
Data Processing Addendum

Effective date: 19 April 2026. This DPA forms part of the Terms of Service between Xenith Intelligence Ltd. (“Xenith”, “processor”) and the customer (“Customer”, “controller”) and governs the processing of personal data carried out by Xenith on the Customer’s behalf.

1. Definitions

Terms such as “controller”, “processor”, “data subject”, “personal data”, “processing” and “personal data breach” have the meaning given to them in the UK GDPR and the EU GDPR (together, “GDPR”). “Data Protection Laws” means the GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA, and any other applicable data protection or privacy laws.

2. Roles

Customer is the controller and Xenith is the processor in relation to the Customer Data. Each party will comply with its obligations under applicable Data Protection Laws.

3. Subject matter, duration, nature and purpose

  • Subject matter: provision of the Xenith voice AI platform under the Terms of Service.
  • Duration: the term of the Terms of Service plus any retention period described in Section 10.
  • Nature and purpose: hosting, transmitting, transcribing, analysing and storing call audio and related data to operate, secure and improve the Services.
  • Categories of data subjects: Customer’s end-users, contacts, prospects, and other individuals whose data is submitted by Customer.
  • Categories of personal data: names, phone numbers, call audio and transcripts, metadata, and any other personal data Customer chooses to submit.

4. Customer instructions

Xenith will process personal data only on documented instructions from Customer, including as set out in the Terms and this DPA. Xenith will inform Customer if it believes an instruction infringes Data Protection Laws.

5. Confidentiality

Xenith ensures that personnel authorised to process personal data are bound by written confidentiality obligations and receive appropriate training on their obligations.

6. Security measures (Article 32)

Xenith implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • encryption in transit (TLS 1.2+) and at rest for databases;
  • role-based access control with least-privilege principles;
  • multi-factor authentication for administrative access;
  • HMAC-SHA256 signed webhooks to prevent tampering;
  • network isolation, firewalling and vulnerability management;
  • audit logging and monitoring of production systems;
  • regular backups and tested recovery procedures;
  • security reviews of changes, and vendor due diligence for sub-processors.

7. Sub-processors

Customer grants general authorisation for Xenith to engage sub-processors for the performance of the Services. Xenith will impose data protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable for their acts and omissions. Current sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Voice AI infrastructure provider | Voice AI orchestration, transcription | United States |
| Supabase, Inc. | Database hosting, authentication | United States / EU |
| Vercel, Inc. | Application hosting and CDN | United States / global |
| Stripe, Inc. | Payment processing | United States / Ireland |
| Twilio Inc. / Vonage | Telephony carriage (PSTN) | United States / global |
| Cloudflare, Inc. | DNS, DDoS protection | Global |

We will give Customer at least 30 days’ notice of any new or replacement sub-processor. If Customer has a reasonable, data-protection-based objection, the parties will discuss a resolution in good faith; Customer may terminate the affected Services if no resolution can be reached.

8. International transfers

Where Xenith transfers personal data outside the UK/EEA to a country that does not benefit from an adequacy decision, the transfer is made under the EU Standard Contractual Clauses (Module 2 or 3 as applicable) and, for UK personal data, the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.

9. Data subject rights & assistance

Xenith will, taking into account the nature of the processing, provide reasonable assistance to Customer by appropriate technical and organisational measures, insofar as possible, to enable Customer to respond to data subject requests and to fulfil its obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, consultation with supervisory authorities).

10. Personal data breach

Xenith will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for Customer to meet its own notification obligations.

11. Deletion & return

On termination or expiry of the Services, Xenith will, at Customer’s choice, delete or return Customer Data and delete existing copies within 30 days, unless applicable law requires storage for a longer period. Standard back-ups containing Customer Data are deleted in the ordinary course of our back-up rotation.

12. Audits

Xenith will make available to Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR. On reasonable written request and not more than once per 12 months (except following a personal data breach or regulator request), Customer or a mutually agreed independent auditor bound by confidentiality may conduct an audit of Xenith’s data-protection practices, on at least 30 days’ notice, during business hours, and without disrupting Xenith’s operations. Xenith may satisfy this obligation by providing current third-party certifications (e.g. SOC 2, ISO 27001) and audit summaries.

13. CCPA — service provider status

To the extent Xenith processes personal information of California consumers on Customer’s behalf, Xenith acts as a “service provider” under the CCPA/CPRA. Xenith will not (a) sell or share such personal information; (b) retain, use or disclose it for any purpose other than the business purposes specified in the Terms; or (c) combine it with personal information from other sources except as permitted by the CCPA.

14. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

15. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data. The Standard Contractual Clauses prevail over this DPA to the extent of any conflict.

16. Contact

Data protection enquiries: privacy@xenithintelligence.com.

© 2026 Xenith Intelligence Ltd. Registered in England & Wales.