Data processing addendum.
This Data Processing Addendum ("DPA") forms part of the agreement between xFusion, Inc. ("xFusion," "we," "us") and the client ("Client," "you") for the customer support services described in the Master Services Agreement or applicable order form (together, the "Agreement"). It governs the processing of Personal Data by xFusion on behalf of Client. If there is a conflict between this DPA and the Agreement, this DPA controls for matters relating to data protection.
A countersigned copy is available on request. Email security@xfusion.io to start that process.
1. Definitions
"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), and any other privacy or data protection laws that apply to the parties.
"Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Sub-processor" have the meanings given to them in Applicable Data Protection Laws.
"Client Personal Data" means Personal Data that xFusion processes on behalf of Client under the Agreement. This typically includes information about Client's end customers (names, email addresses, account identifiers, conversation history) and Client's internal team members (where xFusion is given access to internal tools).
2. Roles of the parties
For Client Personal Data, Client is the Controller and xFusion is the Processor. xFusion processes Client Personal Data only on documented instructions from Client, including instructions given through Client's chosen tools and configurations (helpdesk, CRM, payment system, etc.) and through written communications with xFusion's account management team.
For information that xFusion collects directly (e.g., billing contacts, candidate information in our recruiting funnel), xFusion acts as a Controller and the terms of our Privacy Policy apply.
3. Subject matter, duration, and purpose
- Subject matter: The provision of managed customer support services as described in the Agreement.
- Duration: The term of the Agreement, plus a reasonable period for return or deletion of data thereafter.
- Purpose: To respond to and resolve customer support inquiries on behalf of Client; to administer the placement, training, payroll, and management of placed team members; to report on KPIs and quality.
- Categories of Data Subjects: Client's end customers, Client's prospective customers who reach out for support, Client's internal team members who interact with placed agents.
- Categories of Personal Data: Contact details, account identifiers, support conversation content, transactional information necessary to resolve a ticket, and other data Client chooses to make available through its tools.
4. xFusion's obligations
- Process Client Personal Data only on documented instructions from Client.
- Ensure that personnel authorized to process Client Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures to protect Client Personal Data, as described in Section 7.
- Assist Client, taking into account the nature of processing, in responding to Data Subject requests and meeting Client's obligations under Applicable Data Protection Laws.
- Notify Client without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data.
- At Client's choice, return or delete Client Personal Data at the end of the Agreement, except where retention is required by law.
- Make available to Client information necessary to demonstrate compliance with this DPA and reasonably support audits as described in Section 9.
5. Client's obligations
- Ensure that Client has all rights, consents, and lawful bases necessary for xFusion to process Client Personal Data as instructed.
- Configure Client's tools and access controls to limit xFusion's access to what is needed to perform the services.
- Provide instructions in writing or through configuration of Client's tools, and update them as needed.
6. Sub-processors
Client authorizes xFusion to engage Sub-processors to perform parts of the services. xFusion enters into written agreements with Sub-processors that impose data protection obligations no less protective than those in this DPA, and remains liable for the acts and omissions of its Sub-processors.
Current categories of Sub-processors include: cloud hosting and infrastructure providers, communication and collaboration tools, payroll and contractor payment platforms, helpdesk and CRM platforms (where xFusion provides them rather than the Client), background check providers, and analytics and observability tools.
A current list of named Sub-processors is available on request. xFusion will give Client reasonable advance notice of any addition or replacement of a Sub-processor and provide a mechanism to object on reasonable data protection grounds.
7. Security measures
xFusion maintains a written information security program with administrative, technical, and physical safeguards designed to protect Client Personal Data, including:
- Role-based access controls and the principle of least privilege.
- Multi-factor authentication for systems that hold Client Personal Data.
- Encryption in transit (TLS) and at rest where supported by the underlying systems.
- Background checks, confidentiality agreements, and security training for personnel.
- Endpoint security, vulnerability management, and patching for company-managed devices.
- Incident response procedures, including breach notification and post-incident review.
- Periodic review of access, vendor controls, and policy effectiveness.
Additional details are described on our Security page.
8. International transfers
xFusion operates across the United States, the Philippines, and Kenya, and uses Sub-processors that may process Client Personal Data outside the country of origin. Where transfers are subject to GDPR or UK GDPR, xFusion relies on appropriate transfer mechanisms, including the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or other valid mechanisms recognized under Applicable Data Protection Laws.
9. Audits
On reasonable written request and no more than once per twelve-month period (unless required by a regulator or following a Personal Data Breach), xFusion will provide Client with information reasonably necessary to demonstrate compliance with this DPA. Audits will be scheduled to minimize disruption, conducted under reasonable confidentiality obligations, and at Client's expense.
10. Personal Data Breach notification
xFusion will notify Client without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data. The notification will describe, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
11. Return or deletion of Client Personal Data
On termination of the Agreement, at Client's choice, xFusion will return or delete all Client Personal Data in its possession or control, except to the extent that retention is required by law. Where Client Personal Data lives in Client-controlled tools, return is automatic since the data remains with Client.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.
13. Changes to this DPA
xFusion may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, our services, or our Sub-processor list. Material changes will be communicated to Client with reasonable advance notice.
14. Contact
xFusion, Inc.
Data protection contact: security@xfusion.io