Data Processing Agreement
Updated May 11, 2026
This Data Processing Agreement ("DPA") is concluded between you (the "Controller") and XAIO FlexCo, Liechtensteinstraße 22a / 4, 1090 Wien, Austria, FN 672065g, Handelsgericht Wien (the "Processor" or "XAIO"), and forms an integral part of the Terms of Service. It applies whenever XAIO processes Personal Data on behalf of the Controller in connection with the Service. To the extent that XAIO processes Personal Data as Controller (e.g. account data of the Controller's representatives), the Privacy Policy applies. Capitalised terms not defined here have the meaning given in Article 4 GDPR or in the Terms.
1. Subject Matter and Duration
The Processor processes Personal Data on behalf of the Controller solely to provide the Service in accordance with the Terms, this DPA and the documented instructions of the Controller. This DPA remains in force for as long as the Processor processes Personal Data for the Controller.
2. Nature, Purpose and Scope
- Nature of processing: collection, storage, transmission, retrieval, structuring, organisation, hosting, transformation and deletion of Personal Data through the Service.
- Purpose: providing the AI-assisted development, collaboration, publication and operation features of the Service to the Controller.
- Duration: for the term of the underlying subscription and for any retention period required by law.
3. Categories of Data Subjects and Personal Data
Data subjects and categories of Personal Data depend on how the Controller uses the Service and typically include:
- Data subjects: the Controller's employees, contractors and collaborators with Account access; end users of the Controller's Published Sites or applications hosted on the Service; persons referenced in User Content.
- Personal Data: account identifiers (name, email, role, language); collaboration metadata (project, comment, audit log); content of prompts, code, configurations, files and AI Output submitted by the Controller; technical data such as IP addresses, device identifiers, and logs; any further Personal Data the Controller chooses to process via the Service.
The Controller shall not knowingly submit Special Categories of Personal Data under Article 9 GDPR or data concerning criminal convictions under Article 10 GDPR through the Service without a clear lawful basis and appropriate safeguards.
4. Instructions and Compliance
The Processor will process Personal Data only on documented instructions of the Controller, including with regard to transfers to third countries, unless required to do otherwise by Union or Member-State law. In such a case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits this for important reasons of public interest.
The Controller's standing instructions are documented in the Terms, this DPA and the configurations made in the Service. Additional or different instructions must be in text form and may be subject to a reasonable charge if they materially exceed the scope of the Service.
The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other data-protection provisions.
5. Confidentiality of Personnel
The Processor ensures that all persons authorised to process Personal Data are bound to confidentiality (by contractual or statutory obligation) and are appropriately trained on data-protection obligations.
6. Technical and Organisational Measures (TOMs)
The Processor implements appropriate technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk. Current measures include:
- Confidentiality. Encrypted transport (TLS 1.2+), encrypted storage at rest (AES-256 or equivalent), role-based access control, principle of least privilege, multi-factor authentication for administrative access, segregation of customer environments.
- Integrity. Input validation, code review, automated dependency and vulnerability scanning, audit logging for security-relevant actions.
- Availability and resilience. Redundant infrastructure within the EU (eu-central-1, Frankfurt), automated backups, monitoring and alerting, incident-response procedures.
- Restorability. Documented backup-restore procedures and tests of restorability.
- Pseudonymisation. Where reasonably possible, pseudonymisation of identifiers in logs.
- Vendor management. Due diligence on Sub-Processors and contractual flow-down of data-protection obligations.
- Personnel. Confidentiality undertakings, background checks where lawful, ongoing security and data-protection training.
- Secure development lifecycle. SDLC including threat modelling, code review, SAST, dependency scanning and pre-deployment security testing.
A current, more detailed description of the TOMs is available on request at security@xaio.dev. The Processor may update the measures from time to time provided the level of protection is not lowered.
7. Sub-Processors
The Controller hereby grants the Processor general written authorisation to engage Sub-Processors. A current list is published at /sub-processors.
The Processor will inform the Controller of any intended addition or replacement of Sub-Processors at least 30 days in advance, providing details of the planned change and allowing the Controller to object on reasonable data-protection grounds. If the Controller objects in writing within the notice period and the parties cannot agree on a solution within a reasonable time, the Controller may terminate the affected portion of the Service for cause; pre-paid fees for the unused remaining period will be refunded pro rata.
The Processor enters into a written agreement with each Sub-Processor that imposes data-protection obligations substantially equivalent to those set out in this DPA, in particular sufficient guarantees to implement appropriate TOMs.
8. International Transfers
The primary processing location is the European Union (Frankfurt, Germany). Where Sub-Processors process Personal Data outside the EEA (e.g. AI model providers in the United States), the Processor will ensure an appropriate transfer mechanism under Chapter V GDPR, such as: (a) processing through an EU entity covered by the EU–US Data Privacy Framework or a successor; (b) the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) including module 3 (processor-to-processor) where applicable, together with supplementary measures; (c) other lawful transfer mechanisms.
The Processor will make the relevant transfer documentation available to the Controller on request.
9. Assistance to the Controller
Taking into account the nature of the processing and the information available, the Processor assists the Controller, by appropriate technical and organisational measures and within a reasonable time, with:
- responding to requests from data subjects under Articles 12 to 22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making);
- compliance with Articles 32 to 36 GDPR (security, breach notification, data-protection impact assessments and prior consultation);
- cooperation with supervisory authorities upon reasonable request.
The Processor may charge the Controller for assistance that materially exceeds the standard self-service capabilities provided by the Service, at the Processor's then-current professional-services rates, after notice and a reasonable estimate.
10. Personal Data Breach Notification
The Processor will notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's Personal Data. The notification will, to the extent then known, describe the nature of the breach, categories and approximate numbers of affected data subjects and records, likely consequences and measures taken or proposed to address the breach and mitigate adverse effects. The Processor will provide further information as it becomes available.
11. Records and Audit
The Processor maintains the records of processing required by Article 30 (2) GDPR and makes available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
The Controller may, no more than once per calendar year and on at least 30 days' prior written notice (except in case of a Personal Data breach or supervisory-authority order), conduct audits at its own cost, including by means of inspections by an independent auditor that is mutually agreed and bound to confidentiality. Audits shall take place during normal business hours, not unreasonably interfere with the Processor's operations, and respect the confidentiality and security of the Processor's other customers.
The Processor will respond to reasonable audit requests by providing such documentation as it maintains from time to time, which may include the Processor's current security questionnaire, TOM documentation, penetration-test summary, and — where then held — third-party certifications (e.g. ISO 27001, SOC 2 Type II). The Processor does not currently hold ISO 27001 or SOC 2 Type II certification; any updates to this status will be reflected on /sub-processors. The Processor will participate in good-faith follow-up questions, except where mandatory law requires an on-site audit.
12. Deletion or Return on Termination
On termination of the underlying subscription and at the Controller's choice communicated in advance, the Processor will delete or return all Personal Data processed on behalf of the Controller, and delete existing copies, unless Union or Member-State law requires further storage. By default and absent timely instruction, the Processor will delete Personal Data within 30 days after termination, subject to backup-retention cycles and legal-retention requirements (in particular tax and book-keeping obligations under §§ 132 BAO and 212 UGB), during which the data will be securely isolated and access-restricted.
13. Liability
The parties' liability under this DPA is governed by Section 21 of the Terms (Limitation of Liability), without prejudice to the rights of data subjects under Article 82 GDPR. Liability towards data subjects shall be allocated between the parties in accordance with Article 82 (5) GDPR.
14. Order of Precedence
In the event of any conflict between this DPA and the Terms or any Order Form on data-protection matters, this DPA prevails. The remainder is governed by Section 29 of the Terms.
15. Governing Law
This DPA is governed by the same law and subject to the same jurisdiction as the Terms (see Section 24 of the Terms).
16. Contact
Data-protection contact: privacy@xaio.dev
Security contact: security@xaio.dev