This SCC Addendum supplements the DPA (/policies/dpa.html) and applies where Xirsys transfers Client Personal Data from the EEA/UK/Switzerland to a third country lacking an adequacy decision.
1) EU SCCs (2021) & UK Addendum
The parties incorporate the EU Commission Standard Contractual Clauses (2021), Module 2 (Controller → Processor), as amended from time to time.
For UK transfers, the ICO International Data Transfer Addendum to the EU SCCs applies.
For Switzerland, references to EU law/GDPR are deemed to include Swiss FADP and the FDPIC.
2) Annex I (Summary)
Data Exporter: Client (Controller).
Data Importer: Xirsys, LLC (Processor).
Data Subjects:
Client personnel and representatives (e.g., billing contacts, account users).
Client end users (participants in WebRTC applications) only to the extent that transient technical data, such as IP addresses, is relayed through Xirsys infrastructure to establish connections. Xirsys does not store IP addresses or communications content.
Categories of Data:
Client account data (e.g., contact and billing details).
Aggregated metrics: session counts and bytes transferred per account.
Transient IP addresses and session data during connection setup, which are not stored or retained.
Frequency: Continuous as necessary to provide Services.
Purpose of Processing: Account administration, billing, support, security, and service improvement. Includes transient relay of encrypted session traffic solely to facilitate real-time communications.
Retention: Client Personal Data per DPA §9. Service traffic, including IP addresses, is relayed but never stored. Aggregated, non-identifiable usage metrics (e.g., session counts, bytes transferred) are retained for billing and support.
Competent Supervisory Authority: Determined per SCCs based on the Client’s establishment.
3) Annex II (Technical & Organizational Measures)
Encryption in transit and at rest for Client Personal Data.
Access control (authentication, least privilege, role-based access).
Logging/monitoring, vulnerability and patch management.
Network security, segmentation, and DDoS protections.
Personnel security and confidentiality commitments.
Secure development lifecycle and change management.
Incident response and breach notification processes.
Vendor risk management and sub-processor due diligence.
Business continuity and disaster recovery.
4) Sub-processors (Annex III)
A current list of approved sub-processors (e.g., cloud hosting, support, payments) is available from Xirsys upon request. Controller authorizes these sub-processors; Xirsys will notify Controller of material changes with an opportunity to object consistent with the SCCs/DPA.
5) Conflicts
In case of conflict between the SCCs and any other agreement, the SCCs control to the extent of the conflict for cross-border transfers.