1. Scope and Application
This Data Processing Agreement ("DPA") forms part of the agreement between XALEN Technology Pvt Ltd ("XALEN", "Processor", "we") and the entity or person accepting these terms ("Customer", "Controller", "you") for the provision of AI infrastructure services (the "Service").
This DPA applies to the processing of Personal Data by XALEN on behalf of the Customer in connection with the Service. It supplements and is incorporated into the Terms of Service and any Master Service Agreement between the parties.
In the event of conflict between this DPA and any other agreement, this DPA prevails with respect to data processing matters.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by XALEN on behalf of the Customer in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, alteration, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-Processor" means any third party engaged by XALEN to process Personal Data on behalf of the Customer.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses (SCCs)" means the European Commission's standard contractual clauses for the transfer of personal data to third countries.
- "Data Fiduciary" has the meaning given under India's Digital Personal Data Protection Act, 2023.
3. Roles and Responsibilities
3.1 Customer as Controller
The Customer acts as the Data Controller (or "Data Fiduciary" under DPDPA 2023) and determines the purposes and means of processing Personal Data. The Customer is responsible for:
- Ensuring a lawful basis for processing (consent, contract, legitimate interest, or legal obligation)
- Providing appropriate notice to Data Subjects about the processing
- Ensuring that Personal Data submitted to the Service is collected lawfully
- Responding to Data Subject rights requests (with XALEN's assistance)
3.2 XALEN as Processor
XALEN acts as the Data Processor (the "Data Processor" as defined under DPDPA 2023) and processes Personal Data solely on documented instructions from the Customer. XALEN is responsible for:
- Processing Personal Data only as instructed by the Customer and as necessary to provide the Service
- Implementing appropriate technical and organizational security measures
- Ensuring personnel with access to Personal Data are bound by confidentiality obligations
- Assisting the Customer with Data Subject rights requests and data protection impact assessments
- Notifying the Customer promptly of any Data Breach
- Deleting or returning Personal Data upon termination of the Service
3.3 Processing Instructions
The Customer's instructions to XALEN for processing Personal Data are as follows: process Personal Data as necessary to provide the Service in accordance with the Terms of Service, this DPA, and any additional written instructions agreed by the parties. XALEN will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.
4. Data Processing Terms
4.1 Categories of Data Subjects
- Customer's employees and contractors who access the Service
- Customer's end users whose data is submitted via API calls
- Customer's business contacts (billing, administrative personnel)
4.2 Types of Personal Data Processed
- Account credentials (email, name, organization)
- API request content (prompts and inputs submitted by Customer)
- API response content (model outputs generated for Customer)
- Usage metadata (timestamps, endpoints, token counts, IP addresses)
- Billing and payment references
4.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing the Service, which includes: processing API requests, authenticating users, computing usage and billing, maintaining security, and providing technical support.
4.4 Duration of Processing
Processing continues for the duration of the Customer's use of the Service, plus the retention periods specified in Section 6, or until the Customer instructs deletion.
5. Sub-Processors
5.1 Current Sub-Processors
XALEN engages the following categories of sub-processors to deliver the Service:
| Sub-Processor Category | Purpose | Data Location |
| --- | --- | --- |
| Cloud infrastructure provider | Compute, storage, networking, database hosting | India (Mumbai), United States (Iowa) |
| AI compute partners | Model inference processing | United States |
| Payment processor | Payment collection and processing | India |
| Email delivery service | Transactional email (invoices, alerts, notifications) | United States, European Union |
| Monitoring and observability | Infrastructure monitoring, error tracking, uptime | United States |
A detailed list of specific sub-processors with entity names is available upon request to Enterprise customers under NDA. Contact [email protected].
5.2 Sub-Processor Obligations
XALEN ensures that all sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA. XALEN remains fully liable for the acts and omissions of its sub-processors.
5.3 Changes to Sub-Processors
XALEN will notify the Customer at least 30 days in advance of engaging any new sub-processor. The Customer may object to the new sub-processor by notifying XALEN within 14 days of receiving notice. If the Customer objects and XALEN cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the Service without penalty.
6. Data Retention
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| API request/response logs | 90 days | Abuse prevention, debugging, support |
| Model outputs | Not stored (transient processing only) | N/A |
| Usage metadata (token counts, latency) | 12 months | Billing, analytics, capacity planning |
| Billing and payment records | 7 years | Tax and legal compliance (Indian law) |
| Account information | Duration of account + 30 days | Service delivery |
| Security and audit logs | 12 months | Security monitoring, incident response |
6.1 Custom Retention
Enterprise customers may configure custom retention policies, including:
- Zero-retention mode: API inputs and outputs are processed in memory only and never written to persistent storage
- Extended retention: Logs retained beyond 90 days for compliance or audit purposes
- Geographic restriction: Data retained exclusively within a specified region
6.2 Deletion
Upon expiry of the retention period, or upon Customer's request, Personal Data is permanently deleted using cryptographic erasure (destruction of encryption keys) or multi-pass overwrite. Deletion is confirmed within 30 days of the request or retention period expiry.
7. Data Subject Rights
7.1 Assistance with Requests
XALEN will assist the Customer in fulfilling Data Subject rights requests, including:
- Right of Access: Providing copies of Personal Data processed on behalf of the Customer
- Right to Erasure: Deleting Personal Data upon verified request, subject to legal retention obligations
- Right to Portability: Exporting Personal Data in a structured, machine-readable format (JSON)
- Right to Rectification: Correcting inaccurate Personal Data
- Right to Restriction: Restricting processing upon request while maintaining storage
- Right to Object: Ceasing processing for specified purposes upon objection
7.2 Response Timeline
XALEN will respond to Customer's assistance requests related to Data Subject rights within 10 business days. The Customer remains responsible for communicating with the Data Subject within applicable legal timeframes (30 days under GDPR, reasonable time under DPDPA 2023).
7.3 Direct Requests
If XALEN receives a request directly from a Data Subject, we will promptly redirect the Data Subject to the Customer unless legally prohibited from doing so. We will notify the Customer of the direct request within 5 business days.
8. Security Measures
XALEN implements the following technical and organizational measures to protect Personal Data:
8.1 Encryption
- At rest: AES-256 encryption for all stored data, including databases, backups, and logs
- In transit: TLS 1.3 for all data in transit; TLS 1.2 is the minimum accepted protocol version
- Key management: Encryption keys managed via hardware security modules (HSM) with automatic rotation
8.2 Access Control
- Role-based access control (RBAC) with least-privilege principle
- Multi-factor authentication (MFA) required for all employees accessing production systems
- API keys stored using one-way cryptographic hashing (bcrypt)
- Privileged access logging and quarterly access reviews
8.3 Infrastructure Security
- Virtual private cloud (VPC) isolation with firewall rules
- DDoS protection and Web Application Firewall (WAF)
- Automated vulnerability scanning of infrastructure and application dependencies
- Container isolation for workload separation
8.4 Personnel Security
- Background checks for employees with access to Personal Data
- Mandatory data protection training upon hiring and annually
- Confidentiality agreements binding all personnel
- Immediate access revocation upon employment termination
8.5 Business Continuity
- Multi-region deployment with automatic failover
- Daily encrypted backups with tested restore procedures
- Disaster recovery plan with RTO of 4 hours and RPO of 1 hour
9. Breach Notification
9.1 Notification Timeline
XALEN will notify the Customer of any confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach. Where notification within 72 hours is not feasible, XALEN will provide a preliminary notification within 72 hours and a full notification as soon as additional information becomes available.
9.2 Notification Content
The breach notification will include, to the extent reasonably available:
- Nature of the breach, including categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Name and contact details of the point of contact for further information
9.3 Cooperation
XALEN will cooperate with the Customer in investigating and remediating the breach, including providing information necessary for the Customer to fulfill its obligations to notify supervisory authorities and Data Subjects under applicable law.
9.4 Documentation
XALEN maintains a record of all Data Breaches, including facts, effects, and remedial action taken, which is available for inspection by the Customer upon request.
10. International Transfers
10.1 Transfer Mechanisms
Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country not recognized as providing adequate data protection, XALEN ensures appropriate safeguards through:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (Module 2: Controller to Processor) are incorporated by reference into this DPA
- Supplementary measures: Technical measures (encryption in transit and at rest, pseudonymization where feasible) and organizational measures (access restrictions, data minimization)
10.2 Transfer Impact Assessment
XALEN has conducted a Transfer Impact Assessment for each country where Personal Data is processed and will provide a summary upon request. If the legal framework in a receiving country changes in a way that materially undermines the protections afforded by the SCCs, XALEN will notify the Customer and work with the Customer to implement additional safeguards or, if not feasible, cease the transfer.
10.3 Data Residency
Enterprise customers may restrict processing to specific regions:
- India-only: All processing within Mumbai (asia-south1)
- US-only: All processing within Iowa (us-central1)
- EU-only: Available upon request; requires dedicated infrastructure configuration
11. India DPDPA 2023 Compliance
11.1 Applicability
This section applies where Personal Data is processed under India's Digital Personal Data Protection Act, 2023 ("DPDPA"). Where the DPDPA applies, the Customer is the "Data Fiduciary" and XALEN is the "Data Processor" as defined under the Act.
11.2 Obligations
In accordance with the DPDPA 2023, XALEN:
- Processes Personal Data only for the purposes specified by the Customer (Data Fiduciary)
- Implements reasonable security safeguards as prescribed under Section 8 of the DPDPA
- Does not retain Personal Data beyond the period necessary for the specified purpose
- Erases Personal Data upon the Customer's instruction or when the purpose is no longer being served, whichever is earlier
- Does not transfer Personal Data to any country restricted by the Central Government under Section 16, unless the Customer provides lawful instruction
11.3 Data Principal Rights (DPDPA Section 8)
Under Section 8 of the DPDPA 2023, Data Principals ("Data Subjects") are entitled to the following rights. XALEN, as Data Processor, assists the Customer (Data Fiduciary) in fulfilling these rights upon request:
- Right to Access (Section 8(1)): Data Principals may request a summary of the Personal Data being processed and the processing activities undertaken. XALEN provides data export functionality via the dashboard and API to facilitate this.
- Right to Correction (Section 8(3)): Data Principals may request correction of inaccurate or misleading Personal Data, and completion of incomplete Personal Data. The Customer may submit correction requests to XALEN via the API or support channel, and XALEN will implement corrections within 15 business days.
- Right to Erasure (Section 8(4)): Data Principals may request erasure of Personal Data that is no longer necessary for the purpose for which it was collected. Erasure requests are fulfilled within 30 days, subject to statutory retention obligations (see Section 11.6).
- Right to Data Portability: Data Principals may request their Personal Data in a structured, commonly used, machine-readable format (JSON or CSV). XALEN supports data export via the dashboard and API.
- Right to Withdraw Consent (Section 6(6)): Where processing is based on consent, Data Principals may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal. See Section 11.4 for the withdrawal process.
11.4 Consent Mechanism
Where the lawful basis for processing is consent under the DPDPA, XALEN implements the following consent lifecycle:
- Collection: Consent is obtained at the point of API key issuance and account creation. By creating an account and generating an API key, the Customer (acting as Data Fiduciary) confirms that appropriate consent has been obtained from Data Principals whose data will be processed through the Service. For direct users of xalen.io, consent is collected via explicit opt-in during account registration.
- Recording: All consent events (grant, modification, withdrawal) are recorded in a Firestore audit log with timestamps, the specific purposes consented to, and the identity of the Data Principal. Consent records are retained for the duration of the account plus 7 years for compliance purposes.
- Management: Data Principals and Customers can view and manage consent preferences via the XALEN dashboard under Account Settings. The API also exposes consent management endpoints for programmatic control.
- Withdrawal: Data Principals may withdraw consent at any time by (a) using the consent management controls in the dashboard, (b) submitting a written request to [email protected], or (c) requesting withdrawal through the Customer (Data Fiduciary). Upon withdrawal, XALEN ceases processing the affected Personal Data within 15 business days. The Customer is notified of all withdrawal requests.
11.5 Data Principal Notices
XALEN provides notice to Data Principals regarding the processing of their Personal Data through the following channels:
- API Documentation: The XALEN API documentation at xalen.io/docs describes the categories of data collected, purposes of processing, and retention periods.
- Privacy Policy: The XALEN Privacy Policy at xalen.io/privacy provides comprehensive notice of data processing activities, rights, and contact information as required under DPDPA Section 5.
- DPO Contact: Data Principals may contact XALEN's Data Protection Officer at [email protected] for any inquiries regarding the processing of their Personal Data, to exercise their rights, or to file a grievance.
11.6 Statutory Retention and Erasure Limitations
Certain categories of Personal Data are subject to mandatory retention periods under Indian law that survive erasure or deletion requests:
- Billing and payment records: Retained for 7 years as mandated by the India Income Tax Act, 1961 (Section 44AA) and the Central Goods and Services Tax Act, 2017 (Section 35(5)). This retention is a legal obligation and is not optional.
- Tax invoices and GST records: Retained for a minimum of 6 years from the due date of the annual return under GST law, extended to 7 years to align with income tax requirements.
- Audit trail records: Retained for the period required to comply with applicable regulatory or judicial proceedings.
When a Data Principal exercises the right to erasure, XALEN will erase all Personal Data except data subject to the above statutory retention obligations. The retained data will be restricted from further processing (except as required by law) and will be permanently deleted upon expiry of the applicable retention period.
11.7 Significant Data Fiduciary
If the Customer is classified as a "Significant Data Fiduciary" under the DPDPA, XALEN will cooperate with additional obligations including periodic data audits, Data Protection Impact Assessments, and appointment of a Data Protection Officer, to the extent such cooperation relates to XALEN's processing activities.
11.8 Children's Data
XALEN does not knowingly process Personal Data of children (persons under 18 years of age as defined by the DPDPA) without verifiable parental consent. The Customer warrants that any Personal Data of children submitted to the Service has been collected with valid parental consent.
11.9 Grievance Officer
In compliance with the DPDPA 2023, XALEN designates the following Grievance Officer for the purposes of addressing Data Principal complaints and grievances:
Name: Data Protection Officer, XALEN Technology Pvt Ltd
Email: [email protected]
Address: XALEN Technology Pvt Ltd, Pune, Maharashtra, India
Response time: Acknowledgment within 48 hours; resolution within 30 days of receipt of grievance
Data Principals who are not satisfied with the resolution of their grievance may escalate their complaint to the Data Protection Board of India as established under DPDPA Section 18.
12. Audit Rights
12.1 Right to Audit
The Customer (or its authorized auditor) has the right to audit XALEN's compliance with this DPA. Audits may be conducted no more than once per calendar year and upon 30 days' written notice, unless a Data Breach has occurred or a supervisory authority requires an audit.
12.2 Audit Scope
Audits may cover:
- Technical and organizational security measures
- Sub-processor management and contracts
- Data deletion and retention practices
- Breach notification procedures
- Employee training and access controls
12.3 Alternative Evidence
XALEN may satisfy audit requests by providing:
- SOC 2 Type II report (when available)
- ISO 27001 certification (when available)
- Results of third-party penetration tests (summary)
- Completed security questionnaire (SIG or CAIQ format)
12.4 Confidentiality
Audit information is confidential. The Customer agrees to execute a non-disclosure agreement before receiving detailed audit results and to use audit information solely for verifying compliance with this DPA.
13. Termination and Data Return
13.1 Data Return
Upon termination of the Service or upon Customer's written request, XALEN will:
- Return all Personal Data to the Customer in a structured, machine-readable format (JSON or CSV) within 30 days
- Provide the Customer with an export of all account data, usage logs, and billing records
13.2 Data Deletion
Following data return (or Customer's instruction to skip the return), XALEN will permanently delete all Personal Data within 30 days, except where retention is required by applicable law (e.g., billing records for 7 years under Indian tax law). XALEN will provide written confirmation of deletion upon request.
13.3 Survival
The obligations in Sections 8 (Security), 9 (Breach Notification), and 12 (Audit Rights) survive termination of this DPA for as long as XALEN retains any Personal Data on behalf of the Customer.
13.4 Contact
XALEN Technology Pvt Ltd
Pune, Maharashtra, India
Data Protection Officer: [email protected]
Enterprise: [email protected]
General: [email protected]