Data Processing Agreement

The Processor will process Personal Data on behalf of the Controller for the duration of the Services agreement, unless terminated earlier in accordance with this DPA or the Terms of Service.

The subject matter of the processing is the provision of AI automation consulting services as described in the Services agreement.

The Processor will process Personal Data to provide the following Services:

• Business process analysis and workflow automation
• AI solution implementation and system integration
• Data analysis for automation recommendations
• Training and support services
• Project management and communication

The Personal Data processed may include, but is not limited to:

• Identity Data: Names, job titles, employee IDs
• Contact Data: Email addresses, phone numbers, business addresses
• Professional Data: Work history, department, role, responsibilities
• Technical Data: IP addresses, device information, system access logs
• Usage Data: User interactions with systems, workflow patterns
• Communication Data: Messages, feedback, support requests
• Business Data: Transaction records, performance metrics, operational data

Personal Data may relate to the following categories of Data Subjects:

• Controller's employees and contractors
• Controller's customers and clients
• Controller's suppliers and business partners
• End users of Controller's systems and services

The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law.

If the Processor believes that any instruction infringes Data Protection Laws, the Processor will immediately inform the Controller.

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor shall, taking into account the nature of the processing and information available to the Processor, assist the Controller:

• In ensuring compliance with obligations regarding security, breach notification, and impact assessments
• In responding to requests from Data Subjects exercising their rights
• In meeting the Controller's obligations under Data Protection Laws

The Processor shall maintain written records of all categories of processing activities carried out on behalf of the Controller, including:

• Name and contact details of the Processor and Controller
• Categories of processing performed on behalf of the Controller
• Transfers of Personal Data to third countries or international organizations
• Description of technical and organizational security measures

The Controller's initial instructions for processing Personal Data are set out in this DPA and the Services agreement. The Controller may issue additional written instructions as reasonably necessary.

The Controller may provide additional processing instructions to the Processor by:

• Email to the designated Processor contact
• Written notice through the Services platform
• Formal amendment to this DPA or the Services agreement

If the Processor determines that an instruction from the Controller would violate Data Protection Laws, the Processor will inform the Controller immediately and will be entitled to refuse to comply with the instruction until it is confirmed or modified by the Controller.

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

• Pseudonymization and encryption of Personal Data
• Ongoing confidentiality, integrity, availability, and resilience of processing systems
• Ability to restore availability and access to Personal Data in a timely manner
• Regular testing, assessment, and evaluation of security effectiveness

The Processor maintains the following security controls:

• Access Control: Role-based access controls, multi-factor authentication, principle of least privilege
• Encryption: Data encrypted in transit (TLS 1.3+) and at rest (AES-256)
• Network Security: Firewalls, intrusion detection/prevention systems, network segmentation
• Application Security: Secure coding practices, regular vulnerability scanning, penetration testing
• Backup and Recovery: Regular automated backups, tested disaster recovery procedures
• Logging and Monitoring: Comprehensive audit logs, real-time security monitoring, SIEM integration
• Physical Security: Data centers with 24/7 security, biometric access controls, video surveillance

The Processor will regularly review and update security measures to address evolving threats and maintain compliance with industry best practices and Data Protection Laws.

Upon reasonable request and subject to confidentiality obligations, the Processor will provide the Controller with information about security measures implemented to protect Personal Data.

The Controller provides general authorization for the Processor to engage Sub-processors to process Personal Data. The Processor will maintain a current list of Sub-processors available at xavarro.com/legal/subprocessors.

As of the effective date of this DPA, the Processor uses the following Sub-processors:

• Cloud Hosting: Vercel, Hostinger, GitHub – Infrastructure, deployment, and source code management
• AI Services: Anthropic, OpenAI, Google (Gemini) – AI model APIs and processing
• Database: Supabase – Application database and authentication services
• Communication: Resend (email), Twilio (SMS), Daily.co (video) – Client communication channels
• Automation: n8n – Workflow automation and integration
• Payment Processing: Stripe – Payment and billing services
• Analytics: Google Analytics – Website usage analytics

A complete and up-to-date list of all Sub-processors is maintained at xavarro.com/legal/subprocessors.

The Processor shall ensure that any Sub-processor:

• Enters into a written agreement imposing data protection obligations substantially similar to those in this DPA
• Complies with all applicable Data Protection Laws
• Implements appropriate technical and organizational security measures
• Provides sufficient guarantees regarding data protection

The Processor will notify the Controller at least 30 days in advance of adding or replacing Sub-processors. If the Controller objects to a new Sub-processor on reasonable data protection grounds, the Controller may:

• Request that the Processor not use the Sub-processor
• Terminate the affected Services upon 30 days' written notice

The Processor remains fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA.

"Confidential Information" means all non-public information disclosed by one party to the other party in connection with this DPA and the Agreement, including:

• Personal Data: All personal data processed under this DPA, including data subject information, processing records, and data flows
• Business Information: Business strategies, financial information, customer lists, supplier information, pricing, and forecasts
• Technical Information: System architectures, security measures, technical specifications, data schemas, APIs, and integration methods
• Security Information: Security controls, vulnerability assessments, incident reports, security audits, and penetration test results
• Proprietary Information: Trade secrets, know-how, inventions, algorithms, and methodologies

Each party agrees to:

• Non-Disclosure: Hold all Confidential Information in strict confidence and not disclose it to any third party without prior written consent, except as expressly permitted in this DPA
• Limited Use: Use Confidential Information only for purposes of fulfilling obligations under this DPA and the Agreement
• Protection: Protect Confidential Information using the same degree of care used to protect its own confidential information, but in no event less than reasonable care
• Prompt Notification: Notify the other party promptly of any unauthorized disclosure or use of Confidential Information

The Receiving Party may disclose Confidential Information only to:

• Authorized Representatives: Its employees, officers, directors, contractors, and advisors who have a legitimate need to know and are bound by confidentiality obligations at least as protective as those herein
• Sub-processors: Approved Sub-processors as set forth in this DPA, provided they are bound by appropriate confidentiality agreements
• Legal Requirements: Government authorities or courts when required by law, provided the Receiving Party gives prior notice to the Disclosing Party (if legally permitted) and limits disclosure to the minimum required

The Receiving Party shall be fully responsible for any breach of confidentiality by its Representatives or Sub-processors.

Confidential Information does not include information that:

• Is or becomes publicly available through no breach of this DPA by the Receiving Party
• Was rightfully in the Receiving Party's possession prior to disclosure, as evidenced by written records
• Is rightfully received from a third party without breach of confidentiality obligations
• Is independently developed without use of or reference to Confidential Information, as evidenced by written records
• Is approved for disclosure by prior written authorization of the Disclosing Party

Note: Personal Data subject to this DPA does not qualify for these exclusions and remains protected regardless of public availability or other circumstances.

Without limiting the general confidentiality obligations above, the Processor shall implement additional safeguards for Personal Data:

• Access Controls: Restrict access to Personal Data to authorized personnel only, using role-based access controls and the principle of least privilege
• Encryption: Encrypt Personal Data in transit (TLS 1.3+) and at rest (AES-256 or equivalent)
• Segregation: Maintain logical segregation of Personal Data between different Controllers
• Monitoring: Implement logging and monitoring of all access to Personal Data
• Training: Ensure all personnel with access to Personal Data receive data protection and confidentiality training
• Confidentiality Agreements: Bind all personnel with access to Personal Data to written confidentiality obligations

Upon termination or expiration of this DPA, or upon the Disclosing Party's written request, the Receiving Party shall:

• Promptly return to the Disclosing Party, or securely destroy, all tangible materials containing Confidential Information
• Delete or destroy all electronic copies of Confidential Information in its possession or control
• Provide written certification of such return or destruction within thirty (30) days

Exceptions: The Receiving Party may retain:

• One archival copy of Confidential Information in secure storage solely for determining its obligations under this DPA
• Electronic copies automatically retained in backup systems, provided such copies remain subject to confidentiality obligations
• Information required to be retained by applicable law or regulation, provided such information remains confidential

Nothing in this DPA grants the Receiving Party any license, right, title, or interest in or to any Confidential Information, except the limited right to use the Confidential Information as expressly set forth in this DPA. All Confidential Information remains the sole property of the Disclosing Party.

The Receiving Party acknowledges that unauthorized disclosure or use of Confidential Information may cause irreparable harm to the Disclosing Party for which monetary damages may be an inadequate remedy. Accordingly, the Disclosing Party shall be entitled to seek equitable relief, including injunction and specific performance, in addition to all other remedies available at law or in equity.

The confidentiality obligations set forth in this Section shall:

• Personal Data: Continue for as long as the Processor processes Personal Data on behalf of the Controller, and for three (3) years thereafter
• Trade Secrets: Continue for as long as the information remains a trade secret under applicable law
• Other Confidential Information: Continue for a period of three (3) years from the date of disclosure

Note: These obligations survive termination or expiration of this DPA and the Agreement.

In addition to Security Incident notification requirements elsewhere in this DPA, the Receiving Party shall notify the Disclosing Party immediately (and in any event within 24 hours) upon becoming aware of any breach of confidentiality obligations, including:

• Unauthorized access to or disclosure of Confidential Information
• Loss, theft, or misappropriation of Confidential Information
• Breach of confidentiality by Representatives or Sub-processors
• Any circumstances that may lead to unauthorized disclosure

Such notification shall include all details known at the time, and the Receiving Party shall provide regular updates as additional information becomes available.

If the parties have previously executed a separate Mutual Non-Disclosure Agreement (NDA), such NDA is hereby incorporated by reference and shall continue to govern the treatment of Confidential Information disclosed under this DPA.

In the event of any conflict between this Section and a separate NDA:

• The terms of this DPA shall control with respect to Personal Data and data processing activities
• The terms of the NDA shall control with respect to other Confidential Information
• The more protective provision shall apply in cases of ambiguity

The Processor shall, to the extent legally permitted and taking into account the nature of the processing, assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:

• Right of access to Personal Data
• Right to rectification of inaccurate Personal Data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making and profiling

If the Processor receives a request directly from a Data Subject, the Processor will not respond to such request directly without the Controller's prior written authorization, except to acknowledge receipt and inform the Data Subject that the request will be forwarded to the Controller.

The Processor will provide assistance to the Controller within the timeframes required by Data Protection Laws to enable the Controller to respond to Data Subject requests within applicable deadlines (typically 30 days under GDPR).

The Processor may charge reasonable fees for assistance with Data Subject requests that require significant technical effort or involve excessive repetitive requests, provided such fees are communicated to the Controller in advance.

The Processor shall notify the Controller without undue delay (and in any event within 24 hours) upon becoming aware of a Security Incident affecting Personal Data processed on behalf of the Controller.

The Security Incident notification shall include, to the extent known:

• Description of the nature of the Security Incident
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Likely consequences of the Security Incident
• Measures taken or proposed to address the Security Incident
• Measures to mitigate possible adverse effects
• Contact point for further information

The Processor shall:

• Promptly investigate Security Incidents and take appropriate remedial measures
• Provide regular updates to the Controller on investigation progress
• Cooperate with the Controller in fulfilling regulatory reporting obligations
• Assist with notifications to Data Subjects if required by Data Protection Laws
• Preserve evidence and maintain records of Security Incidents

The Processor's notification of a Security Incident shall not be construed as an acknowledgment of fault or liability.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

The Controller may conduct audits:

• No more than once per year, unless required by Data Protection Laws or following a Security Incident
• Upon reasonable advance notice (at least 30 days)
• During normal business hours
• In a manner that does not unreasonably interfere with Processor's operations

In lieu of an on-site audit, the Controller may accept alternative evidence of compliance, including:

• Third-party security certifications (SOC 2 Type II, ISO 27001, etc.)
• Completed security questionnaires
• Independent audit reports
• Attestations of compliance

The Controller shall bear the costs of any audits, including reasonable costs incurred by the Processor in facilitating the audit. If an audit reveals material non-compliance, the Processor shall bear its own costs and implement remedial measures at no charge.

Any information obtained during audits is confidential and shall be used solely to verify compliance with this DPA.

The Processor may process Personal Data in countries outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with comprehensive data protection laws. When such transfers occur, the Processor shall ensure appropriate safeguards are in place, including:

• European Commission-approved Standard Contractual Clauses (SCCs)
• UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
• Adequacy decisions by relevant data protection authorities
• Binding Corporate Rules (where applicable)
• Other legally recognized transfer mechanisms

Where Standard Contractual Clauses are used, they are incorporated into this DPA by reference. The parties agree to execute the applicable SCCs upon request by either party.

In addition to appropriate transfer mechanisms, the Processor implements supplementary technical and organizational measures to ensure adequate protection, including:

• End-to-end encryption of Personal Data
• Contractual restrictions on access by third-country authorities
• Regular assessment of transfer impact
• Data minimization and pseudonymization where possible

The Processor currently processes Personal Data in the following locations:

• Canada (primary business location)
• United States (Sub-processor data centres: Vercel, Supabase, Anthropic, OpenAI, AWS Bedrock, Stripe, Resend, GitHub)
• European Union (Sub-processor data centres: n8n, Hostinger)

An updated list of processing locations is available upon request.

Upon termination or expiration of the Services, the Processor shall, at the Controller's choice and within 30 days of such termination:

• Return all Personal Data to the Controller in a commonly used, machine-readable format
• Securely delete all Personal Data from Processor's systems

Upon completion of deletion, the Processor will provide written certification that all Personal Data has been deleted in accordance with this DPA, unless retention is required by applicable law.

The Processor may retain Personal Data to the extent required by applicable law, provided that:

• The Processor ensures confidentiality of retained Personal Data
• Personal Data is only processed as necessary for legal compliance
• Personal Data is deleted once the legal retention period expires

Personal Data in backup systems will be deleted in accordance with the Processor's regular backup deletion schedule, but in no event later than 90 days after the scheduled deletion date.

This DPA shall commence on the effective date of the Services agreement and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

Either party may terminate this DPA with immediate effect by written notice if the other party materially breaches this DPA and fails to remedy such breach within 30 days of receiving written notice.

Upon termination of this DPA:

• The Processor shall cease all processing of Personal Data
• The Processor shall comply with deletion or return obligations as specified in this DPA
• Provisions relating to confidentiality, liability, and dispute resolution shall survive

The following provisions shall survive termination of this DPA: Definitions, Security Measures, Confidentiality, Limitation of Liability, Governing Law, and Dispute Resolution.