Policy

Standard Contractual Clauses Addendum.

This addendum describes the safeguards Xirsys uses when client personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision.

Standard Contractual Clauses Addendum

Last updated: September 16, 2025

This addendum supplements the Data Processing Agreement and applies to relevant cross-border transfers of client personal data.

DPAProcessing terms for client personal data. Privacy PolicyData handling, metrics, service traffic, and rights. Sub-processorsApproved providers and service purposes.

1. EU SCCs and UK Addendum

  • The parties incorporate the EU Commission Standard Contractual Clauses (2021), Module 2: Controller to Processor, as amended from time to time.
  • For UK transfers, the ICO International Data Transfer Addendum to the EU SCCs applies.
  • For Switzerland, references to EU law and GDPR are deemed to include Swiss FADP and the FDPIC where applicable.

2. Annex I summary

  • Data exporter: the client as controller.
  • Data importer: Xirsys, LLC as processor.
  • Data subjects: client personnel and representatives, including account users, billing contacts, and support contacts.
  • Client end users: participants in WebRTC applications only to the extent transient technical data, such as IP addresses, is relayed through Xirsys infrastructure to establish connections. Xirsys does not store IP addresses or communications content from service traffic.
  • Categories of data: client account data, contact and billing details, aggregated account metrics, and transient session data used during connection setup.
  • Frequency: continuous as necessary to provide the services.
  • Purpose: account administration, billing, support, security, service improvement, and transient relay of encrypted session traffic to facilitate real-time communications.
  • Retention: client personal data is retained according to the DPA. Service traffic, including transient IP addresses, is relayed but not stored. Aggregated, non-identifiable metrics are retained for billing and support.
  • Supervisory authority: determined under the SCCs based on the client's establishment.

3. Annex II technical and organizational measures

  • Encryption in transit and at rest for client personal data.
  • Authentication, access control, least privilege, and role-based permissions.
  • Logging, monitoring, vulnerability management, and patch management.
  • Network security, segmentation, and DDoS protections.
  • Personnel security and confidentiality commitments.
  • Secure development lifecycle and change management.
  • Incident response and breach notification processes.
  • Vendor risk management and sub-processor due diligence.
  • Business continuity and disaster recovery practices.

4. Annex III sub-processors

The current approved sub-processor list is published on the Sub-processors page. The controller authorizes these sub-processors, and Xirsys will notify the controller of material changes with an opportunity to object consistent with the SCCs and DPA.

5. Conflicts

If the SCCs conflict with another agreement, the SCCs control to the extent of the conflict for cross-border transfers.