Data Processing Addendum

For customer content and personal data processed in connection with the service, the customer acts as the controller or business, and xmailCloud acts as the processor or service provider, except where xmailCloud determines its own independent purposes under applicable law.

Each party will comply with obligations applicable to it under relevant privacy and data protection laws.

The subject matter of processing is the provision of business email hosting, mailbox administration, authentication, support, billing operations, and related service functionality.

Processing continues for as long as xmailCloud provides the service to the customer and for any additional period required for secure deletion, legal compliance, or contract closeout obligations.

xmailCloud processes personal data to host mailboxes, route and store email, manage accounts and domains, authenticate users, provide customer support, monitor platform health, secure the environment, and deliver requested service features.

Where enabled, xmailCloud may also process prompts or relevant message data to provide AI-assisted workflows such as summaries, drafting help, or signature generation at the customer’s direction.

The categories of personal data processed may include names, email addresses, account identifiers, login metadata, message metadata, billing contacts, support records, and other customer-provided or service-generated operational data.

Data subjects may include customer employees, administrators, contractors, clients, correspondents, prospects, and other individuals whose personal data is included within service use.

• Process personal data only on documented customer instructions, unless otherwise required by law.
• Ensure personnel with access to personal data are subject to confidentiality obligations.
• Implement appropriate technical and organizational measures to protect personal data.
• Assist the customer with reasonable requests related to data subject rights, impact assessments, and security incidents where required by law.
• Delete or return personal data at the end of the services, subject to legal retention obligations.

xmailCloud may use subprocessors to support infrastructure hosting, mailbox delivery, authentication, object storage, payment processing, and monitoring. xmailCloud remains responsible for ensuring subprocessors are bound by data protection obligations appropriate to the services they perform.

Upon request and where commercially reasonable, xmailCloud may provide customers with current subprocessor information relevant to the services they use.

Where personal data is transferred across jurisdictions, xmailCloud will implement transfer safeguards required by applicable law, which may include contractual measures, regional hosting commitments, or other approved mechanisms.

xmailCloud will maintain incident response procedures designed to identify, contain, investigate, and remediate security incidents affecting personal data.

Where legally required, xmailCloud will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting customer-controlled data.

Upon reasonable written request, xmailCloud will provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and proportionality safeguards.

Any audit or assessment must avoid unreasonable disruption, duplication of existing assurance materials, or exposure of confidential information relating to other customers or platform security controls.

At the end of the services, xmailCloud will delete or return personal data to the extent required by applicable law, contractual commitment, and technical capability, except where storage is required for legal, security, or accounting purposes.