Data Processing Addendum
This Data Processing Addendum (DPA) governs the processing of personal data by 10ˣ on behalf of its customers.
1. Scope and Application
This DPA applies where 10ˣ processes personal data as a data processor on behalf of a customer (data controller) in connection with the 10ˣ platform and services. This DPA is incorporated by reference into the 10ˣ Terms of Service.
2. Definitions
Personal Data: Any information relating to an identified or identifiable natural person as defined under applicable data protection law.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Data Controller: The customer who determines the purposes and means of processing personal data.
Data Processor: 10ˣ, which processes personal data on behalf of the controller.
3. Processing Instructions
10ˣ will process personal data only on documented instructions from the customer, unless required by applicable law. If 10ˣ believes an instruction would violate applicable data protection law, it will notify the customer before processing.
4. Confidentiality
10ˣ ensures that persons authorized to process personal data are bound by appropriate confidentiality obligations. Personal data is not disclosed to third parties except as necessary to perform the services or as required by law.
5. Security Measures
10ˣ implements and maintains technical and organizational security measures to protect personal data against unauthorized access, loss, or destruction. These include: AES-256 encryption at rest, TLS 1.3 in transit, access controls, audit logging, and regular security assessments. Full details are available in our Security Policy.
6. Sub-processors
10ˣ may engage sub-processors to assist in providing services. All sub-processors are bound by data processing agreements with obligations equivalent to or stricter than those in this DPA. Customers may request the current list of sub-processors at any time.
7. Data Subject Rights
10ˣ will assist the customer in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction) within the timeframes required by applicable law. Requests should be directed to privacy@10xe.ai.
8. Data Breach Notification
In the event of a personal data breach, 10ˣ will notify the affected customer without undue delay, and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, and measures taken to address and mitigate the breach.
9. Data Deletion and Return
Upon termination of the services, 10ˣ will, at the customer's choice, delete or return all personal data within 14 business days. Deletion will be confirmed in writing. Backup copies will be purged within 90 days.
10. Audit Rights
Customers have the right to audit 10ˣ's compliance with this DPA, subject to reasonable notice and confidentiality obligations. 10ˣ may satisfy audit requests by providing relevant third-party audit reports (SOC 2, ISO 27001) or participating in customer-directed assessments.
11. International Transfers
Where personal data is transferred outside the EEA or UK, 10ˣ implements appropriate transfer mechanisms including Standard Contractual Clauses (SCCs) as required under applicable data protection law.
Last updated: January 2026. To execute a signed DPA or for data protection inquiries, contact privacy@10xe.ai.