Processor
Name:
Customer as identified in the Agreement.
Address:
Customer address as identified in the Agreement or account.
Contact:
Customer privacy or legal contact as identified in the Agreement or account.
Activities relevant to the transfer:
Use of XData Services and processing of Customer Content under the Agreement.
Role:
Controller, or Processor where Customer processes Personal Data on behalf of another Controller.
Signature and date:
As set out in the Agreement, Order, electronic acceptance, or signed DPA.
B. Data Importer / Processor / Sub-processor
Name:
[XDATA LEGAL ENTITY NAME]
Address:
[XDATA REGISTERED ADDRESS]
Contact:
[INSERT XDATA PRIVACY CONTACT]
Activities relevant to the transfer:
Provision of XData Services, including hosting, AI processing, RAG/search/indexing,
automation, support, security, monitoring, and related processing under the Agreement.
Role:
Processor, or Sub-processor where Customer acts as Processor.
Signature and date:
As set out in the Agreement, Order, electronic acceptance, or signed DPA.
July 9, 2026
1. INTRODUCTION
1.1. Parties
These Terms of Service ("Terms") are entered into between the customer, visitor, user,
or entity using the Services ("Customer", "you", or "your") and:
[XDATA LEGAL ENTITY NAME]
[XDATA REGISTERED ADDRESS]
Company registration number: [INSERT]
VAT ID: [INSERT]
Email: [INSERT LEGAL OR SUPPORT EMAIL]
Website: https://xdata.si
("XData", "we", "us", or "our").
1.2. Scope
These Terms govern access to and use of websites, portals, online services, software
products, AI-enabled tools, proofs of concept, demos, APIs, documentation, downloads,
and other digital services made available by XData (collectively, the "Services").
Where Customer enters into a separate written order form, statement of work, master
services agreement, enterprise software agreement, data processing agreement, or other
written agreement with XData, that separate agreement may supplement or override these
Terms to the extent expressly stated in that agreement.
1.3. Acceptance
By accessing or using the Services, creating an account, accepting an order, clicking
an acceptance button, or otherwise indicating acceptance, Customer agrees to be bound by
these Terms.
If an individual uses the Services on behalf of an organization, that individual represents
that they have authority to bind that organization. If the individual does not have such
authority, or does not agree with these Terms, they must not use the Services on behalf of
that organization.
1.4. Enterprise Customers
XData may provide enterprise services under a separate agreement. Enterprise services may
include AI strategy, advisory, custom AI implementation, managed infrastructure, knowledge
systems, RAG systems, LLM gateway configuration, workflow automation, training, governance,
data protection support, or other professional services. If there is a conflict between these
Terms and a signed enterprise agreement, the signed enterprise agreement will prevail.
2. SERVICES
2.1. Access to Services
Subject to these Terms and any applicable Order, XData grants Customer a limited,
non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the
Services for Customer's internal business purposes or permitted personal purposes, depending
on the nature of the Service and the applicable plan.
2.2. Service Descriptions
XData may provide, among other things:
- AI strategy and advisory services.
- AI readiness, governance, transformation, and education services.
- AI-enabled software products, prototypes, and proofs of concept.
- RAG, knowledge base, and document intelligence solutions.
- LLM gateway, agent, and workflow automation solutions.
- Secure search, analytics, monitoring, and data platform services.
- Open, modular, and vendor-independent architecture consulting.
- Managed, self-hosted, hybrid, or customer-hosted deployments.
- Documentation, templates, training materials, and technical resources.
Specific deliverables, service levels, support obligations, hosting locations, data handling
commitments, and security commitments apply only if they are expressly stated in the relevant
Order, proposal, statement of work, or written agreement.
2.3. Changes to Services
XData may improve, update, modify, suspend, discontinue, or replace features of the Services.
For paid Services, XData will use reasonable efforts to avoid material degradation of core
functionality during the applicable subscription or project term. If XData permanently
discontinues a paid Service during a prepaid term and does not provide a substantially similar
replacement, Customer may be entitled to a pro-rata refund of prepaid unused fees, unless
otherwise agreed in writing.
2.4. Beta, Demo, Trial, and Experimental Services
XData may offer beta, demo, trial, early access, experimental, or proof-of-concept Services.
Such Services are provided for evaluation only, may contain errors, may be changed or withdrawn
at any time, and may not be suitable for production use unless XData expressly confirms
otherwise in writing.
3. WHO MAY USE THE SERVICES
3.1. Legal Age
Customer may use the Services only if Customer is legally permitted to enter into these Terms
under applicable law.
3.2. AI Features
AI-enabled Services may be used only by individuals who are legally permitted to use such
services and, where required by applicable law or the applicable Service description, are at
least 18 years old.
3.3. Organization Accounts
If Customer creates or uses an organization account, Customer is responsible for the actions
of its authorized users, administrators, employees, contractors, agents, and other persons
who access the Services through Customer's account ("Authorized Users").
4. ACCOUNT MANAGEMENT
4.1. Account Information
Customer must provide accurate, current, and complete account, billing, domain, organization,
and contact information, and must keep that information up to date.
4.2. Administrators
Customer may appoint one or more account administrators. Administrators may manage users,
configure settings, approve purchases, access Customer Content, manage integrations, and
take other actions on Customer's behalf.
4.3. User Credentials
Each user account is personal to the individual user. Credentials must not be shared.
Customer is responsible for maintaining the confidentiality of usernames, passwords, API keys,
tokens, and other access credentials.
4.4. Security Controls
Where available, Customer should enable multi-factor authentication, single sign-on, access
reviews, least-privilege permissions, and appropriate administrative controls. XData is not
responsible for losses that could reasonably have been prevented by Customer's failure to use
available security controls.
5. ACCEPTABLE USE
5.1. General Restrictions
Customer must not, and must not encourage or assist others to:
(a) reverse engineer, decompile, disassemble, or attempt to discover the source code,
underlying structure, algorithms, models, prompts, system logic, or technical design of the
Services, except to the extent such restriction is not permitted by law;
(b) copy, modify, resell, sublicense, rent, lend, distribute, or otherwise make the Services
available to third parties, except as expressly permitted by XData;
(c) remove proprietary notices or misrepresent the source of the Services;
(d) interfere with, overload, disrupt, scan, attack, bypass, or compromise the Services or
related systems;
(e) use the Services to develop competing services by unauthorized copying, benchmarking,
scraping, or extraction of non-public features, documentation, prompts, workflows, or system
behavior;
(f) access the Services in violation of export control, sanctions, public procurement,
anti-corruption, data protection, cybersecurity, or other applicable laws;
(g) use the Services to process, store, transmit, or generate illegal, harmful, infringing,
abusive, deceptive, or malicious content;
(h) upload malware, exploit code, credential dumps, stolen data, or content that violates
third-party rights;
(i) attempt to bypass usage limits, payment obligations, licensing restrictions, access
controls, or security measures.
5.2. AI-Specific Restrictions
Customer must not use AI-enabled Services:
(a) to make fully automated high-impact decisions about individuals without appropriate
human review and legal basis;
(b) to generate or deploy unlawful surveillance, biometric identification, social scoring,
manipulative, discriminatory, or otherwise prohibited AI systems;
(c) to produce or distribute misleading, fraudulent, impersonating, defamatory, or deceptive
content;
(d) to provide medical, legal, financial, employment, housing, insurance, credit, law
enforcement, migration, education access, or similarly high-impact decisions without
qualified human review and compliance controls;
(e) to intentionally generate harmful code, phishing, credential theft, evasion instructions,
or cyber abuse;
(f) to upload or process special categories of personal data, confidential client data,
classified information, or regulated data unless Customer has a lawful basis and the applicable
Order or DPA permits such processing.
5.3. Suspension
XData may suspend or limit access to the Services if XData reasonably believes that Customer
has violated these Terms, poses a security risk, creates legal or operational risk, fails to
pay fees, or uses the Services in a way that may harm XData, other customers, third parties,
or the public.
6. CUSTOMER CONTENT
6.1. Ownership
As between Customer and XData, Customer retains ownership of applications, files, prompts,
documents, data, text, images, code, configurations, knowledge bases, outputs selected by
Customer, and other materials uploaded to, submitted to, generated through, or developed using
the Services ("Customer Content"), subject to XData's rights in the Services and any third-party
rights.
6.2. License to Provide the Services
Customer grants XData a limited right to host, process, transmit, copy, display, analyze,
secure, debug, back up, and otherwise use Customer Content solely as necessary to provide,
maintain, secure, support, improve, and operate the Services, comply with law, and perform
the activities contemplated by these Terms or the applicable Order.
6.3. Customer Responsibility
Customer is responsible for Customer Content, including its accuracy, legality, quality,
integrity, permissions, intellectual property rights, data protection compliance, and suitability
for use with the Services.
6.4. No Training by Default
Unless otherwise stated in an applicable Order, DPA, AI Policy, or explicit customer setting,
XData will not intentionally use Customer Content to train foundation models made generally
available to other customers. This does not prevent XData from using de-identified and
aggregated usage data, security logs, system telemetry, or operational data to operate,
secure, troubleshoot, and improve the Services.
6.5. Third-Party AI Providers
Some AI-enabled Services may use third-party model providers, infrastructure providers, APIs,
or open-source components. The applicable Order, DPA, Subprocessor List, or Service description
should identify material third-party providers where required. Customer acknowledges that
third-party providers may impose their own technical limits, acceptable use rules, availability
constraints, and data processing terms.
7. AI OUTPUTS AND HUMAN REVIEW
7.1. Nature of AI Outputs
AI-generated outputs may be inaccurate, incomplete, outdated, biased, unsafe, or unsuitable
for Customer's intended use. AI outputs should not be treated as verified facts, professional
advice, legal opinions, medical advice, financial advice, security guarantees, or final
business decisions unless reviewed by qualified humans.
7.2. Customer Review
Customer is responsible for evaluating AI outputs before relying on them, publishing them,
making decisions based on them, or integrating them into production workflows.
7.3. No Guarantee of Uniqueness
AI outputs may be similar or identical to outputs generated for other users or customers.
XData does not guarantee that AI outputs are unique, registrable, protectable, non-infringing,
or suitable for exclusive use.
7.4. High-Risk and Regulated Uses
Customer must not use the Services for high-risk, regulated, or safety-critical AI use cases
unless such use is expressly agreed in writing and supported by appropriate governance,
risk management, documentation, testing, human oversight, data protection, and compliance
controls.
8. DATA PROTECTION AND PRIVACY
8.1. Privacy Policy
XData's Privacy Policy explains how XData collects, uses, stores, and protects personal data
in connection with the Services. The Privacy Policy is available at:
[INSERT PRIVACY POLICY URL]
8.2. Data Processing Agreement
Where XData processes personal data on behalf of Customer as a processor, the parties will
enter into or be bound by XData's Data Processing Agreement ("DPA"), available at:
[INSERT DPA URL]
If no DPA is available online, the parties should sign a separate DPA before processing
Customer-controlled personal data.
8.3. Customer Responsibilities
Customer is responsible for determining whether Customer has a lawful basis for processing
personal data, for providing required notices to data subjects, for obtaining required consents,
for responding to data subject requests where applicable, and for ensuring that Customer's
use of the Services complies with GDPR and other applicable privacy laws.
8.4. Security Measures
XData will implement reasonable technical and organizational measures designed to protect
Customer Content against unauthorized access, loss, misuse, alteration, or disclosure. Specific
security commitments apply only if stated in the applicable Order, DPA, security exhibit, or
written agreement.
8.5. Security Incidents
If XData becomes aware of a confirmed security incident affecting Customer Content or personal
data processed on behalf of Customer, XData will notify Customer without undue delay and will
provide information reasonably available to XData, taking into account the nature of the
incident, legal requirements, and security constraints.
8.6. Data Location
Unless expressly stated in an applicable Order or DPA, XData does not guarantee that all
processing will occur exclusively in the European Union or European Economic Area. If Customer
requires EU-only, Slovenia-only, sovereign, private cloud, customer-hosted, or dedicated
infrastructure processing, this must be expressly agreed in the applicable Order.
8.7. Subprocessors
XData may use third-party service providers and subprocessors to provide the Services.
XData should maintain a list of material subprocessors at:
[INSERT SUBPROCESSOR URL]
XData remains responsible for its subprocessors to the extent required by applicable law and
the applicable DPA.
9. USAGE DATA, ANALYTICS, AND FEEDBACK
9.1. Usage Data
XData may collect and analyze technical logs, metadata, telemetry, diagnostics, security
events, performance information, feature usage, and similar operational data ("Usage Data").
Usage Data does not include Customer Content itself, except where necessary for security,
support, debugging, compliance, or provision of the Services.
9.2. Aggregated and De-Identified Data
XData may use aggregated or de-identified Usage Data to operate, secure, maintain, improve,
benchmark, and develop the Services, provided such data does not identify Customer or any
individual.
9.3. Feedback
If Customer provides suggestions, comments, ideas, bug reports, improvement requests, or
other feedback ("Feedback"), Customer grants XData a worldwide, royalty-free, perpetual,
irrevocable right to use Feedback to improve, develop, market, and operate XData products
and services, without restriction or compensation.
10. THIRD-PARTY SERVICES AND OPEN-SOURCE COMPONENTS
10.1. Third-Party Services
The Services may interoperate with third-party services, platforms, APIs, model providers,
cloud providers, analytics tools, identity providers, repositories, communication tools, or
customer systems. XData is not responsible for third-party services unless expressly stated
in the applicable Order.
10.2. Customer Integrations
Customer is responsible for authorizing, configuring, securing, and maintaining integrations
with Customer's own systems, repositories, data sources, credentials, APIs, and services.
10.3. Open-Source Software
Some Services may include, integrate with, or be built upon open-source software. Open-source
software is licensed under its applicable open-source license. Nothing in these Terms limits
Customer's rights under applicable open-source licenses.
11. BILLING, FEES, AND PAYMENT
11.1. Fees
Customer will pay all fees specified in the applicable Order, online checkout, subscription
plan, proposal, statement of work, or invoice.
11.2. Subscriptions
If Customer purchases a subscription, the subscription may renew automatically on a monthly,
annual, or other periodic basis, as stated at purchase or in the applicable Order. Customer is
responsible for cancelling renewal before the renewal date if Customer does not wish to renew.
11.3. Payment Authorization
Customer authorizes XData or its payment processor to charge Customer's payment method for
fees, renewals, usage-based charges, upgrades, additional seats, AI usage, credits, storage,
support, professional services, and other purchases authorized by Customer.
11.4. Late Payment
If Customer fails to pay amounts when due, XData may suspend or terminate access to paid
Services, charge late payment interest where permitted by law, recover collection costs, and
use other remedies available under the applicable Order or law.
11.5. Taxes
Fees are exclusive of VAT, sales tax, withholding tax, duties, levies, and similar taxes unless
expressly stated otherwise. Customer is responsible for applicable taxes, except taxes based
on XData's income.
11.6. Withholding
If Customer is required by law to withhold amounts from payments to XData, Customer must
gross up payments where legally permitted so that XData receives the full amount invoiced,
unless otherwise agreed in writing.
11.7. Refunds
Unless otherwise stated in the applicable Order or required by law, fees are non-refundable,
and purchased quantities, seats, credits, service hours, or subscriptions cannot be decreased
during the applicable term.
11.8. Usage-Based AI Costs
Some AI-enabled Services may involve usage-based costs, including model tokens, AI credits,
compute, storage, search indexing, embeddings, bandwidth, or third-party API calls. Customer
is responsible for usage-based charges generated by Customer or its Authorized Users, unless
otherwise agreed in writing.
12. CONFIDENTIALITY
12.1. Confidential Information
"Confidential Information" means non-public business, technical, financial, product, security,
commercial, customer, operational, or other information disclosed by one party ("Discloser")
to the other party ("Recipient") that is marked confidential or should reasonably be understood
to be confidential.
XData Confidential Information includes non-public information about the Services, software,
architecture, pricing, roadmap, security practices, prompts, configurations, models, workflows,
source code, documentation, and business plans.
Customer Confidential Information includes Customer Content, non-public data, business
processes, internal documents, credentials, system architecture, and other confidential
materials provided to XData.
12.2. Exclusions
Confidential Information does not include information that Recipient can demonstrate:
(a) is or becomes public without breach of these Terms;
(b) was known to Recipient before disclosure without confidentiality obligations;
(c) was lawfully received from a third party without confidentiality obligations; or
(d) was independently developed without use of the Discloser's Confidential Information.
12.3. Obligations
Recipient will use Confidential Information only to perform under these Terms, evaluate or
use the Services, provide support, or fulfill the applicable Order. Recipient will use
reasonable care to protect Confidential Information and will disclose it only to personnel,
contractors, affiliates, advisors, and subprocessors who need to know it and are bound by
confidentiality obligations.
12.4. Required Disclosure
Recipient may disclose Confidential Information where required by law, court order, regulator,
or legal process, provided that Recipient gives prompt notice where legally permitted and
reasonably cooperates with efforts to limit disclosure.
12.5. Survival
Confidentiality obligations survive for five years after termination, except that trade secrets
and highly sensitive information remain protected for as long as they remain confidential under
applicable law.
13. INTELLECTUAL PROPERTY
13.1. XData Intellectual Property
XData owns all rights, title, and interest in and to the Services, software, source code,
templates, frameworks, documentation, methodologies, architectures, workflows, know-how,
training materials, designs, names, logos, trademarks, and other XData intellectual property,
except for Customer Content and third-party materials.
13.2. Customer Intellectual Property
Customer owns Customer Content and Customer's pre-existing intellectual property.
13.3. Deliverables
Unless otherwise agreed in writing, XData retains ownership of its pre-existing materials,
tools, frameworks, libraries, reusable components, know-how, methodologies, generic code,
templates, prompts, configuration patterns, documentation structures, and non-customer-specific
improvements.
Customer receives the rights to use project deliverables as stated in the applicable Order.
If no rights are stated, XData grants Customer a non-exclusive, non-transferable right to use
deliverables internally for Customer's business purposes after Customer has paid all applicable
fees.
13.4. Trademarks
Customer may not use XData names, logos, trademarks, or brand assets without XData's prior
written consent, except where legally permitted.
14. WARRANTIES AND DISCLAIMERS
14.1. Mutual Warranties
Each party represents that it has the authority to enter into these Terms and will comply with
applicable law in performing its obligations.
14.2. XData Warranties
For paid Services, XData will use commercially reasonable efforts to provide the Services in
substantial conformity with the applicable documentation, proposal, or Order. XData will use
commercially reasonable efforts to protect the Services against malware introduced by XData.
14.3. Disclaimer
Except as expressly stated in these Terms or a signed Order, the Services are provided
"as is" and "as available". XData disclaims all implied warranties, including merchantability,
fitness for a particular purpose, title, non-infringement, accuracy, uninterrupted operation,
availability, and error-free performance, to the maximum extent permitted by law.
14.4. No Professional Advice
Unless expressly agreed in writing, the Services do not constitute legal, tax, financial,
medical, cybersecurity certification, regulatory, or other professional advice. Customer should
consult qualified professionals before making regulated or high-impact decisions.
14.5. No Guaranteed Outcomes
XData does not guarantee business results, revenue increases, cost reductions, investment
returns, legal compliance, AI model accuracy, search accuracy, security outcomes, or market
success unless expressly stated in a signed agreement.
15. INDEMNITY
15.1. Customer Indemnity
Customer will defend and indemnify XData against third-party claims, damages, losses, costs,
and reasonable legal fees arising from:
(a) Customer Content;
(b) Customer's violation of these Terms;
(c) Customer's unlawful use of the Services;
(d) Customer's violation of third-party intellectual property, privacy, data protection, or
other rights;
(e) Customer's integrations, systems, data sources, or instructions.
15.2. XData Indemnity
If expressly agreed in a paid Order, XData may provide limited indemnity for claims that
XData-owned software, as provided by XData and used in accordance with the applicable Order,
infringes third-party intellectual property rights. Any such indemnity is subject to exclusions,
process requirements, and liability caps stated in the applicable Order.
15.3. Process
The indemnified party must promptly notify the indemnifying party of the claim, reasonably
cooperate, allow the indemnifying party to control the defense and settlement, and mitigate
losses. No settlement may require the indemnified party to admit liability or pay money without
its prior written consent.
16. LIMITATION OF LIABILITY
16.1. Exclusion of Indirect Damages
To the maximum extent permitted by law, neither party will be liable for indirect, incidental,
special, consequential, exemplary, punitive, or similar damages, including loss of profits,
revenue, goodwill, data, use, business opportunity, or cost of cover, even if advised of the
possibility of such damages.
16.2. Liability Cap
Unless otherwise stated in the applicable Order and to the maximum extent permitted by law,
XData's total aggregate liability arising out of or relating to the Services or these Terms
will not exceed the greater of:
(a) EUR 100; or
(b) the fees paid by Customer to XData for the affected Service during the 12 months before
the event giving rise to liability.
16.3. Exclusions
The liability cap does not apply to liability that cannot be limited under applicable law.
Any additional exclusions should be confirmed by legal counsel before publication.
16.4. Risk Allocation
The limitations in this section allocate risk between the parties and are reflected in the
pricing and availability of the Services.
17. TERM AND TERMINATION
17.1. Term
These Terms apply from the first time Customer accesses or uses the Services and continue
until Customer stops using the Services, the account is deleted, the subscription ends, or the
applicable Order is terminated.
17.2. Termination by Customer
Customer may stop using the Services at any time. For paid subscriptions, cancellation takes
effect at the end of the current subscription term unless otherwise stated in the applicable
Order or required by law.
17.3. Termination or Suspension by XData
XData may suspend or terminate Customer's access if Customer breaches these Terms, fails to
pay fees, creates security or legal risk, violates acceptable use rules, infringes third-party
rights, or uses the Services in a way that may harm XData, other customers, third parties, or
the public.
17.4. Effect of Termination
Upon termination, Customer must stop using the Services. XData may delete Customer Content
after a reasonable retrieval period unless longer retention is required by law, the applicable
DPA, backup policies, or the applicable Order.
17.5. Survival
The sections concerning payment obligations, Customer Content, Usage Data, confidentiality,
intellectual property, disclaimers, indemnity, limitation of liability, termination effects,
governing law, and miscellaneous provisions survive termination.
18. EXPORT CONTROL, SANCTIONS, AND ANTI-CORRUPTION
18.1. Export and Sanctions
Customer must comply with applicable export control and sanctions laws. Customer must not
use the Services in embargoed jurisdictions, by or for sanctioned persons or entities, or in
ways that violate applicable export control or sanctions laws.
18.2. Anti-Corruption
Neither party may offer, request, receive, or provide illegal bribes, kickbacks, improper
payments, or other improper benefits in connection with the Services.
19. PUBLIC SECTOR AND REGULATED CUSTOMERS
19.1. Public Sector
If Customer is a public sector entity, Customer is responsible for ensuring that its purchase
and use of the Services complies with applicable public procurement, transparency, data
protection, archiving, cybersecurity, and public finance rules.
19.2. Regulated Industries
If Customer operates in a regulated sector, Customer is responsible for determining whether
the Services are suitable for Customer's regulatory obligations. Regulated use cases may
require additional written terms, technical controls, documentation, risk assessments, or
approval processes.
20. GOVERNING LAW AND DISPUTES
20.1. Governing Law
Unless otherwise agreed in writing, these Terms are governed by the laws of the Republic of
Slovenia, without regard to conflict of law rules.
20.2. Venue
Unless otherwise agreed in writing or required by applicable law, the competent courts in
Slovenia will have jurisdiction over disputes arising out of or relating to these Terms.
20.3. Good-Faith Resolution
Before initiating formal proceedings, the parties will use reasonable efforts to resolve
disputes in good faith through business-level escalation, except where urgent injunctive
relief is required to protect intellectual property, confidentiality, security, or personal data.
21. MISCELLANEOUS
21.1. Notices
XData may provide notices by email, through the Services, through account notifications, or
by posting updated information on its website. Legal notices to XData should be sent to:
[INSERT LEGAL NOTICE EMAIL]
[INSERT POSTAL ADDRESS]
21.2. Changes to Terms
XData may update these Terms from time to time. For material changes affecting paid Services,
XData will use reasonable efforts to provide notice before the changes take effect. Continued
use of the Services after changes take effect constitutes acceptance of the updated Terms.
21.3. Assignment
Customer may not assign or transfer these Terms or access to the Services without XData's
prior written consent. XData may assign these Terms in connection with a merger, acquisition,
reorganization, sale of assets, or transfer of business.
21.4. Force Majeure
Neither party is liable for delay or failure to perform caused by events beyond reasonable
control, including natural disasters, war, terrorism, labor disputes, internet outages,
cloud provider failures, power failures, cyberattacks, government action, pandemics, or
other force majeure events. Payment obligations are not excused by force majeure.
21.5. Severability
If any provision of these Terms is invalid or unenforceable, the remaining provisions remain
in effect. The invalid provision will be modified to the minimum extent necessary to make it
valid and enforceable while preserving its intended effect.
21.6. No Waiver
Failure to enforce a provision is not a waiver of that provision.
21.7. No Partnership
These Terms do not create a partnership, joint venture, agency, franchise, fiduciary, or
employment relationship between the parties.
21.8. Order of Precedence
If there is a conflict between documents, the order of precedence is:
1. signed enterprise agreement or master services agreement;
2. data processing agreement;
3. applicable order form, proposal, or statement of work;
4. product-specific terms or service-specific terms;
5. these Terms;
6. documentation.
21.9. Entire Agreement
These Terms, together with any applicable Order, DPA, Privacy Policy, Acceptable Use Policy,
AI Policy, and product-specific terms, constitute the entire agreement between the parties
regarding the Services and supersede prior or contemporaneous agreements on the same subject.
22. DEFINITIONS
22.1. "AI Services" means Services that use, integrate, orchestrate, configure, host, or
otherwise rely on machine learning models, large language models, generative AI systems,
embedding models, classifiers, agents, retrieval systems, or automation workflows.
22.2. "Authorized User" means an employee, contractor, administrator, agent, or other person
authorized by Customer to access or use the Services.
22.3. "Customer Content" means content, data, prompts, files, code, configurations, documents,
knowledge bases, outputs selected by Customer, and other materials uploaded to, submitted to,
generated through, or developed using the Services by Customer or its Authorized Users.
22.4. "Documentation" means user guides, technical documentation, help articles, policies,
and other written materials provided by XData for the Services.
22.5. "Order" means an online order, order form, invoice, proposal, statement of work,
subscription confirmation, or other written purchasing document for the Services.
22.6. "Services" has the meaning given in Section 1.2.
22.7. "Usage Data" has the meaning given in Section 9.1.
Subscribe News
Get Exclusive Business Insights & Tips
Transforming organizations for the AI era through strategy, research, education and implementation.
SOLUTIONS
INSIGHTS
COMPANY
STAY INFORMED
Get the latest insights, research and frameworks delivered to your inbox.
EU Based & Compliant
GDPR • AI Act • ISO 42001
Secure & Sovereign
Your data. Your control.
Research Driven
Powered by Cognitio Labs
Proven Impact
Measurable results