Last updated: May 30, 2026
This DPA forms part of the agreement between you ("Customer", the data controller) and Xalgorix Labs ("Processor") when personal data is processed via the Service. It is pre-signed by Xalgorix; your acceptance of the Terms constitutes execution.
Need a countersigned PDF copy for your records? Email legal@xalgorix.com.
Roles & scope
Customer is the controller of personal data submitted to the Service. Xalgorix is the processor, acting only on Customer's documented instructions (which include the configuration of scans and the use of features as designed).
Processing is limited to: operating the Service; running scans on Customer's targets; storing findings, evidence, and reports; billing; security and abuse prevention. Duration: for the term of the agreement and the retention periods in the Privacy Policy.
Subjects: Customer's authorized users; end-users of targets being scanned (incidentally, where findings reveal exposed PII).
Data: account identifiers, scan configurations, scan results (which may include exposed PII discovered as part of a finding).
Xalgorix engages the following sub-processors, all bound by GDPR-equivalent terms:
We notify Customer at least 30 days before adding a new sub-processor; Customer may object on reasonable grounds and terminate if no resolution is reached.
Personal data is stored and processed in EU regions. Where a sub-processor is established outside the EEA, transfers rely on the EU Standard Contractual Clauses (2021/914) and applicable supplementary measures.
Xalgorix maintains the technical and organizational measures described at /security: TLS 1.3, AES-256 at rest, least-privilege access, MFA for staff, signed audit logs, annual penetration test, and incident response runbooks.
Xalgorix notifies Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data, including the information required by Art. 33 GDPR.
Xalgorix provides tools allowing Customer to access, export, and delete personal data in the Service. Where individuals contact Xalgorix directly, we redirect them to Customer.
Customer may, no more than once per year, request a summary of Xalgorix's most recent SOC 2 or equivalent independent audit under NDA. On-site audits are available for Enterprise customers under a separate agreement.
On termination, Xalgorix deletes Customer Data within 30 days, except where retention is required by law. A signed certificate of deletion is available on request.