DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of the Terms of Service (/tos) between Client (Controller) and Xirsys, LLC (Processor). Capitalized terms not defined here have the meanings in the ToS.

1) Roles & Definitions

• Controller: Client.
• Processor: Xirsys, LLC.
• Client Personal Data: Account, contact, billing, and support information the Client provides to Xirsys.
• Service Traffic: Encrypted, transient media/signaling data (including IP addresses) relayed via STUN/TURN solely to establish and maintain real-time sessions; never stored.
• Metrics Data: Aggregated account-level usage data (e.g., session counts, total bytes transferred, uptime/error rates) retained for billing, operations, and security; not linked to identifiable End Users.
• Data Protection Laws: GDPR/UK GDPR, CPRA, Swiss FADP, and other applicable laws.

2) Subject Matter & Duration

Xirsys processes Client Personal Data to provide the Services for the term of the ToS and this DPA.

3) Nature & Purpose of Processing

Account administration, authentication, support, billing, security, and service improvement. Xirsys relays encrypted Service Traffic (including IP addresses) only transiently to facilitate session connectivity and does not process or store Service Traffic content. Metrics Data is stored at the account level for billing, operations, and support.

4) Categories of Data & Data Subjects

• Data: Client contact/billing/identity data; support content; Metrics Data (aggregate, non-content).
• Data Subjects: - Client personnel/representatives (e.g., developers, billing contacts, support contacts). - End Users of Client applications, solely to the extent that their encrypted session traffic (including IP addresses) is transiently relayed through Xirsys infrastructure; no End User communications content or identifiers are stored.

5) Processor Obligations

• Process only on Controller’s documented instructions.
• Keep Client Personal Data confidential; ensure personnel confidentiality.
• Implement appropriate technical and organizational measures (encryption at rest/in transit for Client Personal Data, access control, monitoring, least privilege, vulnerability management).
• Assist Controller with data subject requests and security obligations (Articles 32–36 GDPR) where applicable to Client Personal Data.
• Notify Controller without undue delay of a Personal Data breach affecting Client Personal Data.

6) Sub-processors

Xirsys may engage sub-processors (e.g., cloud hosting, payments, support tools). Xirsys will impose data protection terms equivalent to this DPA and remains responsible for sub-processors’ performance. See the current list at Sub-processors; we will notify of material changes.

7) International Transfers

Where Client Personal Data is transferred outside the EEA/UK/Switzerland, Xirsys will use appropriate safeguards, including the EU 2021 SCCs and the UK Addendum, as detailed in the SCC Addendum (/policies/scc.html).

8) Audits & Information

Upon reasonable request, Xirsys will make available information to demonstrate compliance (e.g., security summaries, policies, third-party reports) and allow audits subject to reasonable advance notice, confidentiality, and frequency limits.

9) Return & Deletion

Upon request, Xirsys will delete Client Personal Data within 30 days, unless retention is required by law. Service Traffic content is never stored; Metrics Data is retained per our retention schedule for billing, security, and planning.

10) Liability

Each party’s liability is as set out in the ToS. Nothing in this DPA limits liability that cannot be limited by law.

11) Miscellaneous

Conflicts are resolved in favor of the SCCs (for transfers) and then this DPA over the ToS with respect to processing of Client Personal Data. Governing law: California, without prejudice to mandatory protections under applicable Data Protection Laws.

Last Updated: September 16, 2025