Policy

Data Processing Agreement.

This agreement describes how Xirsys processes client personal data while providing WebRTC STUN/TURN services, APIs, billing, support, and operational reporting.

Data Processing Agreement

Last updated: September 16, 2025

This Data Processing Agreement forms part of the Xirsys Terms of Service between the client as controller and Xirsys, LLC as processor. Capitalized terms not defined here have the meanings given in the Terms of Service.

Privacy PolicyHow Xirsys handles account data, metrics, and service traffic. SCC AddendumInternational transfer terms for EEA, UK, and Switzerland data. Sub-processorsCurrent providers used to support delivery of the services.

1. Roles and definitions

  • Controller: the client.
  • Processor: Xirsys, LLC.
  • Client personal data: account, contact, billing, and support information provided to Xirsys.
  • Service traffic: encrypted, transient media and signaling data, including IP addresses, relayed through STUN/TURN infrastructure only to establish and maintain real-time sessions. Service traffic is not stored as communications content by Xirsys.
  • Metrics data: aggregated account-level usage data, such as session counts, bytes transferred, uptime, and error rates, retained for billing, operations, security, and support.
  • Data protection laws: applicable privacy and data protection laws, including GDPR, UK GDPR, CPRA, Swiss FADP, and other applicable requirements.

2. Subject matter and duration

Xirsys processes client personal data to provide the services for the term of the Terms of Service and this DPA.

3. Nature and purpose of processing

Processing supports account administration, authentication, support, billing, security, and service improvement. Xirsys relays encrypted service traffic transiently to facilitate session connectivity and does not store service traffic content. Metrics data is stored at the account level for billing, operations, and support.

4. Categories of data and data subjects

  • Data: client contact, billing, identity, support, and aggregated metrics data.
  • Data subjects: client personnel and representatives, such as developers, billing contacts, support contacts, and account users.
  • End users: participants in client applications only to the extent their encrypted session traffic, including transient IP addresses, is relayed through Xirsys infrastructure. Xirsys does not store end-user communications content or identifiers from service traffic.

5. Processor obligations

  • Process client personal data only on documented controller instructions.
  • Keep client personal data confidential and require personnel confidentiality.
  • Maintain appropriate technical and organizational measures, including encryption, access controls, monitoring, least privilege, and vulnerability management.
  • Assist the controller with data subject requests and security obligations where applicable to client personal data.
  • Notify the controller without undue delay of a personal data breach affecting client personal data.

6. Sub-processors

Xirsys may engage sub-processors for cloud hosting, payments, support tools, analytics, and related operations. Xirsys imposes equivalent data protection terms on sub-processors and remains responsible for their performance. The current list is available on the Sub-processors page.

7. International transfers

Where client personal data is transferred outside the EEA, UK, or Switzerland, Xirsys uses appropriate safeguards, including the EU 2021 Standard Contractual Clauses and the UK Addendum as described in the SCC Addendum.

8. Audits and information

Upon reasonable request, Xirsys will make information available to demonstrate compliance, including security summaries, policies, or third-party reports, and will allow audits subject to reasonable notice, confidentiality, and frequency limits.

9. Return and deletion

Upon request, Xirsys will delete client personal data within 30 days unless retention is required by law. Service traffic content is never stored. Metrics data is retained according to Xirsys retention practices for billing, security, and planning.

10. Liability

Each party's liability is governed by the Terms of Service. Nothing in this DPA limits liability that cannot be limited by law.

11. Miscellaneous

If terms conflict, the Standard Contractual Clauses control for international transfers, then this DPA controls over the Terms of Service with respect to processing client personal data. Governing law is California, without prejudice to mandatory protections under applicable data protection laws.