Data Processing Agreement

• “Controller” — You, the customer, who determines the purposes and means of processing personal data using Xlork's Services.
• “Processor” — Xlork, which processes personal data on behalf of the Controller.
• “Personal Data” — Any information relating to an identified or identifiable natural person that is processed through the Services.
• “Sub-processor” — A third-party engaged by Xlork to process Personal Data on behalf of the Controller.
• “Data Protection Laws” — GDPR, UK GDPR, CCPA/CPRA, and any other applicable data protection legislation.

This DPA applies when Xlork processes Personal Data on your behalf through the Services. You act as the Controller and Xlork acts as the Processor.

Types of data processed: Names, email addresses, and any data fields your end users upload via the Xlork importer (as defined by your column configuration).

Purpose of processing: To provide the data import Services — parsing, mapping, validating, and delivering imported data to your application.

Xlork shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (see Security)
• Assist the Controller in fulfilling data subject requests and compliance obligations
• Delete or return all Personal Data upon termination of the agreement, at the Controller's choice
• Make available information necessary to demonstrate compliance with this DPA

Xlork may engage sub-processors to assist in providing the Services. We will:

• Maintain a current list of sub-processors available upon request
• Notify you of any new sub-processor additions at least 30 days in advance
• Ensure sub-processors are bound by data protection obligations no less protective than this DPA

If you object to a new sub-processor, you may terminate the affected Services by providing written notice within 30 days.

Xlork will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection) by providing appropriate technical and organizational measures. If Xlork receives a request directly from a data subject, we will promptly redirect them to the Controller unless legally required to respond.

Xlork implements appropriate technical and organizational measures to protect Personal Data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and principle of least privilege
• Regular security patching and vulnerability scanning
• Monitoring, logging, and anomaly detection

For full details, see our Security page.

In the event of a confirmed Personal Data breach, Xlork will notify the Controller without undue delay and no later than 72 hours after becoming aware. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.

If Personal Data is transferred outside your jurisdiction, Xlork will ensure adequate safeguards are in place as required by applicable Data Protection Laws — such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognized under UK or other applicable law.

Imported data is processed transiently during the import session and is not stored by Xlork beyond what is necessary to deliver the import results to your application.

Upon termination of the agreement or upon your written request, Xlork will delete or return all Personal Data within 30 days, unless retention is required by applicable law.

The Controller may audit Xlork's compliance with this DPA. Xlork will make available relevant information and allow for audits conducted by the Controller or an appointed third-party auditor, subject to reasonable notice and confidentiality obligations. Audits shall be conducted no more than once per year unless required by a supervisory authority.

For questions about this DPA or to exercise your rights: