Data Processing Agreement

1. Scope and Application

This Data Processing Agreement ("DPA") forms part of the agreement between XALEN Technology Pvt Ltd ("XALEN", "Processor", "we") and the entity or person accepting these terms ("Customer", "Controller", "you") for the provision of AI infrastructure services (the "Service").

This DPA applies to the processing of Personal Data by XALEN on behalf of the Customer in connection with the Service. It supplements and is incorporated into the Terms of Service and any Master Service Agreement between the parties.

In the event of conflict between this DPA and any other agreement, this DPA prevails with respect to data processing matters.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by XALEN on behalf of the Customer in connection with the Service.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, alteration, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-Processor" means any third party engaged by XALEN to process Personal Data on behalf of the Customer.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
• "Standard Contractual Clauses (SCCs)" means the European Commission's standard contractual clauses for the transfer of personal data to third countries.
• "Data Fiduciary" has the meaning given under India's Digital Personal Data Protection Act, 2023.

3. Roles and Responsibilities

3.1 Customer as Controller

The Customer acts as the Data Controller (or "Data Fiduciary" under DPDPA 2023) and determines the purposes and means of processing Personal Data. The Customer is responsible for:

• Ensuring a lawful basis for processing (consent, contract, legitimate interest, or legal obligation)
• Providing appropriate notice to Data Subjects about the processing
• Ensuring that Personal Data submitted to the Service is collected lawfully
• Responding to Data Subject rights requests (with XALEN's assistance)

3.2 XALEN as Processor

XALEN acts as the Data Processor (or "Data Processor" under DPDPA 2023) and processes Personal Data solely on documented instructions from the Customer. XALEN is responsible for:

• Processing Personal Data only as instructed by the Customer and as necessary to provide the Service
• Implementing appropriate technical and organizational security measures
• Ensuring personnel with access to Personal Data are bound by confidentiality obligations
• Assisting the Customer with Data Subject rights requests and data protection impact assessments
• Notifying the Customer promptly of any Data Breach
• Deleting or returning Personal Data upon termination of the Service

3.3 Processing Instructions

The Customer's instructions to XALEN for processing Personal Data are as follows: process Personal Data as necessary to provide the Service in accordance with the Terms of Service, this DPA, and any additional written instructions agreed by the parties. XALEN will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.

4. Data Processing Terms

4.1 Categories of Data Subjects

• Customer's employees and contractors who access the Service
• Customer's end users whose data is submitted via API calls
• Customer's business contacts (billing, administrative personnel)

4.2 Types of Personal Data Processed

• Account credentials (email, name, organization)
• API request content (prompts and inputs submitted by Customer)
• API response content (model outputs generated for Customer)
• Usage metadata (timestamps, endpoints, token counts, IP addresses)
• Billing and payment references

4.3 Purpose of Processing

Personal Data is processed solely for the purpose of providing the Service, which includes: processing API requests, authenticating users, computing usage and billing, maintaining security, and providing technical support.

4.4 Duration of Processing

Processing continues for the duration of the Customer's use of the Service, plus the retention periods specified in Section 6, or until the Customer instructs deletion.

5. Sub-Processors

5.1 Current Sub-Processors

XALEN engages the following categories of sub-processors to deliver the Service:

Sub-Processor Category	Purpose	Data Location
Cloud infrastructure provider	Compute, storage, networking, database hosting	India (Mumbai), United States (Iowa)
AI compute partners	Model inference processing	United States
Payment processor	Payment collection and processing	India
Email delivery service	Transactional email (invoices, alerts, notifications)	United States, European Union
Monitoring and observability	Infrastructure monitoring, error tracking, uptime	United States

A detailed list of specific sub-processors with entity names is available upon request to Enterprise customers under NDA. Contact privacy@xalen.io.

5.2 Sub-Processor Obligations

XALEN ensures that all sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA. XALEN remains fully liable for the acts and omissions of its sub-processors.

5.3 Changes to Sub-Processors

XALEN will notify the Customer at least 30 days in advance of engaging any new sub-processor. The Customer may object to the new sub-processor by notifying XALEN within 14 days of receiving notice. If the Customer objects and XALEN cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the Service without penalty.

6. Data Retention

Data Category	Retention Period	Basis
API request/response logs	90 days	Abuse prevention, debugging, support
Model outputs	Not stored (transient processing only)	N/A
Usage metadata (token counts, latency)	12 months	Billing, analytics, capacity planning
Billing and payment records	7 years	Tax and legal compliance (Indian law)
Account information	Duration of account + 30 days	Service delivery
Security and audit logs	12 months	Security monitoring, incident response

6.1 Custom Retention

Enterprise customers may configure custom retention policies, including:

• Zero-retention mode: API inputs and outputs are processed in memory only and never written to persistent storage
• Extended retention: Logs retained beyond 90 days for compliance or audit purposes
• Geographic restriction: Data retained exclusively within a specified region

6.2 Deletion

Upon expiry of the retention period, or upon Customer's request, Personal Data is permanently deleted using cryptographic erasure (destruction of encryption keys) or multi-pass overwrite. Deletion is confirmed within 30 days of the request or retention period expiry.

7. Data Subject Rights

7.1 Assistance with Requests

XALEN will assist the Customer in fulfilling Data Subject rights requests, including:

• Right of Access: Providing copies of Personal Data processed on behalf of the Customer
• Right to Erasure: Deleting Personal Data upon verified request, subject to legal retention obligations
• Right to Portability: Exporting Personal Data in a structured, machine-readable format (JSON)
• Right to Rectification: Correcting inaccurate Personal Data
• Right to Restriction: Restricting processing upon request while maintaining storage
• Right to Object: Ceasing processing for specified purposes upon objection

7.2 Response Timeline

XALEN will respond to Customer's assistance requests related to Data Subject rights within 10 business days. The Customer remains responsible for communicating with the Data Subject within applicable legal timeframes (30 days under GDPR, reasonable time under DPDPA 2023).

7.3 Direct Requests

If XALEN receives a request directly from a Data Subject, we will promptly redirect the Data Subject to the Customer unless legally prohibited from doing so. We will notify the Customer of the direct request within 5 business days.

8. Security Measures

XALEN implements the following technical and organizational measures to protect Personal Data:

8.1 Encryption

• At rest: AES-256 encryption for all stored data, including databases, backups, and logs
• In transit: TLS 1.3 for all data in transit; TLS 1.2 as minimum
• Key management: Encryption keys managed via hardware security modules (HSM) with automatic rotation

8.2 Access Control

• Role-based access control (RBAC) with least-privilege principle
• Multi-factor authentication (MFA) required for all employees accessing production systems
• API keys stored using one-way cryptographic hashing (bcrypt)
• Privileged access logging and quarterly access reviews

8.3 Infrastructure Security

• Virtual private cloud (VPC) isolation with firewall rules
• DDoS protection and Web Application Firewall (WAF)
• Automated vulnerability scanning of infrastructure and application dependencies
• Container isolation for workload separation

8.4 Personnel Security

• Background checks for employees with access to Personal Data
• Mandatory data protection training upon hiring and annually
• Confidentiality agreements binding all personnel
• Immediate access revocation upon employment termination

8.5 Business Continuity

• Multi-region deployment with automatic failover
• Daily encrypted backups with tested restore procedures
• Disaster recovery plan with RTO of 4 hours and RPO of 1 hour

9. Breach Notification

9.1 Notification Timeline

XALEN will notify the Customer of any confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach. Where notification within 72 hours is not feasible, XALEN will provide a preliminary notification within 72 hours and a full notification as soon as additional information becomes available.

9.2 Notification Content

The breach notification will include, to the extent reasonably available:

• Nature of the breach, including categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its effects
• Name and contact details of the point of contact for further information

9.3 Cooperation

XALEN will cooperate with the Customer in investigating and remediating the breach, including providing information necessary for the Customer to fulfill its obligations to notify supervisory authorities and Data Subjects under applicable law.

9.4 Documentation

XALEN maintains a record of all Data Breaches, including facts, effects, and remedial action taken, which is available for inspection by the Customer upon request.

10. International Transfers

10.1 Transfer Mechanisms

Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country not recognized as providing adequate data protection, XALEN ensures appropriate safeguards through:

• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (Module 2: Controller to Processor) are incorporated by reference into this DPA
• Supplementary measures: Technical measures (encryption in transit and at rest, pseudonymization where feasible) and organizational measures (access restrictions, data minimization)

10.2 Transfer Impact Assessment

XALEN has conducted a Transfer Impact Assessment for each country where Personal Data is processed and will provide a summary upon request. If the legal framework in a receiving country changes in a way that materially undermines the protections afforded by the SCCs, XALEN will notify the Customer and work with the Customer to implement additional safeguards or, if not feasible, cease the transfer.

10.3 Data Residency

Enterprise customers may restrict processing to specific regions:

• India-only: All processing within Mumbai (asia-south1)
• US-only: All processing within Iowa (us-central1)
• EU-only: Available upon request; requires dedicated infrastructure configuration

11. India DPDPA 2023 Compliance

11.1 Applicability

This section applies where Personal Data is processed under India's Digital Personal Data Protection Act, 2023 ("DPDPA"). Where the DPDPA applies, the Customer is the "Data Fiduciary" and XALEN is the "Data Processor" as defined under the Act.

11.2 Obligations

In accordance with the DPDPA 2023, XALEN:

• Processes Personal Data only for the purposes specified by the Customer (Data Fiduciary)
• Implements reasonable security safeguards as prescribed under Section 8 of the DPDPA
• Does not retain Personal Data beyond the period necessary for the specified purpose
• Erases Personal Data upon the Customer's instruction or when the purpose is no longer being served, whichever is earlier
• Does not transfer Personal Data to any country restricted by the Central Government under Section 16, unless the Customer provides lawful instruction

11.3 Consent Management

Where the lawful basis for processing is consent under the DPDPA, the Customer is responsible for obtaining valid consent from Data Principals (Data Subjects). XALEN provides consent management tools via the API to assist with recording and revoking consent.

11.4 Significant Data Fiduciary

If the Customer is classified as a "Significant Data Fiduciary" under the DPDPA, XALEN will cooperate with additional obligations including periodic data audits, Data Protection Impact Assessments, and appointment of a Data Protection Officer, to the extent such cooperation relates to XALEN's processing activities.

11.5 Children's Data

XALEN does not knowingly process Personal Data of children (persons under 18 years of age as defined by the DPDPA) without verifiable parental consent. The Customer warrants that any Personal Data of children submitted to the Service has been collected with valid parental consent.

12. Audit Rights

12.1 Right to Audit

The Customer (or its authorized auditor) has the right to audit XALEN's compliance with this DPA. Audits may be conducted no more than once per calendar year and upon 30 days' written notice, unless a Data Breach has occurred or a supervisory authority requires an audit.

12.2 Audit Scope

Audits may cover:

• Technical and organizational security measures
• Sub-processor management and contracts
• Data deletion and retention practices
• Breach notification procedures
• Employee training and access controls

12.3 Alternative Evidence

XALEN may satisfy audit requests by providing:

• SOC 2 Type II report (when available)
• ISO 27001 certification (when available)
• Results of third-party penetration tests (summary)
• Completed security questionnaire (SIG or CAIQ format)

12.4 Confidentiality

Audit information is confidential. The Customer agrees to execute a non-disclosure agreement before receiving detailed audit results and to use audit information solely for verifying compliance with this DPA.

13. Termination and Data Return

13.1 Data Return

Upon termination of the Service or upon Customer's written request, XALEN will:

• Return all Personal Data to the Customer in a structured, machine-readable format (JSON or CSV) within 30 days
• Provide the Customer with an export of all account data, usage logs, and billing records

13.2 Data Deletion

Following data return (or Customer's instruction to skip the return), XALEN will permanently delete all Personal Data within 30 days, except where retention is required by applicable law (e.g., billing records for 7 years under Indian tax law). XALEN will provide written confirmation of deletion upon request.

13.3 Survival

The obligations in Sections 8 (Security), 9 (Breach Notification), and 12 (Audit Rights) survive termination of this DPA for as long as XALEN retains any Personal Data on behalf of the Customer.

13.4 Contact

XALEN Technology Pvt Ltd
Pune, Maharashtra, India
Data Protection Officer: privacy@xalen.io
Enterprise: enterprise@xalen.io
General: hello@xalen.io