← Back to Home
LEGAL

Data Processing Agreement

Last updated: March 25, 2026

1. Scope & Purpose

This Data Processing Agreement ("DPA") supplements the xHireAI Terms of Service and governs the processing of personal data by xHireAI ("Processor") on behalf of the Customer ("Controller") in connection with the xHireAI platform.

2. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person processed through the xHireAI platform.
  • "Processing" — any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • "Sub-processor" — a third party engaged by xHireAI to process Personal Data on behalf of the Controller.

3. Data Processing Terms

xHireAI processes Personal Data solely for the purpose of providing AI agent services as described in the Terms of Service. We process:

  • Call recordings and transcripts generated by AI voice agents
  • Chat conversation logs from AI chat agents
  • Lead contact information (name, phone, email) captured by agents
  • Appointment booking data

4. Security Measures

xHireAI implements appropriate technical and organizational measures, including:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Access controls with role-based permissions
  • Regular security assessments
  • Employee security training and confidentiality agreements
  • Incident response procedures with 72-hour breach notification

5. Sub-processors

xHireAI uses the following sub-processors:

  • Cloudflare, Inc. — Infrastructure hosting, edge delivery, and Durable Objects
  • Google LLC — Gemini AI model inference (Managed Infrastructure)
  • Stripe, Inc. — Payment processing
  • SignalWire, Inc. — Voice telephony and phone number provisioning
  • Deepgram, Inc. — Speech-to-text transcription
  • Cartesia AI — Text-to-speech voice synthesis

We will notify you before adding new sub-processors and provide you the opportunity to object.

6. Data Subject Rights

xHireAI will assist the Controller in responding to data subject requests (access, correction, deletion, portability) within 30 days. Contact privacy@xhire.ai to initiate a request.

7. Data Transfers

Personal Data is processed primarily within the United States. Where data is transferred outside of the EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

8. Data Retention & Deletion

Upon termination of services, xHireAI will delete all Customer Personal Data within 30 days, unless retention is required by law. You may request immediate deletion at any time.

9. Audit Rights

The Controller may audit xHireAI's compliance with this DPA once per year, with 30 days' written notice. xHireAI will provide reasonable cooperation and access to relevant documentation.

10. Contact

For DPA inquiries, contact us at privacy@xhire.ai.

`n