Data Processing Agreement

Our standard DPA, forming part of the contract between you (Data Controller) and xuly.io GmbH (Data Processor). Executed electronically by your acceptance of the Terms of Service.

Last updated: 2026-04-21

01. Subject matter

xuly.io processes personal data on your behalf to provide the Service described in our Terms of Service, including affiliate program credential storage, statistics ingestion, team collaboration, and notification delivery.

02. Duration

The DPA remains in force for the duration of our main agreement and any additional retention period required by law.

03. Nature and purpose of processing

Storage and retrieval of account and workspace data.

Aggregation and normalisation of affiliate statistics.

Delivery of notifications and reports.

Authentication, billing, fraud prevention, and customer support.

04. Types of personal data

Identification data (name, email, locale, timezone).

Authentication data (hashed passwords, MFA secrets, session tokens).

Team-member emails and roles.

Audit logs including IP addresses and user-agent strings.

05. Categories of data subjects

Your employees, contractors, sub-affiliates, and any individuals you invite to your workspace.

06. Processor obligations

Process personal data only on your documented instructions.

Ensure all persons authorised to process personal data are bound by confidentiality.

Implement appropriate technical and organisational security measures (see Annex II and /security).

Engage sub-processors only with your general written authorisation (list maintained at /legal/subprocessors).

Assist you in responding to data-subject requests within a reasonable time.

Notify you of a personal-data breach without undue delay (target: within 24 hours of confirmation).

07. Sub-processors

We maintain an up-to-date list of sub-processors used to provide the Service. You have a right to object within 14 days of any change notification. Objection may lead to termination of the relevant service.

08. International data transfers

Where personal data is transferred outside the EEA, we rely on EU Standard Contractual Clauses (SCCs) or an adequacy decision. Enterprise customers may pin their workspace to the EU region.

09. Security measures (Annex II)

Encryption in transit (TLS 1.3) and at rest (AES-256).

Credential encryption via Supabase Vault (pgsodium / libsodium).

Role-based access control with Postgres Row-Level Security on every table.

MFA required for all staff accounts.

Continuous vulnerability scanning and quarterly penetration testing.

Logging and monitoring with automated incident alerting.

10. Termination & deletion

Upon termination of the main agreement, we delete or return all personal data within 30 days unless retention is required by law.

11. Contact

Our Data Protection Officer: dpo@xuly.io.