Data Processing Addendum (DPA)
Last updated: June 20, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Xellvio ("Xellvio," "Processor") and the Customer ("Controller") and applies to Xellvio's processing of personal data on the Customer's behalf in connection with the Xellvio platform (https://xellvio.com, the "Service"). Where the Customer's End User contact data is processed, the Customer is the controller and Xellvio is the processor.
1. Definitions
Terms such as "personal data," "processing," "controller," "processor," "data subject," and "supervisory authority" have the meanings given under applicable data-protection law (including the GDPR and UK GDPR). "Applicable Data Protection Law" means all privacy and data-protection laws applicable to the processing.
2. Roles and Scope
The Customer is the controller and Xellvio is the processor of Customer Data containing personal data. Xellvio processes such personal data only to provide and support the Service and on the Customer's documented instructions, including as set out in the Terms and this DPA. Xellvio will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
3. Customer Obligations
The Customer warrants that it has a valid legal basis and all necessary consents for the personal data it uploads and the messages it sends, that its instructions comply with Applicable Data Protection Law, and that it has provided required notices to data subjects.
4. Xellvio Obligations
Xellvio will: (a) process personal data only on documented instructions; (b) ensure persons authorized to process are bound by confidentiality; (c) implement appropriate technical and organizational security measures (Annex B); (d) assist the Controller, taking into account the nature of processing, with data-subject requests and with security, breach-notification, and impact-assessment obligations; and (e) make available information reasonably necessary to demonstrate compliance.
5. Subprocessors
The Customer authorizes Xellvio to engage subprocessors to provide the Service. Current subprocessors are listed in our Subprocessor List. Xellvio imposes data-protection obligations on each subprocessor substantially similar to those in this DPA and remains responsible for their performance. Xellvio will give notice of intended changes to subprocessors, and the Customer may object on reasonable data-protection grounds.
6. Data Subject Requests
Taking into account the nature of the processing, Xellvio will assist the Controller by appropriate measures, insofar as possible, to respond to data subjects exercising their rights. If Xellvio receives a request directly from a data subject, it will, where permitted, direct them to the Controller.
7. Personal Data Breach
Xellvio will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to assist the Controller in meeting its notification obligations.
8. International Transfers
Where processing involves transfer of personal data across borders, the parties will rely on an appropriate transfer mechanism under Applicable Data Protection Law, such as the Standard Contractual Clauses, which are incorporated by reference where applicable.
9. Deletion and Return
Upon termination of the Service, Xellvio will, at the Controller's choice and within a commercially reasonable period, delete or return Customer Data containing personal data, except where retention is required by law.
10. Audit
Xellvio will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and security conditions and reasonable notice.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
Annex A — Details of Processing
- Subject matter: provision of the Xellvio messaging platform.
- Duration: the term of the Customer's account.
- Nature and purpose: hosting, storing, transmitting, and delivering messages and managing contacts and consent on the Controller's behalf.
- Categories of data subjects: the Customer's contacts and message recipients (End Users); the Customer's authorized users.
- Categories of personal data: names, mobile phone numbers, consent records, message content, and engagement/delivery data.
- Special categories: none intended; the Customer must not upload special-category data without a lawful basis and appropriate safeguards.
Annex B — Security Measures
Xellvio maintains measures including: encryption of sensitive credentials in transit and at rest; access controls and least-privilege permissions; tenant isolation through row-level security; secrets management; logging and monitoring; secure software-development practices; and incident-response procedures.
Annex C — Subprocessors
See the current Subprocessor List, including (by way of example) the messaging infrastructure provider (Twilio), cloud hosting and database provider, and payment processor.
Contact
Xellvio — privacy@xellvio.com
