
Data Protection Addendum

Last Updated: December 16, 2025

This Data Protection Addendum (“DPA”), as amended from time to time, is an integral part of the Master Service Agreement (https://www.xtype.io/terms) as may be updated from time to time ("Agreement") by and among Company and Customer (as these terms are defined in the Agreement). This DPA shall have effect on the date the Agreement becomes effective ("Effective Date").

Unless otherwise defined in the Agreement or this DPA, all capitalized terms used in this DPA will have the meanings assigned to them in Exhibit A of this DPA (titled “Definitions”).

‍

1.    Roles. This DPA applies whenever Customer Personal Data is processed by Company for the purpose of providing the Subscription Services to Customer. In this context, Company is a “Processor” for Customer; while Customer is a “Controller” (as each of those terms is defined in the Data Protection Laws, as applicable; any similar corresponding classification shall apply under any Data Protection Laws, as defined therein) with respect to Personal Data. The details of processing under this DPA are as set out in Exhibit B hereto.

2.   Compliance with laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of the Agreement and this DPA with respect to processing and protection of Customer Personal Data, including, without limitation, any applicable Data Protection Laws.

3. Customer Instructions. The parties agree that this DPA and the Agreement, as well as any ordering documents directed from time to time by Customer to Company in writing within the scope of the Agreement, constitute Customer’s documented instructions regarding Company's processing of Customer Personal Data (“Documented Instructions”). Company will process Customer Personal Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Company and Customer, including agreement on any additional fees payable by Customer to Company for carrying out such instructions.

4. Personal Data Ownership. Customer shall remain the owner of the Customer Personal Data at all times and nothing herein or in the Agreement shall transfer any title to the Personal Data to Company.

5. Confidentiality of Personal Data. Company will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Subscription Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order), subject to Section 15 below.

6.  Confidentiality Obligations of Company's Personnel. Company restricts its personnel from Processing Customer Personal Data without authorization by Company, based on role and need to know. Company imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

7.   Security of Data Processing

7.1.  Without derogating from the foregoing, Company has implemented and will maintain the technical and organizational security measures for protecting the Customer Personal Data as described in Company's Security Standards attached as Exhibit D to this DPA.

8.   Sub-processing.

8.1.  Company’s current list of Sub-processors is included in Exhibit C (“Sub-processor List”) and is hereby approved by the Customer. The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by the Customer.

8.2.  Customer shall send an email to compliance@xtype.io with the subject SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION, to subscribe to notifications of new Sub-processors, and if Customer subscribes, Company shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Customer Personal Data in connection with the provision of the Subscription Services.

8.3. Objection Right for Sub-processors. Customer may reasonably object to Company’s use of a Sub-processor for reasons related to the Data Protection Laws by notifying Company promptly in writing within three (3) business days after receipt of Company’s notice in accordance with the mechanism set out in Section 8.2 and such written objection shall include the reasons related to the Data Protection Laws for objecting to Company’s use of such Sub-processor. Failure to object to such Sub-processor in writing within three (3) business days following Company’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-processor, as permitted in the preceding sentences, Company will use reasonable efforts to make available to Customer a change in the Subscription Services or recommend a commercially reasonable change to Customer’s use of the Subscription Services to avoid Processing of Customer Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. Suppose the Company is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days. In that case, Customer may, as a sole remedy, terminate the applicable. This DPA with respect only to those Subscription Services which cannot be provided by the Company without the use of the objected-to Sub-Processor by providing written notice to the Company provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to the Company. Until a decision is made regarding the Sub-Processor, the Company may temporarily suspend the Processing of the affected Customer Personal Data. Customer will have no further claims against the Company due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.

8.4.   Agreements with Sub-processors. In accordance with Articles 28.7 and 28.8 of the GDPR, if and when the European Commission lays down the standard contractual clauses referred to in such Article, the Parties may revise this DPA in good faith to adjust it to such standard contractual clauses. This Section 5 shall not apply to subcontractors of the Company which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.

9.    Data Subject Rights

Taking into account the nature of the Subscription Services, should a data subject for which Company acts as a processor hereunder contact Company with regard to any rights granted to it under applicable Data Protection Laws, Company will forward such requests to Customer and use commercially reasonable efforts to assist Customer in complying with such request, to the extent related to Company's operations and Subscription Services provided to the Customer.

10.  Security Breach Notification.

10.1.  Security Incident. Company will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

10.2. Company's Assistance. Company will include in the notification under section 10.1(a) such information about the Security Incident as Company is reasonably able to disclose to Customer, taking into account the nature of the Subscription Services, the information available to Company, and any restrictions on disclosing the information, such as confidentiality undertakings towards third parties or rights and freedoms of natural persons.

10.3. Communication. Notification(s) of Security Incidents, if any, and any other notifications required or authorized hereunder, will be delivered to the below mentioned point of contact (in case of Company) and as indicated by the Customer at the time of subscription for the Subscription Services (or as subsequently informed by a party hereto in writing):

 

440 N Barranca Ave. Suite 7741 Covina, CA, 91723, US

support@xtype.io

https://xtype.service-now.com/

 

 

11.  Audits.

11.1.  Provision by Company of third-party security and compliance documentation shall, in principle, fulfill Company’s audit obligations under this Section 11. Such documentation may include, as available, summaries or copies of Company’s most recent security assessments and certifications (such as SOC 2 reports, ISO 27001 certifications, penetration test executive summaries, or equivalent documentation).

11.2. Upon Customer’s written request (no more than once annually) and subject to confidentiality obligations, Company shall provide such documentation to Customer, together with any other audit or compliance reports reasonably deemed by Company capable to demonstrate Company’s compliance with this DPA and applicable Data Protection Laws.

11.3. Only where (i) Customer’s applicable regulator explicitly requires audit measures beyond the provision of such documentation, or (ii) Customer has reasonably substantiated in writing that such documentation is insufficient to demonstrate Company’s compliance with specific requirements of applicable Data Protection Laws or this DPA, may Customer request additional specific documentation for audit purposes.

11.4. For clarity, Company shall not be required to provide Customer with direct access to its systems (including those that Process Customer Personal Data) or to its physical premises. Under no circumstances shall Customer be granted access to any data or environments belonging to other customers of Company.

11.5.  If, after following the process set out in Sections 11.1–11.3, Customer demonstrates that it still requires further assurance to meet its regulatory obligations, Customer may request that an independent third-party auditor conduct an audit on its behalf. Such engagement shall be (i) no more than once annually, unless Customer’s applicable regulator explicitly requires otherwise, (ii) subject to Company’s prior written consent, and (iii) contingent on an executed confidentiality agreement between the third-party auditor, Customer, and Company. Customer shall bear all costs related to such third-party audit. Customer shall provide Company with any audit report(s) generated in connection with such audit without undue delay following receipt.

11.6. Customer may use any audit report(s) provided or produced under this Section 11 solely for the purposes of satisfying its regulatory audit requirements and/or confirming Company’s compliance with this DPA and applicable Data Protection Laws. Such audit report(s) shall constitute the confidential information of both parties.

11.7.  Customer shall exercise its rights under this Section 11 with due regard to minimizing disruption to Company’s business operations.

12.  Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Subscription Services and the information available to Company, Company will reasonably assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the applicable information Company makes available under this Section 12.

13. Data transfers outside EEA, Switzerland or UK.  

13.1.  With respect to any transfer (and any subsequent onward transfer) of Personal Data by Company from any EEA member state or from Switzerland, to a country which is not an EEA member state or another country that has not been recognized as granting an adequate level of protection to personal data by the EU Commission or the Swiss Federal Data Protection Authority (as applicable) (“Approved Jurisdiction”), the Parties hereto hereby agree to execute and incorporate into this DPA the Standard Contractual Clauses, with the elections and supplements set forth in Exhibit D attached hereto.

13.2. Company shall be deemed the “data importer” and Customer the “data exporter” under the Standard Contractual Clauses.

13.3.  If the European Commission subsequently amends the Standard Contractual Clauses at a date later than the Effective Date of this DPA, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties, without any further action required of the Parties hereto.

13.4.  Where UK GDPR applies, with respect to any transfer (and any subsequent onward transfer) of Personal Data by Company from the UK to any country outside the EEA or outside an Approved Jurisdiction or to a country that has not been designated by the UK authorized authority as providing an adequate level of protection for Personal Data, the Parties agree that such processing shall be subject to the UK SCC, subject to the IDTA attached as Exhibit F hereto.

13.5.  Alternative Data Export Solution. The parties agree that the data export solutions identified in Section 13 may not apply if and to the extent that Company adopts an alternative data export solution for the lawful transfer of personal data (as recognized from time to time under the Data Protection Laws) from the EEA, Switzerland or UK, as applicable, in which event, Company shall notify Customer of such alternative data export solution and it shall apply instead.

13.6.  In case of a conflict between the provision of the DPA and the provisions of the Standard Contractual Clauses or the UK SCC, the provisions of the Standard Contractual Clauses and/or the UK SCC shall apply, as applicable, unless the DPA provides more stringent protection to Personal Data and the rights of individuals in which case the latter shall prevail.

14.  Obligations under the CCPA

14.1.  To the extent that Company processes Personal Data of Californian residents and its Processing activities fall under the scope of the CCPA:

14.1.1. Company shall not sell Personal Data (as the term "sell" is defined under the CCPA). Company is also prohibited from retaining, using or disclosing such Personal Data for a commercial purpose other than providing the Subscription Service to the Customer under the Agreement, and from retaining, using or disclosing such Personal Data outside of the Agreement.

14.1.2.  Company acknowledges and understands its obligations under this clause, and will comply with them.

15.  Third Party Data Access Requests

15.1.  If Company becomes subject to a binding order or request for disclosure by a law enforcement authority or other competent government authority involving Personal Data that Company processes on behalf of Customer then, to the extent that Company identifies that such legal proceeding is in conflict with applicable Data Protection Laws, Company shall make reasonable efforts, unless legally prohibited, to:

15.1.1.  Immediately notify Customer of the binding order or request unless such notification is legally prohibited;

15.1.2.  Inform the law enforcement authority or such other competent government authority that Company is merely a processor of the Personal Data and is not authorized to disclose the Personal Data without Customer’s consent;

15.1.3.  Request that such law enforcement authority or such other competent government authority direct its request directly at Customer; and

15.1.4.  Use reasonable efforts to assist the Customer in its efforts to oppose the request or order, if applicable; at Customer's expense.

15.2.  If Company provides access to or discloses Personal Data in response to third party legal process either with Customer authorization or due to a mandatory legal compulsion, then Company will only disclose such Personal Data to the extent it is legally required to do so and in accordance with applicable lawful process.

15.3.    Data Subjects have the right to enforce, as third-party beneficiary, sections 15.1-15.2 against Company in accordance with Clause 3 of the Standard Contractual Clauses.

15.4. Clauses 15.1 and 15.2 shall not apply in the event that Company has a good-faith belief the government request is necessary due to an emergency involving immediate danger of death or serious physical injury to an individual. In such event, Company shall notify Customer of the data disclosure as soon as possible following the disclosure and provide Customer with full details of the same, unless such disclosure is legally prohibited.

16. In the event such binding order or any subsequent disclosure or action by Company prevents or would prevent Company from complying with the Standard Contractual Clauses or the Documented Instructions of Customer, Company agrees, pursuant to Clause 8(1)(b) of the Standard Contractual Clauses, to promptly inform the Customer of its inability to comply.

17. Return or Deletion of Personal Data. During the term of the Agreement and for a period of 30 days following the effective date of termination or expiration of the Agreement (“Termination Date”), Customer may request in writing to retrieve or delete Personal Data. Following the lapse of 30 days as of Termination Date, Company will delete all Personal Data unless prohibited by law or the order of a governmental or regulatory body, or if the retention of the Personal Data is required in order to fulfill any legal rights of Company, to defend any legal proceedings, or if such action may subject Company to liability.

18. Duties to Inform. Where Personal Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Company, Company will inform Customer without undue delay. In addition, Company shall inform Customer without undue delay, when its obligations under this DPA or applicable Data Protection Laws; in which case Customer shall have the right to stop transmitting Personal Information, and/or request cessation of Processing.

19. Representations and Warranties. Customer represents and warrants to Company that: (1) it has the right and the authority to provide the Customer Personal Data to Company for its use of such Customer Personal Data pursuant to the Agreement and this DPA, including transfers thereof outside the EEA, UK and/or Switzerland, as stipulated hereinabove; (2) it has provided any required notices and, to the extent required, has obtained any required consents from individuals as required by Data Protection Laws to collect and process their Personal Data, including through Company; (3) it is fully and solely responsible for the confidentiality, integrity and availability of the Customer Personal Data it collects and provides to Company (except when and as processed by Company); (4) the processing of the Customer Personal Data, including the provision thereof to Company, will not violate any Data Protection Laws and/or any other applicable laws; and (5) the essence of this Agreement shall be made available to any Data Subject by Customer upon such Data Subject’s request.

20. Indemnity. To the extent Company shall be subject to any enforcement action or any third party claim, based on any acts or omissions of Customer related to the Customer Personal Data, or any failure by Customer to comply with any applicable Data Protection Laws, Customer shall hold Company harmless and fully indemnify Company at its first demand, for any expenses, losses and damages, including without limitation, reasonable attorney’s fees and any fines and levies, incurred by Company in connection with and as a result of such enforcement action or claim.

21. Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreements between the parties including the Agreement and this DPA, the terms of this DPA will prevail. In case the applicable Data Protection Laws change in a way that this DPA is no longer adequate for the purpose of governing lawful data processing as stipulated herein, the Parties agree that they will negotiate in good faith to review and amend the Agreement in light of the new legislation.

22. Jurisdiction and Governing Laws. The governing law and the applicable jurisdiction for any dispute arising out of this DPA shall be as set out in the Agreement; except that with respect to Customers having an establishment within the EEA, for any matters arising out of the Standard Contractual Clauses, or the UK SCC, or which arise out of the DPA but are superseded by the Standard Contractual Clauses and/or the UK SCC, as applicable, the Parties submit to the jurisdiction of the competent courts of the EEA member state in which the main establishment or the sole establishment of the Customer resides (or UK, as applicable).

23. General Provisions. Neither Party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, that either Party may assign this DPA, without the other Party’s consent (but upon providing notice) in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets; including, inter alia, Company may transfer the Personal Data processed by the Company hereunder to the purchaser or successor or surviving entity, as the case may be; provided however that the latter shall Process such Customers' Personal Data under the terms of this DPA and/or any other terms to be agreed to by the Customer. This DPA is the complete and exclusive statement of the mutual understanding of the Company and Customer, and supersedes and cancels all previous written and oral agreements, communications, and other understandings relating to the subject matter of this DPA, and all waivers and modifications must be in a writing signed by both Parties, except as otherwise provided herein.

‍

 

Exhibit A - Definitions

 

Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

“Affiliate” means an entity that is either controlling, controlled by, or under a common control, with the subject matter entity, whereby “control” shall mean the direct or indirect holding of more than 50% of equity ownership or voting rights.  

"CCPA" means the California Consumer Privacy Act of 2018.

“Users” shall have the meaning ascribed to this term in the Agreement.

“Data Subject” has the meaning assigned to it in the GDPR or CCPA, as applicable; any similar corresponding classification shall apply under any applicable Data Protection Laws.

“Data Protection Laws” means all applicable laws, regulations, and requirements of regulatory guidance, in any jurisdiction, relating to data protection, privacy, and confidentiality of personal data, including, without limitation to GDPR, PPL or CCPA and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended and re-enacted from time to time, applicable to either party under the Agreement, including, without limitation, GDPR in relation to processing of Personal Data of EEA Data Subjects or CCPA in relation to the processing of Personal Data of California Data Subjects. Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

“EEA” means the European Economic Area.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Processing” has the meaning given to it in the Data Protection Laws, and “process”, “processes” and “processed” will be interpreted accordingly.

“PPL” means the Protection of Privacy Law 1981 and the regulations enacted thereunder, and any amendments or replacements to the foregoing.

“Security Incident” means a breach of Company's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Standard Contractual Clauses” or "EU SCC" means Annex 1, attached to and forming part of this DPA pursuant to the European Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.  

“Customer Personal Data” means Personal Data of any User other than information collected upon registration to the Subscription Services.  

“Personal Data” is as defined in the Data Protection Laws, as applicable.

“UK SCC” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses or the International Data Transfer Agreement as issued by the UK Commissioner under S119A(1) of the Data Protection Act 2018, attached as Appendix 2 hereto, including any amended, extended, re-enacted or consolidated version in force from time to time.

‍

 

Exhibit B – Data Processing Details

‍

  1. List of Parties:
  1. Controller (Data exporter(s) for the purpose of Standard Contractual Clauses):

Name: Customer's entity that has executed the Agreement

Address: Customer's entity's address

Contact person’s name, position and contact details: As provided by Customer on registration to the Subscription Services

Activities relevant to the data transferred under these Clauses: provision of the Subscription Services

Role (controller/processor): Controller

Data Protection Officer contact details: As provided by Customer on registration to the Subscription Services or as published by Controller  

EU representative contact details: as provided by Customer on registration to the Subscription Services, if applicable

  1. Processor (Data importer(s) for the purpose of Standard Contractual Clauses):

Name: xtype.io Inc.  

Address: 440 N Barranca Ave. Suite 7741 Covina, CA, 91723, US

Contact person’s name, position and contact details: Yonatan Adomi, General Counsel,

yonatan.admoni@xtype.io

Activities relevant to the data transferred under these Clauses:  provision of the Subscription Services

Role (controller/processor): Processor

Data Protection Officer contact details: compliance@xtype.io  

UK representative contact details: compliance@xtype.io

  1. Description of data processing
  1. Subject matter. The subject matter of the data processing under this DPA is Customer Personal Data provided to Company or made accessible to Company by Customer in the context of the performance of the Agreement, and provisions of the Subscription Service.
  1. Duration. The duration of the data processing under this DPA is determined by Customer. Customer has the sole discretion to remove any Customer Personal Data (without prejudice to any other right under any applicable law to request access, deletion or restriction of processing granted to any Data Subject, to the extent granted).
  1. Purpose. The purpose of the data processing under this DPA is to enable the proper use by Customer of the Subscription Services, as intended and provided by Company to Customer, under the Agreement and in accordance with terms of the Agreement.
  1. Nature of the processing: the processing of the Personal Data is comprised of storing, analyzing, computing, transferring, organizing and presenting of data, including without limitation the Customer Personal Data, as part of the Subscription Service, for the benefit of the Customer’s purposes.
  1. Categories of Data: the Personal Data processed hereunder may contain the following:  

Pertaining to Customer Users: (i) first and last name; (ii) email address; (iii) an identification number assigned by the Company's Subscription Service platform to the User; (iv) name of the employing company.

  1. Categories of data subjects: The data subjects may include any persons using the Subscription Services for and on behalf of the Customer, such as its employees, consultants, contractors, and agents of Customer.  
  1. The frequency of the processing:  On an ongoing basis.
  1. The period for which the personal data will be retained: in accordance with the DPA

  1. Competent supervisory authority in accordance with Clause 13:

EU/EEA: [Customer to provide] the identity of its Lead Supervisory Authority (Data Exporter’s LSA).

Switzerland: FDPIC.

UK: ICO.

‍

‍

Exhibit C – Sub-Processor List

‍

| Entity Name | Sub-Processing Purpose | Data Handled | Hosting Region | Connection | Security Controls |
| --- | --- | --- | --- | --- | --- |
| AWS Elastic Kubernetes (EKS) | Cloud infrastructure for the xtype SaaS (Kubernetes/EKS, storage, networking) | Configuration metadata (update-set IDs, names, versions, status); application/plug-in names and versions; PII limited to user names; Optional artifacts (if enabled): Examples: ServiceNow XML update files, fix scripts, app/scoped-app XML bundles attached to release packages | us-west-2 (Oregon, USA), 3 AZs | AWS APIs (EKS/S3/KMS, etc.) over HTTPS/TLS 1.2+ (TLS 1.3 where supported) | Customer-initiated API calls only, no call-backs; role-based access. SOC-2 type II; hardened servers; Client-side encrypted on the customer’s ServiceNow instance with customer-managed keys; xtype receives only encrypted blobs and never has decryption keys. No customer content/records are visible to xtype |
| Auth0 (Okta Customer Identity Cloud) | OAuth2/OIDC authorization server for API access | client credential, access tokens, minimal auth metadata/logs | US | HTTPS | Encryption in transit/at rest; short-lived tokens; JWKS for signature verification |
| Confluent Cloud | Managed Kafka event streaming | Limited Personal Data only with short topic retention | US | Kafka Protocol over TLS 1.2+ | Encryption in transit/at rest, short topic retention, namespace/topic isolation |
| Temporal Cloud | Durable workflow orchestration | Workflow state identifiers/telemetry (no customer content) | US | gRPC over TLS 1.2+ | Encryption in transit/at rest, namespace isolation, execution history retention per policy |

Exhibit D - Security Standards

‍

  1. Scope & Principles
    xtype maintains administrative, technical, and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our program follows defense-in-depth, least privilege, and privacy-by-design principles, aligned to SOC 2 Type II controls and industry best practices.
  2. Governance & Compliance
  • Policies & training: Formal security, access, incident-response, secure-development, and vendor-risk policies; mandatory security & privacy training for all personnel with annual refreshers.
  • Independent assurance: Annual external penetration testing and SOC 2 Type II attestation. Remediation is tracked to closure.
  • Vendor management: Risk-based due diligence, DPAs; change notifications provided via our support portal.
  3. Architecture & Isolation
  • Cloud infrastructure: Hosted on AWS with multi-AZ redundancy, environment segregation (production/staging/test), and strict network segmentation.
  • Customer content boundaries & metadata-only processing: xtype orchestrates syncs and governance actions using operational metadata (e.g., object identifiers, environment names, job IDs, timestamps, status flags, non-content checksums).
  • No customer content/IP in the backend: Customer ServiceNow content and IP remain in Customer instances. The xtype backend does not require or store payload contents, credentials, or other sensitive customer information. All network flows are customer-initiated from ServiceNow to xtype; there are no backend-initiated connections into Customer systems.
  • Minimal PII handling (traceability only): To display provenance and audit trails, xtype may process limited account identifiers surfaced by ServiceNow (e.g., usernames associated with update sets or actions). Such identifiers are treated as operational metadata, scoped by role-based access, excluded from payload logs, and retained only per log retention policy. No special-category information, behavioral profiling, or marketing use.
  • Optional customer uploads: If Customers choose to upload artifacts (e.g., XML or fix scripts) during release workflows, content is encrypted client-side within Customer’s ServiceNow instance with Customer-held keys before transit; xtype cannot decrypt it and treats it as an opaque artifact in transit.
  4. Encryption & Key Management
  • In transit: TLS (modern ciphers; TLS 1.2+ with 1.3 preferred) for all external service endpoints.
  • At rest: Strong encryption (e.g., AES-256) for storage and backups; keys managed via AWS KMS with separation of duties and access logging.
  • Secrets hygiene: Centralized secret storage with least-privilege access. xtype API tokens are automatically rotated daily. Other internal service credentials are rotated on risk-based triggers (e.g., personnel/access changes, compromise indicators, or configuration changes).
  1. Access Control & Identity
  • RBAC & least privilege: Role-based access with need-to-know scoping; periodic access reviews and immediate revocation on role change or offboarding.
  • Strong auth: MFA enforced for privileged access; SSO supported for console and admin tooling.
  • Customer-side controls: Fine-grained application roles and permissions; audit trail for sensitive operations.
  1. Network & Platform Security
  • Segmentation & hardening: Security groups and minimal inbound exposure; hardened AMIs and container images; automated configuration baselines.
  • Edge protections: Input validation; xtype’s API is not public, which reduces exposure to volumetric attacks.
  • Monitoring: Centralized logging, metrics, and alerting pipelines.
  1. Secure Development & Testing
  • SDLC: Secure coding standards, peer review, and CI/CD with automated checks.
  • Security testing: SAST, dependency and container image scanning, and DAST on critical services; blocking severity SLAs for fixes.
  • Feature flags & gradual rollout: Risk-reduced releases via feature flags and phased enablement.
  1. Vulnerability & Patch Management
  • Scanning cadence: Continuous scanning of images, dependencies, and infrastructure.
  • Remediation SLAs: Critical - expedite; High - target within days; Medium/Low - tracked in backlog with risk-based prioritization.
  • Third-party advisories: Subscription to vendor and CERT feeds; emergency patching process defined.
  1. Logging, Monitoring & Incident Response
  • Audit logging: Authentication events (including login attempts), administrative actions, and security-relevant application events are logged and retained per policy. AWS control-plane activity is captured. Logs are designed to exclude payload contents; they may include limited operational identifiers (e.g., usernames) for traceability.
  • Monitoring & alerting: We maintain baseline health and availability monitoring with threshold-based alerts delivered to internal engineering channels. Alerts are reviewed during business hours with expedited escalation for high-severity issues.
  • Incident response: A documented Incident Response process governs triage, containment, remediation, recovery, and post-incident review. Roles and communication paths are defined, including coordination with affected Customers as needed.
  • Breach notification: Customers are notified without undue delay and within applicable legal timeframes once a notifiable personal-data breach is confirmed.
  1. Business Continuity & Disaster Recovery
  • Backups: Automated daily backups with encrypted storage.
  • Resilience: Multi-AZ deployment and automated service restarts for common failure modes.
  • Deletion: On Customer request, Customer Personal Data is returned or deleted.
  1. Data Subject Rights & Cooperation
    xtype will assist the Customer (as controller) in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability) and in performing DPIAs or consultations with supervisory authorities, in each case to the extent required under applicable law.
  1. Subprocessors

Subprocessors. xtype uses a small set of infrastructure/platform providers under their standard subscription terms. We rely on each vendor’s published DPA/transfer mechanism and review their public security attestations (e.g., SOC 2/ISO) on a risk-based cadence. Customer content remains in Customer’s ServiceNow instances; subprocessors primarily handle infrastructure/operational metadata. Our current subprocessor list is published, and we notify Customers of material changes according to the DPA.

Annex 1 – Standard Contractual Clauses

The Terms of the EU Standard Contractual Clauses shall be incorporated by reference into this DPA as follows:

  1. With regard to clauses 8 to 18 of the Standard Contractual Clauses, Module Two will apply. The Parties agree to include the optional Clause 7 (Docking clause) to the Standard Contractual Clauses incorporated into this Addendum. For the purpose of Clause 9 (a) Option 2: General Written Authorization shall apply. In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body. In Clause 17, Option 1 shall apply.
  1. Annex I to the EU SCC shall have the details set in Exhibit B of the DPA.
  1. Annex II to the EU SCC shall have the details set here: The current list of subprocessors is published in the xtype Support Portal Knowledge Base and is incorporated by reference into this DPA. It is accessible at https://xtype.service-now.com (search: “Subprocessors”). If the URL or article slug changes, xtype will provide the updated location and continue to provide advance notice of material changes as set out in the DPA.
  1. Annex III to the EU SCC shall have the details set in Exhibit D of the DPA.

Exhibit F – UK IDTA

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date

The Parties
Exporter (who sends the Restricted Transfer)
Importer (who receives the Restricted Transfer)

Parties’ details
Exporter:
Full legal name: as provided in Exhibit B
Trading name (if different): as provided in Exhibit B
Main address (if a company registered address): as provided in Exhibit B
Official registration number (if any) (company number or similar identifier): as provided in Exhibit B
Importer:
Full legal name: Xtype.io Inc.
Trading name (if different): NA
Main address (if a company registered address): 440 N Barranca Ave. Suite 7741 Covina, CA, 91723, US

Key Contact
Exporter:
Full Name (optional): as provided in Exhibit B
Job Title: as provided in Exhibit B
Contact details including email: as provided in Exhibit B
Importer:
compliance@xtype.io

Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs
☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: Effective Date as defined in the DPA
Reference (if any): N/A
Other identifier (if any): N/A
Or
☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module
Module in operation
Clause 7 (Docking Clause)
Clause 11  (Option)
Clause 9a (Prior Authorisation or General Authorisation)
Clause 9a (Time period)
Is personal data received from the Importer combined with personal data collected by the Exporter?
1
1

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: as provided in Exhibit B

Annex 1B: Description of Transfer: as provided in Exhibit B

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: as provided in Exhibit B

Annex III: List of Subprocessors (Modules 2 and 3 only): See Annex III of EU SCC as provided in Exhibit B

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19:
☒ Importer
☒ Exporter
☐ neither Party

Privacy and Data Protection Policy

Xtype.IO Ltd. (“us”, “we” or “our”) operates this website (the “Website”) and the related proprietary Enterprise Application Lifecycle Management Services, which are provided under separate agreement (the “Subscription Services”, and collectively with the Website, the “Services”).

We value your privacy and have posted this Privacy Policy to inform you of our practices regarding the collection, use and disclosure of personally identifiable information which we collect or are provided with in connection with your use of the Services (hereinafter, “Personal Data”).

By using the Services, you agree to the collection and use of information (including, without limitation, Personal Data) in accordance with this Privacy Policy.

We collect several different types of data for various purposes to provide and improve our Services to you.

Processing of any Personal Data collected from our customers in the framework of our Services is subject to the terms of the Data Processing Addendum located at https://www.xtype.io/dpa.html (“DPA”).

The Personal Data You Provide

While using our Services, we may ask you to provide us with certain Personal Data, which may include, but is not limited to:


(i) Email address
(ii) First name and last name
(iii) Phone number
(iv) Address, State, Province, ZIP/Postal code, City
(v) Demographic Information
(vi) Information concerning professional background
(vii) Billing Information


When you contact us, or when we contact you, we may receive and process any Personal Data that you provide us.


Though you are not required by law to provide us your Personal Data, failing to provide us with any necessary Personal Data might jeopardize our ability to provide you with essential services. We will not use or disclose your Personal Data for purposes other than those specified in this Privacy Policy.

The Personal Data that we collect

When you access our Services, our servers log certain 'traffic/session' information from your device, such as the country from which you use the Service, the browser type, operating system, geo-location and the Internet Protocol (IP) address. We also collect information about your activity, for example your log-in and log-out time, the duration of sessions, viewed webpages or specific content on webpages, etc. ("Usage Data").

We do not collect any Personal Data of our customers’ end users; however, we may collect Personal Data (such as the log-in details) of our Customers’ personnel in connection with provision of our Services.

Aggregated and Analytical Information

We may use Google Analytics and additional or other analytics tools, from time to time, to learn about how users use the website and Subscription Services, in support of our Service-related activities and operations. The privacy practices of these tools are subject to their own privacy policies and they use their own cookies to provide their service (for further information about cookies, please see the ‘Cookies’ section in this policy).

For further information about the Google Analytics privacy practices, please read their Privacy Policy at: https://policies.google.com/privacy?hl=en

You can also read How Google uses data when you use Google partners’ sites or apps at: https://policies.google.com/technologies/partner-sites

We reserve the right to use anonymous, statistical or aggregate data for any purpose, including, but not limited to, improving the content of our Website and the functionality of our Service, marketing, and analyzing the use of our Website and our Services. We may also disclose such anonymous aggregate information to our partners or third-party service providers, excluding any Personal Data, except as otherwise provided in this Privacy Policy.

Tracking & Cookies Data

We use cookies and similar tracking technologies to track the activity on our Services and hold certain information.


Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies used include beacons, tags, and scripts to collect and track information and to improve and analyze our Services.


You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services.

You can find more information about cookies and other online tracking technologies through the US Federal Trade Commission and the EU Commission websites at: https://www.consumer.ftc.gov/articles/0042-online-tracking or https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies+and+similar+technologies



If you wish to learn more about the types of cookies that we and our service providers use, and the ways these cookies are used, please contact us at: compliance@xtype.io.

What we do with your Personal Data

We use the Personal Data we collect and receive to provide you with Services, to study and analyze the functionality of our Services, to analyze users' activities, and to maintain, develop and improve our Services.

We may use your email address, and other contact information you provide, to contact you when necessary, to send you reminders and to provide you information and notices about our Services and the products and services of our commercial partners.

We obey the law and expect you to do the same. If necessary, we may use your Personal Data to enforce our terms, policies and legal agreements, to comply with court orders and warrants and assist law enforcement agencies, to collect debts, prevent fraud, misappropriation, infringements, identity thefts and any other misuse of our Services, and to take any action in any legal dispute and proceeding.

Disclosing Personal Data to Others

We will disclose your Personal Data to service providers and other third parties as necessary to fulfill the purposes for collecting the information and deliver the Services to you. We may also disclose your Personal Data to our affiliates - these include any subsidiaries, sister-companies and parent companies.

Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency). Additionally, circumstances may arise where we may be required to transfer your Personal Data to other entities in connection with a merger, acquisition, reorganization or sale of assets or in the event of liquidation or bankruptcy.

Removal of Personal Data from Our System

At any time, you can unsubscribe from our mailing lists or newsletters by sending us an opt-out request to: marketing@xtype.io.

At any time, you can exercise your following opt-out options: (i) object to the disclosure of your Personal Data to a third party, other than to third parties who act as our agents to perform tasks on our behalf, under our instructions, or third party publishers who received such Personal Data pursuant to the Terms and/or separate agreement with you; and (ii) object to the use of your Personal Data for a purpose that is materially different from the purposes for which we originally collected such Personal Data.

You can exercise your choice by contacting us at: compliance@xtype.io.

Following the termination or expiration of the Services, we will stop collecting any Personal Data from or about you. However, we will store and continue using or making available your Personal Data according to our data retention section in this Privacy Policy.

“Do Not Track” Signals

We do not support Do Not Track (“DNT”). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

Legal Basis for Processing Personal Data Under General Data Protection Regulation (GDPR)

If the data protection laws of the European Union apply to you, then the following terms will apply:

Our legal basis for collecting and using the Personal Data described in this Privacy Policy (when we act as data controllers):

(i) when you register to the Services we process the contact information that you provide to us, for the purpose of sending you from time to time (by email, SMS text message, telephone, post or other electronic means) information about our Services which may be important or of interest to you;
(ii) when processing of your Personal Data is necessary for us to perform our agreement with you;
(iii) when the processing of your Personal Data is necessary for us to comply with legal obligations to which we are subject, or to protect your and others’ vital interests;
(iv) when processing of your Personal Data is necessary for legitimate interests, such as cyber security and data protection, fraud detection, service maintenance and control, support, back-up, data disaster recovery.

Processing of your Personal Data under these lawful grounds is not subject to your consent to this Privacy Policy.

In addition to your rights under other sections in this Privacy Policy, you have the following rights:

(i) to access the Personal Data as specified below;
(ii) to contact us if you want to withdraw your consent to the processing of your Personal Data; exercising this right will not affect the lawfulness of processing based on consent before its withdrawal;
(iii) to request to delete or restrict access to your Personal Data - we may postpone or deny your request if your Personal Data is in current use for providing the Services (for example you have a pending claim) and/or according to other legitimate purposes such as compliance with regulatory requirements.

If you exercise one (or more) of the above-mentioned rights, in accordance with the provisions of applicable law, you may request to be informed that third parties that hold your Personal Data, in accordance with the relevant parts of this Privacy Policy, will act accordingly.

(iv) you may ask to transfer your Personal Data in accordance with your right to data portability;
(v) you may object to the processing of your Personal Data for direct marketing purposes;
(vi) you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you and/or similarly significantly affecting you;
(vii) you have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).

We do periodic assessments of our data processing and privacy practices, to make sure that we comply with this Privacy Policy, to update this Privacy Policy when needed, and to verify that this Privacy Policy is displayed properly and accessible.

A summary and further details about your rights under the European Union data protection laws are available on the European Commission’s website at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en

Accessing Your Personal Data

At any time, you may contact us at: compliance@xtype.io and request to access the Personal Data that we keep about you. Note that when you send us a request to exercise your rights, we will need to reasonably authenticate your identity and location. We will ask you to provide us credentials to make sure that you are who you claim to be and may ask you further questions to understand the nature and scope of your request.

If you find that the Personal Data on your account is not accurate, complete or updated, then please provide us the necessary information to correct it.

If you’d like us to delete Personal Data that you have provided, please contact us at: compliance@xtype.io and we will respond in a reasonable time. Please be advised that we may retain and use your Personal Data as necessary to comply with our legal obligations, resolve disputes and enforce our agreements. In addition, after we delete your Personal Data, residual copies may take some time before they are deleted from our active servers and may remain in our backup systems.

This deletion will not change or delete Personal Data which may have already been shared with third parties, as permitted in this Privacy Policy or any other agreement between you and us.

If you have any concerns about the way we process your Personal Data, you are welcome to contact our data protection team at: compliance@xtype.io. We will look into your enquiry and make good-faith efforts to resolve any existing or potential claim you may have. If you remain unsatisfied with our response, you may also refer the matter to the relevant supervisory authority.

Retention of Data

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of the Services, or when we are legally obligated to retain this data for longer time periods.

Transfer of Data

Your information, including Personal Data, may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

We store and process information in Amazon AWS US East and EU regions where our clusters run.

If you are a resident in a jurisdiction where transfer of your Personal Data to another jurisdiction requires your consent, then you provide us your express and unambiguous consent to such transfer. You can contact our data protection team at: compliance@xtype.io for further information about data transfer.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Data Security

We will use our best efforts to protect the confidentiality of your Personal Data. We use reasonable data security measures in line with industry standards. We also adopted strict rules that include technical and physical administrative measures for protecting your Personal Data, including protecting against Personal Data misuse and against unauthorized hacking.

Although we make efforts to protect your privacy, we cannot guarantee that the Service will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse. Should a security breach occur, despite our security measures, that is likely to result in a risk to the data privacy of a data subject, we will inform the relevant data subjects and other affected parties, as well as relevant authorities when required by applicable data protection and privacy laws, about the security breach as soon as reasonably possible.

Service Providers

We may employ third-party companies and individuals to facilitate our Services, to provide the Services on our behalf, to perform Service-related services or to assist us in analyzing how our Services are used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Links to Other Websites

Our Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's website. We strongly advise you to review the privacy policy of every website you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party websites or services.

Children's Privacy

We do not knowingly collect Personal Data from anyone under the age of 18. By agreeing to this Privacy Policy, you indicate that you are over the age of 18 and you also consent to the processing of the Personal Data of your children or legal dependents under the age of 18 (if applicable) in accordance with this Privacy Policy. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy, please contact us at compliance@xtype.io.

Data Controller: Xtype.IO Ltd.

Address: Avshalom Haviv 4, 6949503, Tel Aviv, Israel

Phone: +1 920 709 8645

EU representative: compliance@xtype.io

Data Protection Officer: compliance@xtype.io

Part 2: Mandatory Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum  

  3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.

Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.

Appendix Information: As set out in Table 3.

Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.

Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.

Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

ICO: The Information Commissioner.

Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.

UK: The United Kingdom of Great Britain and Northern Ireland.

UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

UK GDPR: As defined in section 3 of the Data Protection Act 2018.

  4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
  5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
  7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy  

  9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
  10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

  12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
  14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
  15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
    a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
    b. In Clause 2, delete the words:

“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

    c. Clause 6 (Description of the transfer(s)) is replaced with:

“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

    d. Clause 8.7(i) of Module 1 is replaced with:

“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

    e. Clause 8.8(i) of Modules 2 and 3 is replaced with:

“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

    f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
    g. References to Regulation (EU) 2018/1725 are removed;
    h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
    i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
    j. Clause 13(a) and Part C of Annex I are not used;
    k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
    l. In Clause 16(e), subsection (i) is replaced with:

“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

    m. Clause 17 is replaced with:

“These Clauses are governed by the laws of England and Wales.”;

    n. Clause 18 is replaced with:

“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

    o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum  

  16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  18. From time to time, the ICO may issue a revised Approved Addendum which:
    a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
    b. reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

  19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
    a. its direct costs of performing its obligations under the Addendum; and/or
    b. its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

  20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.