Data Processing Addendum

Last Updated: January 23, 2026

This Data Processing Addendum (“Addendum”) forms part of and is incorporated by reference into the Subscription Agreement (defined below) between XOEye Technologies, Inc., DBA XOi Technologies, that is a party to the Subscription Agreement (“Service Provider”) and the customer entity that is a party to the Subscription Agreement (“Customer”), each a “Party”, and collectively the “Parties.” Service Provider and Customer have agreed to the terms of this Addendum. The terms of this Addendum shall take effect as of the effective date of the Agreement.

NOW THEREFORE, in consideration of the mutual obligations and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows: 

1. Definitions 

For purposes of this DPA:

a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this DPA, where “control” refers to direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

b. “Agreement” means the applicable subscription or services agreements between Service Provider and Customer pursuant to which Customer has purchased, subscribed to, or signed up to receive services from Service Provider, and any statements of work, exhibits, schedules, work orders, addenda or amendments thereto, as well as the applicable online Service Provider Terms of Use and any other agreement that incorporates this Addendum by reference.

c. “Data Protection Laws” means all applicable laws and regulations in the United States relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and together with its regulations (“CCPA”), the Colorado Privacy Act and related regulations (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and other federal and state United States laws.

d. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to “consumer” as defined in Data Protection Laws.

e. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by applicable Data Protection Laws, that Service Provider Processes in relation to the Agreement. 

f. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

g. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

h. “Services” means the services that Service Provider performs on behalf of Customer pursuant to the Agreement.

i. “Subprocessor” means any third party that Service Provider engages to Process Personal Data. 

j. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.” 

2. Roles of the Parties; Scope and Purposes of Processing 

a.  In connection with the XOi Platform and Services outlined in the Agreement, Service Provider will Process certain Personal Data to enable the provision of these Services to Company. 

b. The Parties acknowledge that Service Provider may act either as a Processor or an independent Controller, depending on the nature of the Personal Data and the Processing activities:

  1. Company is the Controller and Service Provider is the Processor for Personal Data used to validate eligibility for the Services, facilitate billing, provide support and maintenance, and for additional Company Processing requests such as analytics via automated integrations (collectively, “Company Data”).
  2. Service Provider is a Controller for all Personal Data collected from Data Subjects through their interactions with the Service Provider Services (collectively, “User Data”). 

3. Controller Responsibilities

a. Each Party will comply with Data Protection Laws in its performance under this DPA. When acting as independent Controllers, each Party is responsible for meeting its respective legal obligations regarding the Processing of Personal Data. 

b. In its role as Controller, Company will ensure that any Personal Data shared with Service Provider under this Agreement has been lawfully collected and transparently disclosed to the Data Subject.

c. Service Provider will respond to data subject rights requests it receives for User Data as an independent Controller, in accordance with its obligations under Data Protection Laws. For requests related to Company Data, Service Provider will promptly notify Company and provide reasonable assistance to enable Company to fulfill its obligations to the Data Subject as Controller.

d. Service Provider will not sell or share Personal Data, even when acting as a Controller. For the purposes of this subsection, “share” is defined as outlined in the CCPA, specifically referring to the disclosure of Personal Data to third parties for cross-context behavioral advertising or other targeted advertising purposes.

4. Processor Responsibilities 

As Processor, Service Provider will:

a. Process Company Data solely for the purpose of providing the Service Provider Services to Company as specified in the Agreement.

b. Limit the Processing of Company Data to what is necessary for performing the Services. Service Provider will not sell Company Data or Process it beyond the scope of its business relationship with Company, except as required by law. If compelled by law, Service Provider will inform Company prior to compliance, unless prohibited from doing so.

c. Ensure that all Service Provider personnel authorized to Process Company Data are bound by confidentiality obligations and appropriate training.

d. Maintain a Subprocessor list, including their activities and locations (the “Subprocessor List”). Company consents to the use of these Subprocessors for the Services and authorizes Service Provider to engage Subprocessors as needed, with general consent from Company. Service Provider will provide Company at least 30 days’ notice before engaging any new Subprocessors. Company may object to a new Subprocessor on reasonable data protection grounds by submitting a written objection within 30 days of receiving the notice. Service Provider will work in good faith to resolve the objection by offering a commercially reasonable change to the Services or configuration. If no resolution is reached within 60 days, Company may terminate the impacted Services and receive a refund for any prepaid fees covering the remainder of the term. If Company does not provide a timely objection notice, Company will be deemed to have authorized Service Provider’s use of the Subprocessor and to have waived its right to object. Service Provider will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. Service Provider will remain liable for the actions and omissions of its Subprocessors as if performing the Services directly.

e. Reasonably assist Company in fulfilling its obligations under Data Protection Laws. Upon written request, Service Provider will provide information necessary to demonstrate compliance with this DPA. Service Provider will avoid any Processing that could lead to Company’s non-compliance and will promptly notify Company if it considers an instruction to infringe upon Data Protection Laws.

5. Data Security 

Service Provider will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data that are no less restrictive than those in Exhibit B. Service Provider will provide the level of protection for Personal Data as is required under Data Protection Laws.

6. Security Breach 

Service Provider will notify Customer of a Security Breach without undue delay, and in no event later than seventy-two (72) hours. Service Provider will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations.

7. Audits 

Service Provider will make available to Customer all information necessary to demonstrate compliance with this DPA, and may satisfy this obligation by undergoing, and providing to Customer a report reflecting, an annual audit of Service Provider’s policies and technical and organizational measures by a qualified, independent auditor using an appropriate and accepted control standard or framework, such as a SOC-2, Type 2 Report. If Customer has a reasonable objection that the information provided is not sufficient to demonstrate Service Provider’s compliance with this DPA, Service Provider will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. The Parties agree that such audits and inspections will be: 1) conducted with at least fourteen (14) days’ prior written notice to Service Provider; 2) not more than once in any 12 month period; 3) occur during normal business hours; and 4) be limited to interviews with Service Provider personnel and questionnaires, unless required by a data protection authority or in connection with a Security Breach within Service Provider’s system or that of a Subprocessor that involves Customer Personal Data. In no case will Customer have any right to access by any means whatsoever the information or personal data of a third party or that is otherwise subject to a confidentiality obligation owed to a third party; information or systems that would, in Service Provider’s discretion, compromise Service Provider’s security; or any trade secrets or proprietary business information.

8. Return or Destruction of Personal Data 

Except to the extent required otherwise by Data Protection Laws, Service Provider will, at Customer’s written request, return to Customer and/or securely destroy all Personal Data. 

9. Deidentified Information  

Customer acknowledges and agrees that Service Provider may, as permitted by Data Protection Laws, and without limiting any data rights provisions set forth in each Agreement, collect, use and process aggregated, de-identified, and other non-identifiable data derived from the Services to improve its operations, enhance the features, functions, and performance of the Services, for benchmarking, reporting across Service Provider’s customer base, to develop industry reports, to develop general statements regarding the performance and capabilities of Service Provider’s products and services across Service Provider’s customer base, and to create new products and services offerings, provided such data is not Personal Data.  

10. Miscellaneous

a. Notwithstanding anything to the contrary in any Agreement or this DPA, the liability of each Party under this DPA is subject to the exclusions and limitations of liability set out in the applicable Agreement.

b. Any claims against Service Provider under this DPA may only be brought by the Customer entity that is a party to the applicable Agreement against the Service Provider entity that is a party to the applicable Agreement. 

c. This DPA will be governed by and construed in accordance with laws of the State of Tennessee, and subject to the dispute resolution provisions, if any, set forth in the applicable Agreement, in each case unless required otherwise by Data Protection Laws.

11. Survival 

The provisions of this DPA survive the termination or expiration of the Agreement for so long as Service Provider or its Subprocessors Process Personal Data. 

Exhibit B: Security Measures

Service Provider’s Information Security Program includes specific security requirements for its personnel and all Subprocessors or agents who have access to Personal Data (“Data Personnel”). Service Provider’s security requirements cover the following areas:

1. Information Security Policies and Standards. Vendor will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. 

2. Physical Security. Service Provider will maintain, or cause to be maintained, commercially reasonable security systems at all Service Provider sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.

3. Organizational Security. Service Provider will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.

4. Network Security. Service Provider maintains commercially reasonable information security policies and procedures addressing network security.

5. Access Control.  Service Provider agrees that: (1) only authorized Service Provider staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.

6. Virus and Malware Controls. Service Provider protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.

7. Personnel. Service Provider has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.

8. Business Continuity. Service Provider implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Service Provider also adjusts its Information Security Program in light of new laws and circumstances, including as Service Provider’s business and Processing change.