This Data Processing Agreement ("DPA") forms part of the Terms of Service (/tos) between Client (Controller) and Xirsys, LLC (Processor). Capitalized terms not defined here have the meanings in the ToS.
Xirsys processes Client Personal Data to provide the Services for the term of the ToS and this DPA.
Account administration, authentication, support, billing, security, and service improvement. Xirsys relays encrypted Service Traffic (including IP addresses) only transiently to facilitate session connectivity and does not process or store Service Traffic content. Metrics Data is stored at the account level for billing, operations, and support.
Xirsys may engage sub-processors (e.g., cloud hosting, payments, support tools). Xirsys will impose data protection terms equivalent to this DPA and remains responsible for sub-processors’ performance. A current list is available on request; we will notify of material changes.
Where Client Personal Data is transferred outside the EEA/UK/Switzerland, Xirsys will use appropriate safeguards, including the EU 2021 SCCs and the UK Addendum, as detailed in the SCC Addendum (/policies/scc.html).
Upon reasonable request, Xirsys will make available information to demonstrate compliance (e.g., security summaries, policies, third-party reports) and allow audits subject to reasonable advance notice, confidentiality, and frequency limits.
Upon request, Xirsys will delete Client Personal Data within 30 days, unless retention is required by law. Service Traffic content is never stored; Metrics Data is retained per our retention schedule for billing, security, and planning.
Each party’s liability is as set out in the ToS. Nothing in this DPA limits liability that cannot be limited by law.
Conflicts are resolved in favor of the SCCs (for transfers) and then this DPA over the ToS with respect to processing of Client Personal Data. Governing law: California, without prejudice to mandatory protections under applicable Data Protection Laws.
Last Updated: September 16, 2025