Data Processing Agreement

For workspaces that handle EU/UK personal data through xlinked. This DPA is built on the SCCs and applies automatically when you create your first segment — no signature required.

§1Parties & scope

This DPA forms part of the agreement between xlinked ("Processor") and the workspace owner ("Controller") when the Controller creates a segment that processes personal data of EU/UK data subjects via xlinked. It incorporates the EU Standard Contractual Clauses (Module Two: Controller to Processor) by reference.

§2Subject matter & duration

Processing is limited to delivering LinkedIn-derived profile and company data requested through the workspace API, plus routing metadata in the audit log. Duration matches the workspace subscription unless terminated earlier under the Terms.

§3Processor obligations

• Process only on documented instructions from the Controller (API calls + workspace settings).
• Ensure personnel are bound by confidentiality.
• Implement technical and organizational measures per Annex II (see Security overview).
• Notify the Controller of personal-data breaches within 48 hours of awareness.
• Assist with data-subject requests and DPIAs where technically feasible.
• Delete or return data within 30 days of contract end, except where law requires retention.

§4Sub-processors

The current list is maintained at /legal/sub. We give 30 days' notice before adding a sub-processor; the Controller may object on reasonable grounds.

§5International transfers

Primary processing occurs in the United States (US East · Washington, D.C.). For EU/UK personal data, transfers to the US are covered by the Standard Contractual Clauses and supplementary measures in this DPA. If a sub-processor changes region, we document it on the sub-processor page within 24 hours of the change.