Data Processing Agreement (DPA) — XELIA
ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V.
Version 1.0 — Compliant with GDPR (Art. 28), Mexico LFPDPPP, Colombia Law 1581 and equivalents
Preamble. This Data Processing Agreement ("DPA") forms an integral part of the Terms and Conditions and the Privacy Notice between ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V. ("XELIA" or "Processor"), with registered office at Avenida División del Norte, Colonia Lomas de Memetla, CP 05330, Alcaldía Cuajimalpa de Morelos, Mexico City, Mexico; and the Client registered on the platform ("Controller"), whose corporate name, address and legal representative are recorded in the XELIA dashboard registration. The parties agree to govern the processing of personal data carried out by XELIA on the Client's behalf under the following clauses.
1. Definitions
- Personal Data: any information about an identified or identifiable natural person processed by XELIA on the Client's behalf.
- Controller: the Client, who determines the purposes and means of the processing.
- Processor: XELIA, who processes the data on the Controller's behalf.
- Sub-Processor: a third party authorized by XELIA to support the processing (Anthropic, OpenAI, Google, Perplexity, Deepgram, Stripe, Twilio, AWS, Hetzner, Cloudflare, Meta).
- Data Subject: the natural person to whom the data belongs.
- GDPR: EU General Data Protection Regulation 2016/679.
- LFPDPPP: Federal Law on Protection of Personal Data Held by Private Parties (Mexico) 2025.
- Security breach: any incident that compromises the confidentiality, integrity or availability of the Personal Data.
2. Subject matter and scope
2.1 Subject matter of the processing
The Controller entrusts XELIA with the processing of Personal Data to provide the contracted services according to the active plan (IMPULSO, PRO, MAX or ENTERPRISE).
2.2 Nature and purpose of the processing
- Storage and management of leads, prospects and contacts.
- Execution of AI voice calls (inbound and outbound).
- Sending WhatsApp, SMS and email messages on the Controller's behalf.
- Automated analysis of conversations and insight generation.
- Content generation for the Controller's social networks.
- Reports, dashboards and performance metrics.
- Any other functionality included in the contracted plan.
2.3 Type of data processed
- Identification data (names, corporate names).
- Contact data (phones, emails, addresses).
- Commercial data (purchase history, preferences).
- Conversation data (voice, text, transcripts).
- Voice biometric data (with separate consent from the Data Subject).
- Automatically generated data (lead scores, sentiment analysis).
- Technical metadata (call duration, channels, timestamps).
2.4 Categories of Data Subjects
- Prospects and potential customers of the Controller.
- Active customers of the Controller.
- Employees of the Controller (if they use the platform).
- End users of the Controller's services.
2.5 Duration
The processing will be carried out while the Controller maintains an active contract with XELIA. Upon termination of the contractual relationship, the retention periods established in section 7 of XELIA's Privacy Notice apply.
3. XELIA's obligations as Processor
3.1 Process data only in accordance with documented instructions
XELIA shall process the Personal Data solely in accordance with the Controller's documented instructions, including the Terms and Conditions, dashboard configurations, prompts and campaign parameters. General instructions are documented in this DPA; additional specific instructions may be given in writing to privacidad@xelia.ai.
3.2 Ensure confidentiality
XELIA guarantees that all personnel authorized to process the Personal Data:
- Are subject to contractual confidentiality obligations.
- Have received data protection training.
- Access data under the "need to know" principle.
3.3 Implement technical and organizational measures
XELIA implements and maintains appropriate security measures, including:
- TLS/SSL encryption in transit for all communications.
- AES-256 encryption at rest for sensitive data.
- bcrypt + salt hashing for passwords.
- Two-factor authentication available.
- Granular multi-tenant RBAC access control.
- Firewall and WAF via Cloudflare.
- Persistent audit logs.
- Encrypted backups with 30-day retention.
- Periodic security testing.
- Automatic sanitization of sensitive data (CURP, RFC, cards, CLABE, emails, phones) before sending to external AI providers.
3.4 Assist the Controller
XELIA shall reasonably assist the Controller in:
- Handling Data Subject rights requests (ARCO, GDPR, Habeas Data, ARSOPOL).
- Carrying out data protection impact assessments (DPIA) when applicable.
- Notifying security breaches according to section 5.
- Complying with prior consultation obligations with authorities.
3.5 Delete or return data upon termination
Upon termination of service provision, at the Controller's choice, XELIA shall:
- Return the Personal Data in a structured and commonly used format (JSON/CSV), OR
- Delete the Personal Data, except where legally required to retain it.
Backups are automatically deleted after 30 days. Tax and accounting data are retained for up to 10 years in accordance with the Federal Tax Code (Mexico).
3.6 Demonstrate compliance
XELIA shall make available to the Controller all information necessary to demonstrate compliance with this DPA, including allowing and contributing to reasonable audits (maximum one per year) with 30 days' prior notice, at the Controller's cost.
4. Sub-processors
4.1 General authorization
By accepting this DPA, the Controller authorizes XELIA to engage the following sub-processors:
| Sub-processor | Country | Purpose | Safeguards |
|---|---|---|---|
| Anthropic, PBC | USA | AI analysis with Claude | Commercial contract + no training |
| OpenAI, L.L.C. | USA | Voice, transcription, moderation | Business Terms + no training |
| Google LLC (Gemini) | USA | Long context, summaries | Gemini API Paid Tier (no training) |
| Perplexity AI | USA | Real-time search | API commercial terms |
| Deepgram, Inc. | USA | Production STT and TTS | Enterprise terms + no training |
| Stripe, Inc. | USA | Payment processing | Stripe DPA + SCCs |
| Twilio, Inc. | USA | Telephony and WhatsApp | Twilio DPA + SCCs |
| Amazon Web Services | USA (us-east-1) | Email (SES), backups | AWS DPA + SCCs |
| Hetzner Online GmbH | Germany | Primary hosting | EU jurisdiction (adequacy) |
| Cloudflare, Inc. | Global | CDN and security | Cloudflare DPA + SCCs |
| Meta Platforms, Inc. | USA | WhatsApp Business Platform | Meta Business DPA |
4.2 Change of sub-processors
XELIA shall notify the Controller of any change or addition of sub-processors at least 30 days in advance by email and a dashboard banner. The Controller may raise a reasoned objection within 14 days of that notice. If an objection is raised, XELIA shall attempt a reasonable solution or, if none is possible, the Controller may cancel the service without penalty.
4.3 Responsibility
XELIA is responsible for its sub-processors' compliance with data protection obligations. XELIA enters into contracts with each sub-processor imposing obligations equivalent to those of this DPA.
5. Security breach notification
5.1 Obligation to notify
XELIA shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of any security breach affecting the Controller's Personal Data.
5.2 Content of the notification
The notification will include, to the extent known at the time:
- Nature of the breach and categories and approximate number of affected Data Subjects.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
- Point of contact for further information.
5.3 Cooperation with authorities
XELIA shall reasonably cooperate with the Controller so it can meet its notification obligations to data protection authorities and affected Data Subjects, when applicable law so requires.
6. International transfers
6.1 Primary location
Data is stored primarily on servers of Hetzner Online GmbH (Germany). Certain processing is carried out in the United States by the sub-processors listed in section 4.1.
6.2 Transfer mechanisms
- From the EU/EEA: XELIA relies on updated Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
- From Mexico: compliance with Chapter V of LFPDPPP.
- From Colombia: compliance with Chapter VII of Law 1581.
- From Argentina: compliance with Art. 12 of Law 25.326.
- From Chile: compliance with Title V of Law 21.719.
7. Controller's rights
The Controller has the right to:
- Receive a signed copy of this DPA.
- Receive information about sub-processors used.
- Object to sub-processor changes on reasoned grounds.
- Request reasonable assistance to handle Data Subject rights.
- Conduct audits pursuant to clause 3.6.
- Terminate the service in case of material breach of the DPA.
- Request return or deletion of data at the end of the relationship.
8. Term and termination
This DPA enters into force upon the Client's acceptance during onboarding (specific checkbox) and remains in effect for as long as a contractual relationship exists between the parties.
Obligations that by their nature must survive (confidentiality, return of data, limitations of liability) continue to apply after termination.
9. Liability
The parties' liability regarding the processing of Personal Data shall be determined in accordance with applicable data protection laws. No clause of this DPA limits liabilities that are non-waivable by law.
The general limitation of liability set forth in the Terms and Conditions also applies to this DPA, except where prohibited by law.
10. Governing law and jurisdiction
This DPA is governed by the laws of the United Mexican States. Any dispute will be submitted to the competent courts of Mexico City, without prejudice to the Data Subject's rights before data protection authorities in their own jurisdiction.
11. Acceptance
This DPA is deemed accepted by the Controller upon ticking the corresponding checkbox during XELIA's onboarding:
[ ] I have read and accept XELIA's Data Processing Agreement (DPA), version 1.0
Acceptance is recorded in audit_log with timestamp, DPA version, Client identity and equivalent digital signature.
12. Contact
For matters relating to this DPA:
- Data Protection Officer: Leonardo Abad Galán
- Official email: privacidad@xelia.ai
- Backup DPO: cibscyc@proton.me
ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V. — Mexico City, Mexico
Effective date: April 30, 2026 · Version: 1.0 (Standard Template)
© 2026 ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V. — XELIA® registered trademark.