01 / Data Processing Agreement

How we handle your data for EU customers.

This DPA forms part of Xinvera's Terms of Service and Privacy Policy. It applies when Xinvera processes personal data on behalf of customers established in the EU, EEA, or UK.

Last updated · 24/05/2026 · GDPR compliant

01

Scope and definitions

This DPA applies to all personal data that Xinvera processes on your behalf when you use the platform, including:

  • Profile data of your employees or representatives who create accounts
  • Signals, articles, and messages submitted by your users
  • Usage data generated by your account

Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679). By using Xinvera, you (the Controller) and Xinvera (the Processor) agree to this DPA.

02

Types of personal data and data subjects

  • Categories of data subjects — your employees, contractors, or representatives who use Xinvera under your business account.
  • Types of personal data — name, tagline, business contact information (work email, phone), profile photo, industry, location, Signals, InMail messages, login activity.
  • Special categories — Xinvera does not intentionally collect sensitive data (e.g., health, political opinions, biometrics). If you upload such data, you are responsible for compliance.

03

Processor obligations

Xinvera shall:

  • Process personal data only on your documented instructions unless required by EU or Member State law.
  • Ensure that persons authorized to process data commit to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Notify you without undue delay after becoming aware of a personal data breach affecting your data.
  • Assist you with responding to data subject requests (access, rectification, erasure, restriction, portability, objection).
  • Assist you with data protection impact assessments and prior consultations where necessary.
  • Delete or return all personal data at the end of services (unless law requires retention).
  • Make available all information necessary to demonstrate compliance with this DPA.

04

Subprocessing

Xinvera uses subprocessors to provide the service, including cloud hosting, transactional email delivery, and customer support platforms. We do not use subprocessors for advertising or unauthorized data mining.

You authorize Xinvera to engage these subprocessors. Xinvera shall enter into a written agreement with each subprocessor containing data protection obligations equivalent to this DPA. Xinvera remains fully liable for subprocessor compliance.

If we add or replace a subprocessor, we will notify you via email or in-app notice. You may object within 14 days; if unreasonable, you may terminate your account.

05

Security measures

Xinvera implements the following technical and organizational measures:

  • Encryption — TLS 1.3 in transit, AES-256 at rest
  • Access controls — role-based access, least privilege, multi-factor authentication for staff
  • Logging and monitoring — audit logs of access to production systems
  • Backup and disaster recovery — encrypted backups, geographically redundant
  • Incident response — documented plan, breach notification within 72 hours of confirmation
  • Regular testing — vulnerability scans and penetration tests at least annually

06

Data transfers

Personal data may be transferred from the EU/EEA/UK to Hong Kong SAR (primary processing location), Singapore, and the United States.

Xinvera relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission (2021/914/EU) as the appropriate safeguard. For transfers from the UK, we rely on the International Data Transfer Addendum.

You may request a copy of the SCCs by contacting privacy@xinvera.com.

07

Data subject rights

If you receive a request from a data subject (e.g., one of your employees) to exercise their GDPR rights in relation to data processed by Xinvera on your behalf:

  • You shall respond to the request (as Controller)
  • Xinvera will assist by providing relevant data, enabling corrections, or deleting data as instructed
  • Xinvera will not respond directly to the data subject without your authorization

08

Audit rights

Once per calendar year, you may request a third-party audit (at your expense) of Xinvera's data protection practices, subject to confidentiality and reasonable scheduling. Alternatively, Xinvera will provide a SOC 2 Type II or ISO 27001 report if available.

09

Return and deletion of data

Upon termination of your Xinvera account:

  • Xinvera will make your data available for export for 30 days
  • After 30 days, personal data will be deleted from active systems within 90 days
  • Data retained for legal compliance (e.g., tax records, fraud logs) will be anonymized where possible

10

Liability

Xinvera's total liability under this DPA is subject to the Limitation of Liability clause in the Terms of Service. Each party's liability for breaches of data protection law remains as set forth in applicable regulations.

11

Governing law and jurisdiction

This DPA is governed by the laws of Hong Kong SAR, except where EU data protection law requires otherwise (e.g., the SCCs refer to the law of an EU Member State). Disputes shall be resolved as set forth in the Terms of Service.

12

Contact

For DPA-related inquiries or to exercise your rights as Controller: dpa@xinvera.com