Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Xcity Terms of Service between you ("Customer") and XCITY ARGENTINA INC ("Xcity"). It governs Xcity's processing of Customer Personal Data on Customer's behalf in connection with the Xcity AI-as-a-Service platform.
1. Definitions
- Personal Data means information relating to an identified or identifiable natural person, as defined under GDPR Art. 4(1) and equivalent laws.
- Customer Personal Data means Personal Data that Customer (as Controller) provides to Xcity, or that is generated, collected, or stored through the Services on Customer's instructions.
- Processing has the meaning given in GDPR Art. 4(2).
- Subprocessor means a third party engaged by Xcity to process Customer Personal Data.
- Standard Contractual Clauses ("SCCs") means the EU Commission's 2021/914 Standard Contractual Clauses, as updated.
2. Roles
For Customer Personal Data, Customer is the Controller and Xcity is the Processor. Xcity processes Customer Personal Data only on documented instructions from Customer (including the instructions implicit in Customer's normal use of the Services). Xcity is the Controller of its own account/billing data (see § 3.5).
3. Processing details
3.1 Subject matter
Provision of AI inference, agent orchestration, storage, and related Services to Customer.
3.2 Duration
The term of the underlying agreement, plus a reasonable wind-down period (see § 9).
3.3 Nature and purpose
Computation, storage, transit, model inference, logging, abuse detection, and customer support.
3.4 Categories of data subjects
End users of Customer's products and services; Customer's employees, contractors, and agents who interact with the Services; data subjects represented in content Customer submits to AI models.
3.5 Categories of Personal Data
Identifiers (email, account ID); content of API requests and responses (which may contain arbitrary Personal Data submitted by Customer); usage telemetry; logs.
Account-level data (Customer's own user records, billing details) is processed by Xcity as Controller — see Privacy Policy.
4. Security
Xcity implements appropriate technical and organizational measures, including:
- TLS 1.2+ for data in transit; AES-256 for data at rest.
- Role-based access controls; principle of least privilege; admin access audit logs.
- Encryption keys managed in dedicated KMS; rotation on schedule.
- Network segmentation; DDoS protection at the edge.
- SDLC reviews for production code; dependency scanning; vulnerability patching SLAs.
- Incident response procedure with 72-hour notification commitment (§ 6).
Detailed security controls are available under NDA. Email security@xcity.one.
5. Subprocessors
Customer authorizes Xcity to engage Subprocessors to process Customer Personal Data, subject to written terms protecting the data to a standard at least as protective as this DPA. Current Subprocessors:
- Railway Corp. — application hosting (US)
- Stripe, Inc. — payment processing (US, EU)
- Resend, Inc. — transactional email (US)
- Cloudflare, Inc. — edge networking, DDoS (global)
- Upstream model providers (when Customer routes a request to a third-party model): OpenAI, Anthropic, Google, Mistral, Meta-licensed providers, and others as configured in Customer's TokenHub key. Routing to upstream providers means Customer's data is shared with those providers under their own terms.
Xcity will provide at least 30 days' notice of any new Subprocessor or replacement (via email to the account contact). Customer may object on reasonable data-protection grounds; if we cannot accommodate the objection, Customer may terminate the affected Service.
6. Personal Data breach notification
Xcity will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the nature of the breach, the categories and approximate number of records and data subjects affected, the likely consequences, and the measures taken or proposed.
7. Data subject rights
Xcity provides self-service tools enabling Customer to access, correct, export, and delete Customer Personal Data via the dashboard and API. For data subject requests Customer cannot fulfill via the Services, Xcity will provide reasonable assistance, taking into account the nature of the Processing and the information available to Xcity.
8. International transfers
Where Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the Parties incorporate by reference the SCCs (Module Two: Controller-to-Processor) into this DPA. Argentina has an EU adequacy decision; data processed in Argentina does not require SCCs.
9. Return and deletion
Upon termination of the underlying agreement, Xcity will, at Customer's option, return or delete all Customer Personal Data within 90 days, subject to retention required by applicable law (e.g. tax records, audit logs).
10. Audits
Xcity will provide, on reasonable written request and not more than once per year, summary information demonstrating compliance with this DPA (e.g. SOC 2 reports when available, completed security questionnaires). Customer's right to conduct on-site audits is limited to cases where independent reports are insufficient and where Customer has reasonable grounds to suspect non-compliance, subject to reasonable notice and confidentiality terms.
11. CCPA/CPRA addendum
For California consumers' Personal Information processed under this DPA: Xcity is a "Service Provider" as defined in the CCPA/CPRA. Xcity does not Sell or Share (as those terms are defined in CPRA § 1798.140) Customer Personal Data. Xcity is prohibited from retaining, using, or disclosing Customer Personal Data for any purpose other than the specific purposes set forth in this DPA, except where permitted by CCPA § 1798.140(j)(1).
12. Conflict
In the event of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to processing of Customer Personal Data.
Questions: privacy@xcity.one.