Data Processing Addendum
This DPA forms part of the agreement between DoubleXL and the Customer for the processing of Personal Data. Where applicable law requires, the Standard Contractual Clauses and UK Addendum apply by reference.
Effective: June 9, 2026 · Version: 2026-06
1. How to Execute This DPA
This DPA is incorporated by reference into the agreement between DoubleXL, Inc. ("DoubleXL") and the customer entity ("Customer") for the Services (the "Agreement"). Customers using the Services to process Personal Data are deemed to have accepted this DPA upon acceptance of the Terms of Service or execution of an Order Form or Master Subscription Agreement. A countersigned copy is available on request to legal@double-xl.com.
2. Definitions
Capitalized terms not defined here have the meanings given in the Agreement or in applicable Data Protection Laws (GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and analogous laws).
- Customer Personal Data means Personal Data included in Customer Data processed by DoubleXL on behalf of Customer.
- Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under the Agreement.
- Subprocessor means any third party engaged by DoubleXL to process Customer Personal Data.
- Standard Contractual Clauses (SCCs) means the EU SCCs adopted by Commission Implementing Decision (EU) 2021/914.
- UK Addendum means the UK International Data Transfer Addendum to the SCCs issued by the UK ICO.
3. Roles and Scope
The parties acknowledge that, for Customer Personal Data processed under the Agreement, Customer is the Controller (or processor acting on behalf of a controller) and DoubleXL is the Processor (or sub-processor). For California, DoubleXL is a Service Provider; for Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana, DoubleXL is a Processor.
4. Processing Particulars
- Subject matter: provision of the Services.
- Duration: the term of the Agreement, plus the deletion period in Section 11.
- Nature and purpose: hosting, storing, processing, analyzing, generating Outputs from, and securing Customer Data to deliver the Services and Customer-directed features.
- Categories of Data Subjects: Customer personnel, end users, contacts, customers of Customer, and other individuals whose Personal Data is contained in Customer Data.
- Categories of Personal Data: identifiers (name, email, phone), profile data, business contact data, communications content (email, messages, meeting audio/video, transcripts), files and documents, usage and device metadata, and any other categories Customer chooses to upload or generate.
5. Customer Instructions
DoubleXL will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do otherwise by applicable law. The Agreement, this DPA, the Services configuration, and the Documentation constitute Customer's complete and final instructions. If DoubleXL believes an instruction infringes Data Protection Laws, it will inform Customer.
6. Confidentiality of Personnel
DoubleXL will ensure that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations and have received appropriate training on Data Protection Laws.
7. Security Measures
DoubleXL implements appropriate technical and organizational measures to protect Customer Personal Data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls, least-privilege provisioning, and mandatory MFA for personnel
- Network segmentation, WAF, DDoS protection, and secrets management
- Centralized logging, anomaly detection, and on-call incident response
- Secure software development, dependency scanning, peer code review, and periodic third-party penetration testing
- Business-continuity and disaster-recovery procedures with regular testing
- A security program aligned with SOC 2; current reports available under NDA
A current summary of measures is published on our Security page.
8. Subprocessors
Customer authorizes DoubleXL to engage the Subprocessors listed at /subprocessors. DoubleXL will (a) impose contractual data-protection obligations on each Subprocessor that are at least as protective as this DPA; (b) remain liable for Subprocessor performance; and (c) provide at least 30 days' advance notice of any new Subprocessor through the subscription mechanism on the Subprocessors page. Customer may object on reasonable, documented data-protection grounds within that notice period; if the parties cannot resolve the objection, Customer may terminate the affected Services and receive a pro-rata refund of prepaid fees for the unused term.
9. International Transfers
Where DoubleXL processes Customer Personal Data originating from the EEA, UK, or Switzerland in a country not recognized as providing an adequate level of protection, the transfer will be governed by the SCCs (Module Two: Controller to Processor, or Module Three: Processor to Sub-processor, as applicable), incorporated by reference. The UK Addendum applies to UK transfers, and the Swiss FADP addendum applies to Swiss transfers. Customer is the data exporter; DoubleXL is the data importer. Docking clause, optional clauses, and Annexes are set out in Annex I below.
10. Personal Data Breach Notification
DoubleXL will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required by applicable Data Protection Laws to the extent then known, and will be supplemented as additional information becomes available. DoubleXL will provide reasonable cooperation to support Customer's own notification obligations to supervisory authorities and Data Subjects.
11. Return and Deletion
On termination of the Agreement, Customer may export Customer Personal Data for 30 days using self-service tools or by written request. Thereafter, DoubleXL will delete or de-identify Customer Personal Data within 30 days, with backups purged within 90 days, except where retention is required by applicable law. DoubleXL will provide written certification of deletion on request.
12. Data Subject Requests
The Services provide functionality enabling Customer to respond to Data Subject access, correction, deletion, portability, restriction, and objection requests. Where a Data Subject contacts DoubleXL directly, DoubleXL will promptly forward the request to Customer and will not respond substantively except as instructed by Customer or required by law.
13. Assistance to Customer
Taking into account the nature of the processing and the information available, DoubleXL will provide reasonable assistance to Customer with: (a) Data Protection Impact Assessments and prior consultations with supervisory authorities; (b) security obligations; (c) Personal Data Breach handling; and (d) responding to Data Subject requests. Assistance beyond the Services' built-in functionality may be subject to reasonable fees.
14. Audits and Records
DoubleXL will make available to Customer the information necessary to demonstrate compliance with this DPA, including by providing its most recent SOC 2 report and security documentation under NDA. Customer (or an independent auditor mandated by Customer and reasonably acceptable to DoubleXL) may conduct an audit no more than once per 12 months, on at least 30 days' written notice, during business hours, subject to confidentiality, and at Customer's expense, unless a Personal Data Breach has occurred or a supervisory authority requires more frequent audits.
15. California Service-Provider Terms
Where Customer is a Business and DoubleXL is a Service Provider under the CCPA/CPRA, DoubleXL will: (a) process Personal Information only for the Business Purposes set out in the Agreement; (b) not sell or share Personal Information; (c) not retain, use, or disclose Personal Information for any purpose other than the Business Purposes or as otherwise permitted by the CCPA; (d) not combine Personal Information received from Customer with Personal Information from other sources, except as permitted; and (e) notify Customer if it determines it can no longer meet its CCPA obligations. Customer may take reasonable steps to remediate unauthorized use.
16. HIPAA and Sensitive Data
The Services are not designed for and do not by default process Protected Health Information (PHI) governed by HIPAA, cardholder data outside Stripe-hosted flows, government IDs, or other categories of regulated sensitive data. Customer will not submit such data unless the parties have executed a Business Associate Agreement or other written instrument expressly permitting it.
17. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability set out in the Agreement. The SCCs, where incorporated, govern the parties' liability vis-à-vis Data Subjects in accordance with Clause 12 of the SCCs.
18. Order of Precedence
In the event of conflict, the order of precedence is: (1) the SCCs (where applicable); (2) this DPA; (3) the Agreement.
19. Changes to This DPA
DoubleXL may update this DPA from time to time to reflect changes in law or our Services. Material changes will be notified at least 30 days before they take effect. Continued use of the Services after the effective date constitutes acceptance.
Annex I — SCC Particulars
A. List of Parties
Data exporter: Customer, as identified in the Agreement.
Data importer: DoubleXL, Inc., 212 Crossroads Blvd, #620, Saratoga Springs, UT 84048, USA. Contact: privacy@double-xl.com.
B. Description of Transfer
As described in Section 4 above. Frequency: continuous for the duration of the Agreement. Retention: per Section 11.
C. Competent Supervisory Authority
For EEA transfers, the supervisory authority of the EEA Member State in which the data exporter is established (or, where the exporter is not established in the EEA, the supervisory authority of the Member State in which the exporter's representative or affected Data Subjects are located). For UK transfers, the UK ICO. For Swiss transfers, the FDPIC.
Annex II — Technical and Organisational Measures
The measures described in Section 7 of this DPA and on our Security page.
Annex III — Subprocessors
The Subprocessors listed at /subprocessors, as updated from time to time in accordance with Section 8.
Contact
DoubleXL, Inc.
Legal: legal@double-xl.com
Privacy: privacy@double-xl.com
Address: 212 Crossroads Blvd, #620, Saratoga Springs, UT 84048, USA