Data Processing Agreement
This Data Processing Agreement (“DPA”) applies where Xalec AI processes personal data on behalf of a customer (“Controller”) in connection with Xalec AutoML Services or Reproducible Analytics Studio. It is incorporated into and forms part of the Terms of Service.
Last updated: 16 June 2026 — Effective: 16 June 2026
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable data protection law, including the Kenya Data Protection Act 2019 (“KDPA”) and, where applicable, the EU General Data Protection Regulation (“GDPR”).
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.
“Controller” means the customer who determines the purposes and means of the Processing.
“Processor” means Xalec AI, acting on the Controller’s instructions.
“Sub-processor” means any third party engaged by Xalec AI to assist in Processing on the Controller’s behalf.
“Services” has the meaning given in the Terms of Service.
2. Scope and roles
This DPA applies where the Controller uploads or submits Personal Data to the Services. The Controller is the data controller. Xalec AI is the data processor. Xalec AI will process Personal Data only on documented instructions from the Controller, including as set out in these Terms and this DPA, unless required to do so by applicable law.
3. Controller obligations
- The Controller warrants that it has a lawful basis for processing and transferring Personal Data to Xalec AI under applicable data protection law.
- The Controller is responsible for providing required notices to and obtaining any required consents from data subjects before uploading their Personal Data.
- The Controller must not upload Personal Data relating to special categories (including health, biometric, or genetic data) without first executing a supplementary written agreement with Xalec AI that covers the additional security and legal requirements for such data.
- The Controller shall inform Xalec AI promptly of any restriction, condition, or instruction that affects Xalec AI’s ability to process Personal Data under this DPA.
4. Processor obligations — Xalec AI
Xalec AI agrees to:
- Process Personal Data only on the Controller’s documented instructions and not for any other purpose, except as required by law.
- Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, loss, or destruction, including encrypted transmission, access controls, and audit-oriented logging.
- Notify the Controller without undue delay after becoming aware of a Personal Data breach that affects the Controller’s Personal Data. Notification will include, where available, the nature of the breach, the categories and approximate number of data subjects and records affected, and the measures taken or proposed to address the breach.
- Provide reasonable assistance to the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible given the Processing performed.
- Assist the Controller in meeting its obligations under applicable data protection law, including with respect to data protection impact assessments, consultation with supervisory authorities, and security obligations, to the extent such assistance is reasonably within Xalec AI’s control.
- At the Controller’s written request, delete or return all Personal Data after the end of the service provision, unless retention is required by applicable law.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and permit and contribute to reasonable audits conducted by the Controller or its auditors, subject to reasonable notice and confidentiality protections.
5. Sub-processors
The Controller grants Xalec AI general authorization to engage Sub-processors. Xalec AI will enter into data processing agreements with Sub-processors that impose obligations no less protective than those in this DPA. Current Sub-processors may include cloud infrastructure providers, object storage providers, and AI inference API providers. Xalec AI will inform the Controller of any intended changes to Sub-processors and give the Controller a reasonable opportunity to object.
6. International transfers
Xalec AI will not transfer Personal Data outside the jurisdiction where it was collected unless the transfer is covered by an appropriate safeguard under applicable law (including adequacy decisions, standard contractual clauses, or equivalent mechanisms under the KDPA). Where the Controller is subject to GDPR and a transfer to a third country is involved, the parties agree to execute the applicable EU Standard Contractual Clauses as a supplementary instrument.
7. Special categories of data
Reproducible Analytics Studio is designed to support epidemiological, biomedical, and survey research, which may involve health data, biometric data, or other special categories under applicable law. Before uploading such data, the Controller must contact Xalec AI at legal@xalec.ai to execute a supplementary addendum covering enhanced security, access controls, and retention practices appropriate for that data category.
8. Retention and deletion
Unless the parties have agreed otherwise in writing, Xalec AI will retain Personal Data only for as long as necessary to deliver the Services. Upon termination of the service relationship, or upon written request from the Controller, Xalec AI will securely delete or return Personal Data within a reasonable period, except where retention is required by applicable law.
9. Applicable law
This DPA and any dispute arising from it are governed by the laws of Kenya, including the Kenya Data Protection Act 2019 and the Data Protection (General) Regulations 2021. Where the Controller is established in the European Union or European Economic Area, the GDPR shall additionally apply to any Personal Data of EU data subjects.
10. How to request a signed DPA
To execute a countersigned version of this DPA for your organization, contact Xalec AI and label your message as a “DPA request”. Include your organization name, jurisdiction, a brief description of the data you intend to process, and whether any special category data is involved.