Data Processing Agreement

How we process personal data on your behalf when you use the xonPlus Platform

Data Processing Agreement (DPA)

TL;DR

When you use xonPlus, you are the data controller and we (XposedOrNot / xonPlus) are your data processor. This DPA is part of our Terms of Service and is automatically accepted when you subscribe. We only process data on your instructions, keep it encrypted and access-controlled, use vetted sub-processors (listed in Annex 3) with 30 days' notice before changes, notify you of any breach within 72 hours, support EU/UK transfers via the Standard Contractual Clauses, and return or delete your data when you leave.

How this DPA applies

By subscribing to or using the xonPlus Platform, you (the “Customer”) agree to this Data Processing Agreement (“DPA”). It forms part of and supplements the xonPlus Terms of Service (the “Agreement”) and should be read together with our Privacy Policy. If there is any conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails.

1. Background and Purpose

This DPA governs our processing of personal data on your behalf in connection with your subscription to and use of the xonPlus Platform (xonEnterprise+, xonConsumer+, xonAPI+, and xonThreatIntel+). It is intended to ensure that such processing complies with applicable data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (“CCPA”) as amended, the Digital Personal Data Protection Act of India, the Personal Information Protection and Electronic Documents Act of Canada (“PIPEDA”), and any other applicable privacy or data protection legislation (“Applicable Data Protection Laws”).

2. Definitions

Capitalised terms not defined here have the meaning given in the Agreement or in Applicable Data Protection Laws. In particular:

  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Special Categories of Personal Data” have the meanings given in the GDPR (or equivalent terms under other Applicable Data Protection Laws).
  • “Customer Personal Data” means any personal data submitted to, accessed through, or generated by the Platform on your behalf — including data submitted for monitoring (e.g. email addresses, domain names, employee credentials, executive identities) and data generated through monitoring (e.g. exposure alerts and monitoring results).
  • “SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914, as amended or replaced from time to time.
  • “Sub-processor” means any third party we engage to process Customer Personal Data on our behalf in connection with the Services.

3. Roles of the Parties

  • For the processing of Customer Personal Data, you act as the Controller (or, where you process personal data on behalf of your own end-users or clients, as a Processor), and we act as the Processor (or Sub-processor, as applicable).
  • Where you act as a Processor on behalf of a third-party Controller, you warrant that you have obtained all necessary authorisations to engage us as a Sub-processor on the terms of this DPA.
  • Each party is individually responsible for compliance with its own obligations under Applicable Data Protection Laws.

4. Details of Processing

The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1 (Processing Details) below.

5. Customer Obligations

You shall:

  • Ensure Customer Personal Data is collected and submitted to the Platform in compliance with Applicable Data Protection Laws and with all required notices, consents, and lawful bases.
  • Be solely responsible for the accuracy, quality, and legality of Customer Personal Data and how you acquired it.
  • Be responsible for your documented instructions to us. Your use of the Platform in accordance with the Agreement and our documentation constitutes your documented instructions.
  • Not submit Special Categories of Personal Data, payment card data, or government-issued identifiers to the Platform unless we expressly agree in writing as part of the service configuration.
  • Promptly notify us if you believe any instruction or processing may infringe Applicable Data Protection Laws.

6. Our Obligations as Processor

We shall:

  • Process Customer Personal Data only on your documented instructions (including for international transfers), unless required by law to which we are subject — in which case we will inform you first, unless the law prohibits this on important grounds of public interest.
  • Ensure personnel authorised to process Customer Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures, as described in Annex 2.
  • Engage Sub-processors only in accordance with Section 9.
  • Assist you, by appropriate technical and organisational measures and insofar as possible, in responding to data subject rights requests, in securing processing, in breach notification, in data protection impact assessments, and in prior consultation with supervisory authorities.
  • At your choice, delete or return all Customer Personal Data after the end of the Services, in accordance with Section 15.
  • Make available the information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR (or equivalent provisions).

7. Confidentiality of Personnel

We ensure that any personnel authorised to process Customer Personal Data are subject to written confidentiality obligations no less restrictive than the confidentiality provisions of our Terms of Service, and receive appropriate training on their data protection responsibilities.

8. Security of Processing

How we protect your data

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls and the principle of least privilege
  • Network segmentation, logging, and monitoring
  • Regular vulnerability assessments and incident response procedures

We regularly review and, where appropriate, update these measures to maintain a level of security appropriate to the risk, taking into account the state of the art and the nature, scope, and purposes of processing. Full details are in Annex 2.

9. Sub-processors

  • You provide general written authorisation for us to engage Sub-processors, subject to this Section. The current list is in Annex 3.
  • We will give you at least 30 days' prior notice of any addition or replacement of a Sub-processor (the “Change Notice”), so that you can object.
  • If you reasonably object on legitimate data protection grounds, notify us in writing within 15 days of the Change Notice. We will discuss a resolution in good faith. If none is reached, we will either (i) not appoint the proposed Sub-processor, or (ii) let you terminate the affected Services without penalty, with a pro-rata refund of any prepaid fees for the unused portion (notwithstanding the no-refund provisions of our Terms of Service).
  • We enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than this DPA, and we remain fully liable for their performance.

10. Data Subject Rights

Taking into account the nature of the processing, we will provide reasonable assistance, by appropriate technical and organisational measures and insofar as possible, to help you fulfil your obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, and objection).

If we receive a request directly from a data subject relating to Customer Personal Data, we will, where legally permitted, promptly forward it to you and will not respond directly except on your instructions or as required by law.

11. Personal Data Breach Notification

72-hour notification

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. To the extent available, the notification will include:

  • the nature of the breach, including categories and approximate number of data subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address and mitigate it; and
  • a point of contact where more information can be obtained.

We will cooperate and provide reasonable assistance in investigating, mitigating, and remedying the breach, and in fulfilling any notification obligations to authorities or data subjects. Notification is not an acknowledgement of fault or liability.

12. Data Protection Impact Assessments

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities where required by Applicable Data Protection Laws. We may charge a reasonable fee where the requested assistance goes beyond the standard documentation made available to subscribers.

13. International Data Transfers

We are established in India, and we and our Sub-processors may process Customer Personal Data outside the European Economic Area (“EEA”), the UK, Canada, or your country of establishment.

Where processing involves a transfer of personal data from the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties comply with the SCCs, incorporated by reference, with the following selections:

  • Module Two (Controller to Processor) where you are a Controller; Module Three (Processor to Sub-processor) where you are a Processor.
  • Clause 7 (Docking clause): does not apply.
  • Clause 9 (Sub-processors): Option 2 (general written authorisation), with a 30-day notice period as in Section 9.
  • Clause 11 (Redress): the optional independent dispute resolution language does not apply.
  • Clause 17 (Governing law): the law of the Republic of Ireland.
  • Clause 18 (Forum and jurisdiction): the courts of Ireland.
  • Annexes I, II and III to the SCCs are completed by Annexes 1, 2, and 3 to this DPA.

For transfers subject to the UK GDPR, the parties comply with the UK International Data Transfer Addendum to the EU SCCs issued by the UK ICO, incorporated by reference.

For transfers subject to other Applicable Data Protection Laws, the parties implement such other transfer mechanisms as those laws require.

14. Audits and Inspections

  • On reasonable prior written request and not more than once per calendar year, we will make available the information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and our reasonable security protocols.
  • Where that information is insufficient, you may, at your cost and on at least 30 days' written notice, audit our relevant processing activities no more than once per calendar year (except where required by a supervisory authority or following a confirmed Personal Data Breach). Audits are conducted during normal business hours, without unreasonably interfering with our operations, and are subject to the confidentiality obligations of the Agreement.

15. Return or Deletion of Data

When you leave

  • Within 30 days of termination or expiry of the Agreement, we will, at your choice, return or delete all Customer Personal Data in our possession or control (including copies held by Sub-processors), and provide written certification on request.
  • We may retain Customer Personal Data where required by applicable law, keeping it confidential and not processing it further except for the purpose for which it must be retained.
  • Aggregated, anonymised, or de-identified data that no longer constitutes personal data may be retained and used for legitimate business purposes, including service improvement and threat intelligence research.

16. Liability

  • Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, except where mandatory provisions of Applicable Data Protection Laws (including Article 82 of the GDPR) provide otherwise.
  • Any administrative fines or penalties imposed directly on a party by a supervisory authority are borne by that party, except where they result from the other party's breach of this DPA.

17. Term, Precedence, and General

  • Term: This DPA takes effect with the Agreement and remains in force for as long as we process Customer Personal Data on your behalf. Sections on confidentiality, breach notification, return/deletion, and liability survive termination as required.
  • Order of precedence: in the event of conflict, the order is (1) the SCCs (where applicable); (2) this DPA; (3) the Agreement.
  • Governing law: without prejudice to Section 13 (which governs the law and forum for the SCCs), this DPA is governed by the laws of India, and disputes are resolved in accordance with the dispute resolution provisions of our Terms of Service.
  • Amendments: we may amend this DPA where required to comply with changes in Applicable Data Protection Laws by giving 30 days' notice; other changes will be communicated in accordance with our Terms of Service.
  • Severability: if any provision is held invalid or unenforceable, the remaining provisions continue in full force and effect.

Annex 1 — Processing Details

Subject matter

Our processing of Customer Personal Data to provide the xonPlus Platform (xonEnterprise+, xonConsumer+, xonAPI+, xonThreatIntel+) and related breach monitoring and threat intelligence services.

Duration

For the term of your subscription, plus any retention or deletion period set out in Section 15.

Nature and purpose

Matching identifiers you submit against breach and exposure datasets; continuously monitoring for new exposures; generating and delivering exposure alerts; providing dashboards, reporting, and API access; and providing related threat intelligence — all on your behalf and on your instructions.

Frequency

Continuous and ongoing for the duration of the subscription.

Types of personal data

  • Email addresses and domain names submitted for monitoring
  • Usernames and credentials (often submitted or matched as hashed values)
  • Executive and employee identities (names and associated identifiers)
  • Account and contact details for Customer users of the Platform
  • IP addresses and technical/usage data generated through use of the Platform
  • Monitoring results and exposure alerts generated by the Platform

The Platform is not intended for Special Categories of Personal Data, payment card data, or government-issued identifiers, which should not be submitted unless expressly agreed in writing (see Section 5).

Categories of data subjects

  • Your employees, executives, and contractors
  • Your end-users, customers, or clients whose identifiers you submit for monitoring
  • Other individuals whose personal data is contained in the identifiers you choose to monitor

Annex 2 — Technical and Organisational Measures

We implement and maintain the following measures to ensure a level of security appropriate to the risk:

Encryption in transit

All data transmitted between you and the Platform, and between Platform components, is encrypted using TLS 1.3 or equivalent industry-standard protocols.

Encryption at rest

Customer Personal Data stored in databases, object storage, and backups is encrypted using AES-256 or equivalent.

Access controls

Role-based access controls, principle of least privilege, mandatory multi-factor authentication for administrative access, and regular access reviews.

Authentication

Strong password policies, MFA for privileged accounts, and secure storage of credentials using salted, adaptive hashing algorithms.

Network security

Firewalls, network segmentation between environments, intrusion detection and prevention, DDoS protection, and restricted ingress/egress rules.

Logging and monitoring

Centralised logging of access and administrative actions, automated anomaly detection, and 24/7 alerting on critical events.

Vulnerability management

Regular vulnerability scans, patch management, periodic third-party penetration testing, and a documented secure development lifecycle.

Incident response

Documented incident response plan, defined roles and responsibilities, breach notification procedures aligned with Section 11, and post-incident review.

Backup and recovery

Encrypted backups, regular backup integrity testing, and documented disaster recovery procedures with defined RPO and RTO targets.

Data minimisation

Collection limited to data necessary for the purposes in Annex 1; pseudonymisation and hashing applied where feasible (e.g. credential matching).

Pseudonymisation

Where supported, identifiers may be hashed before submission and matched on hashed values, reducing direct exposure of plaintext credentials.

Personnel security

Background checks where lawful, written confidentiality undertakings, and regular data protection and security awareness training.

Sub-processor management

Due diligence on all Sub-processors, back-to-back contractual data protection terms, and ongoing monitoring of performance and compliance.

Physical security

Hosting in data centres operated by reputable cloud providers with industry-standard physical security controls. We do not operate our own physical data centres.

Business continuity

Documented business continuity and disaster recovery plans, periodically tested, covering loss of key personnel, infrastructure, or third-party services.

Data segregation

Logical separation of Customer data within multi-tenant environments, with controls to prevent unauthorised cross-tenant access.

Secure deletion

Documented procedures for secure deletion of Customer Personal Data on termination or request, including from backups in accordance with backup rotation cycles.

Annex 3 — Approved Sub-processors

The following Sub-processors are authorised at the date of this DPA. We maintain an up-to-date list and notify you of any additions or replacements in accordance with Section 9.

Google LLC / Google Cloud EMEA Limited (Google Cloud Platform)

Purpose: Cloud infrastructure hosting, database storage, and compute for the Platform; storage of Customer Personal Data submitted for monitoring.

Location: United States (Google Cloud US regions); may be replicated to additional regions for redundancy and disaster recovery.

Safeguards: EU SCCs in the Google Cloud Data Processing Addendum; encryption in transit and at rest by default.

Cloudflare, Inc.

Purpose: CDN, TLS termination, DDoS protection, and web application firewall for traffic to and from the Platform (Customer Personal Data in transit only).

Location: Cloudflare global edge network (no persistent storage of Customer Personal Data).

Safeguards: EU SCCs in the Cloudflare Data Processing Addendum; data processed in transit only.

Mailjet SAS (a Sinch company)

Purpose: Delivery of transactional emails, account notifications, and breach alerts to Customer users.

Location: France / European Union.

Safeguards: EU SCCs in the Mailjet Data Processing Addendum; data hosted within the EU.

Lemon Squeezy, LLC

Purpose: Subscription billing and payment processing as Merchant of Record (checkout, payment authorisation, sales tax, and invoicing).

Location: United States.

Safeguards: PCI-DSS compliance; EU SCCs in the Lemon Squeezy Data Processing Addendum.

PayPal, Inc. / PayPal (Europe) S.à r.l. et Cie, S.C.A.

Purpose: Payment processing for subscription fees where PayPal is selected as the payment method.

Location: United States and Luxembourg.

Safeguards: PCI-DSS compliance; EU SCCs applied by PayPal for EEA-originating transactions.

Google LLC (Google Analytics)

Purpose: Website and product usage analytics; understanding aggregate user behaviour and Service performance.

Location: United States.

Safeguards: EU SCCs in the Google Ads Data Processing Terms; IP anonymisation enabled; configured to avoid collecting identifiable Customer Personal Data where reasonably possible.

PostHog, Inc.

Purpose: Product analytics, feature usage tracking, and session monitoring to operate and improve the Platform.

Location: United States (PostHog US Cloud).

Safeguards: EU SCCs in the PostHog Data Processing Addendum; configured to minimise capture of identifiable Customer Personal Data.

Contact

For any questions about this DPA, data protection, or to exercise the rights and processes described above:

Email:

GitHub: github.com/xposedornot

Twitter: @xposedornot

Last Updated: June 2026. This DPA forms part of the xonPlus Terms of Service and is accepted when you subscribe to or use the Platform. We encourage you to review it periodically for any updates.