§ 01 / 06
Legal · Data Processing Agreement · Pre-signed · v3.2 · For DPOs, procurement, security, legal.
In force · effective 2026-04-01
exAI Agentic OS · DPA v3.2

The DPA, plain.
The PDF, ledger-signed.

The Data Processing Agreement is pre-signed by exAI and applies on signup. No countersigning round-trip required to begin processing — a counter-signed copy is available on request.

v3.2 incorporates the EU Standard Contractual Clauses (Modules 2 and 3, Commission Decision 2021/914), the United Kingdom International Data Transfer Addendum (IDTA), and is Swiss FADP-compatible by reference. Adequacy decisions cover fourteen further jurisdictions; everything else routes through SCCs with a per-country transfer impact assessment on file. This page is the operator memory: the human-readable index of the document, not the document itself.

EU SCCs · Module 2 + 3 · UK IDTA · Swiss FADP-compatible · 72h breach notice
document · in force · DPA-v3.2

Document state
effective: 2026-04-01
version: v3.2
supersedes: v3.1 · 2025-09-12
pages: 27 · A4 · signed
governing law: Republic of Ireland
language: English (authoritative)

Signed by
exAI Limited
per: General Counsel · S. Mori
Dublin · 2026-04-01

supersedes · v3.1 · ● in force
Fig. 01 · cover sheet · Effective 2026-04-01
§ 02 / 06
Roles · controller and processor

You decide why.
We decide how to do it safely.

The DPA fixes who does what. Article 28 of the GDPR draws the line, and the same line is drawn — under different names — by UK GDPR, Swiss FADP, LGPD, PIPEDA, and CCPA Service Provider terms.

In every jurisdiction we serve, the customer is the controller and exAI is the processor. You determine the purposes and the means of processing personal data: which workspaces exist, which agents run, which end-users you onboard, and which fields are stored against which accounts.

exAI processes that personal data only on your documented instructions — the master agreement, the configuration you set in the product, and the requests your authenticated operators make through the API. We never use customer data to train any model. We never share customer data with another tenant. We never pursue secondary purposes of our own.

Where you act as a processor on behalf of your own end-customers — for example when you build internal tools that handle their personal data — exAI becomes a sub-processor. The same Article 28 obligations flow down through this DPA without rewriting.

Role A · controller · You

You are the controller.

You decide whose data is processed and why. You hold the legal basis. You manage the relationship with the data subject. exAI follows your instructions and surfaces tools that make those instructions operational — tenant-scoped keys, per-region residency flags, retention windows that bind on every workspace.

GDPR Art. 4(7) · UK GDPR · FADP Art. 5(j) · LGPD Art. 5(VI) · PIPEDA
Role B · processor · exAI

exAI is the processor.

exAI hosts, runs, and observes the workspaces you create. Every action against your data is on your instruction — explicit through the API, or implicit through the configuration you maintain in the product. We do not adopt secondary purposes, do not commingle tenants, and do not sell or share personal data within the meaning of CCPA.

GDPR Art. 28 · UK GDPR · CCPA Service Provider · LGPD · PIPEDA
§ 03 / 06
DPA at a glance · twelve articles

Twelve articles,
in plain English.

Each card summarises one article of the signed PDF. The language is operator-grade, not marketing — sufficient to brief a buyer, never a substitute for the legal text. For the binding version, refer to the document itself.

01
Art. 1

Definitions

The vocabulary the contract uses — controller, processor, personal data, processing, sub-processor, supervisory authority. Aligned to GDPR Art. 4 verbatim, with mappings annotated for UK GDPR, Swiss FADP, LGPD, and CCPA.

02
Art. 2

Subject matter & duration

What we process and for how long. Subject matter: the operation of exAI Agentic OS for the customer. Duration: the lifetime of the master agreement plus the data-return window in Art. 12.

03
Art. 3

Nature & purpose

Why processing happens at all. Hosting, executing, and observing the workspaces, agent runs, and audit log entries the customer creates — strictly to deliver the service described in the master agreement.

04
Art. 4

Categories of data & subjects

Whose data and which fields. Categories: identifiers, account data, content the customer uploads, telemetry. Subjects: the customer's employees, contractors, and end-users of customer-built applications.

05
Art. 5

Obligations of the processor

What we promise. Process only on documented instructions, keep staff under confidentiality, implement Art. 32 security measures, assist with DSARs, and assist with DPIAs and prior consultation requests.

06
Art. 6

Sub-processors

Who else touches the data. We maintain a public sub-processor list at /trust, notify customers 30 days in advance of any addition or replacement, and accept written objection within 14 days.

07
Art. 7

Data subject rights

Access, rectification, erasure, restriction, portability, and objection. Tooling exposes each right as a one-call API; we assist within 30 days of a customer's documented request, free of additional fees.

08
Art. 8

Personal data breach

Notification within 72 hours of becoming aware. The notice carries the categories affected, approximate counts, likely consequences, mitigations taken, and the contact line for the customer's DPO.

09
Art. 9

Data transfers

Out-of-region movement runs on EU SCCs (Module 2 + 3), UK IDTA, Swiss FADP, or adequacy decisions. Transfer impact assessments and supplementary measures are documented and updated quarterly.

10
Art. 10

Audit rights

On reasonable notice, the customer or its mandated auditor may inspect controls. We default to providing SOC 2 Type II and ISO 27001 reports; on-site audits are scheduled within 60 days, NDA-bound.

11
Art. 11

Liability & indemnification

Liability follows the master agreement's cap, with carve-outs for breaches of confidentiality, infringement of IP, and gross negligence. Indemnities are mutual for third-party claims arising from each party's own acts.

12
Art. 12

Termination & data return

On termination, customer data is returned in a portable format within 30 days and irreversibly deleted within 60 days. Audit log retention follows the customer's regulatory window — up to 10 years.

12 articles · 27 pages · A4 · Last revised 2026-04-01 · English (authoritative)
§ 04 / 06
International transfers · the four mechanisms

Cross the border on paper,
not on hope.

Every transfer of personal data outside the customer's home jurisdiction runs on a named instrument. Four cover the vast majority of routes; a per-country transfer impact assessment closes the rest.

exAI maintains four primary transfer instruments and falls back to a fifth — Standard Contractual Clauses with supplementary measures — for everything else. The specific instrument applied to a workspace follows the customer's region of record and the chain of sub-processors involved in serving it.

Mechanism 01 — the EU Standard Contractual Clauses, Module 2 (controller-to-processor) and Module 3 (processor-to-sub-processor) under Commission Decision 2021/914. These run between the customer and exAI, and between exAI and every onward sub-processor that requires them.

Mechanism 02 — the United Kingdom International Data Transfer Addendum (IDTA, ICO-approved v1.0), incorporated by reference where the data exporter is established in the UK.

Mechanism 03 — Swiss Federal Act on Data Protection (revised FADP). Where Switzerland is the home jurisdiction, the EU SCCs are extended with FADP-specific overrides published by the FDPIC.

Mechanism 04 — adequacy decisions of the European Commission covering UK, Japan, South Korea, Switzerland, New Zealand, Israel, Canada (commercial), Uruguay, Argentina, Andorra, Faroe Islands, Guernsey, Isle of Man, and Jersey. Where adequacy applies, no SCCs are required for the relevant route.

transfer · instruments · 12 routes

region | instrument | reference
EU / EEA | SCCs · Module 2 + 3 | 2021/914 · effective
United Kingdom | UK IDTA · Addendum | v1.0 · ICO approved
Switzerland | Swiss FADP · SCCs | FDPIC adequacy nuance
United States | SCCs · DPF | EU-US Data Privacy Framework
Japan | Adequacy | Commission decision · 2019
South Korea | Adequacy | Commission decision · 2021
Canada (commercial) | Adequacy | PIPEDA · since 2001
Israel | Adequacy | Commission decision · 2011
Argentina · Uruguay | Adequacy | Commission decisions
Channel Islands · IoM · Faroe | Adequacy | Commission decisions
Andorra · New Zealand | Adequacy | Commission decisions
RoW | SCCs + supplementary | Per-country TIA on file

TIA · per-country file · refreshed quarterly · ● in force
Fig. 02 · transfer matrix · v3.2 · 2026-04-01
§ 05 / 06
Sub-processors · changes recorded

Thirty-day notice.
Always.

The full sub-processor list is published at /trust. The events below are the most recent additions, removals, and material updates — every one bound by the notice and objection terms in Article 6.

exAI maintains a public sub-processor list at /trust and notifies customers in writing — by email to the named contacts in the master agreement and by an in-product banner — at least thirty days before any addition or replacement of a sub-processor takes effect. The notice carries the new vendor's name, role, region of processing, transfer instrument, and the security report we hold on file.

Customers have the right to object in writing within fourteen days of the notice. If the objection is on reasonable grounds that we cannot mitigate, the customer may terminate the affected service for cause without penalty. We do not condition this right on tier or contract size.

Removals and material updates — region splits, sub-vendor changes, transfer-instrument changes — follow the same channel. Removals are accompanied by a deletion certificate from the outgoing vendor, retained against the audit log.

Added
event · 01

Cloudflare Stream

Region-pinned media delivery for live workspace previews. EU traffic terminates in Frankfurt; transfer instrument: SCCs Module 2.

Added
event · 02

Anthropic Claude Opus 4 (US)

Replaces Opus 3.5 as the default reasoning model. US processing only; EU customer prompts route to Claude Sonnet 4 (Frankfurt) by default.

Removed
event · 03

LegacyAuth Inc.

Sunset and deprovisioned. Credentials rotated, residual data deleted, deletion certificate available on request.

Updated
event · 04

Datadog

Region split — EU pipeline (eu1.datadoghq.com) now serves all EU/EEA tenants; US pipeline retained for US tenants only.

Fig. 03 · last 4 changes · Older entries · /trust
§ 06 / 06
Decide where the paper lives

Need it countersigned?
Send the form.

The pre-signed v3.2 PDF is sufficient for most procurement processes. If your procurement requires a counter-signed copy — wet ink or qualified e-signature — request one and we return it inside two business days, NDA-bound, addressed to your signatory of record.

EU SCCs · Module 2 + 3 · UK IDTA · Swiss FADP · 72h breach notice · 30-day sub-processor notice
Document · DPA-v3.2 · effective 2026-04-01 · changes-from-v3.1: added Anthropic, removed LegacyAuth · governing law: Republic of Ireland