XAM

Legal Documents

Data Processing Addendum

Effective Date: January 1, 2025
Last Updated: November 22, 2025

1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between XAM ("we," "us," or "Processor") and you ("Customer" or "Controller") for the provision of assessment services.

This DPA sets out the terms that apply when personal data is processed by XAM on behalf of the Customer. It reflects our commitment to data protection and compliance with applicable privacy laws including GDPR, CCPA, and other regional regulations.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion
  • "Data Subject" means the individual to whom the Personal Data relates
  • "Sub-processor" means any third party engaged by XAM to process Personal Data
  • "Controller" means the entity that determines the purposes and means of processing Personal Data
  • "Processor" means the entity that processes Personal Data on behalf of the Controller

3. Scope of Processing

Categories of Data Subjects

  • Assessment creators and administrators
  • Assessment participants and test-takers
  • Workspace members and collaborators

Types of Personal Data

  • Identity data (name, email, user ID)
  • Assessment responses and performance data
  • Proctoring data (video, audio, screen recordings, behavioral analysis)
  • Technical data (IP address, device information, browser fingerprint)
  • Usage data (session logs, activity timestamps)

Purpose of Processing

  • Delivery and administration of assessments
  • Assessment integrity and proctoring services
  • Analytics, reporting, and performance insights
  • Platform improvement and AI model training
  • Security monitoring and fraud prevention

4. Processor Obligations

XAM agrees to:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to Data Subject requests
  • Assist with data protection impact assessments where required
  • Delete or return all Personal Data upon termination of services, at Customer's choice
  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections

5. Security Measures

We implement and maintain comprehensive security measures including:

Technical Measures

  • End-to-end encryption for data in transit (TLS 1.3)
  • AES-256 encryption for data at rest
  • Multi-factor authentication for system access
  • Regular penetration testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Automated backup and disaster recovery

Organizational Measures

  • SOC 2 Type II certification
  • Employee background checks and security training
  • Role-based access controls with least privilege principle
  • Incident response and breach notification procedures
  • Regular security audits and compliance reviews
  • Data protection officer appointment

6. Sub-processors

The Customer authorizes XAM to engage the following sub-processors for the processing of Personal Data:

Sub-processorPurposeLocation
Amazon Web Services (AWS)Cloud infrastructure, data storage, and computingGlobal (with regional options)
OpenAIAI-powered question generation and analysisUnited States
Qwen (Alibaba Cloud)AI model processing and inferenceGlobal
Mistral AIAI model processing and inferenceEuropean Union

XAM will inform the Customer of any intended changes to sub-processors, giving the Customer the opportunity to object. All sub-processors are bound by data protection obligations no less protective than those in this DPA.

7. AI and Model Training

Data Usage for AI Improvement

XAM may use anonymized and aggregated assessment data to improve our AI models and services. This includes:

  • Question quality analysis and optimization
  • Assessment difficulty calibration
  • Proctoring algorithm improvement
  • Natural language processing enhancements

Important: Personal identifiers are removed before any data is used for training purposes. Individual assessment responses are never shared or sold to third parties.

8. International Data Transfers

When Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms with all non-EEA sub-processors
  • Adequacy Decisions: Transfers to countries with adequate data protection levels
  • Supplementary Measures: Additional technical and organizational safeguards where required
  • Data Localization: Regional data storage options available for Enterprise customers

9. Data Subject Rights

XAM will assist the Customer in fulfilling Data Subject requests including:

  • Access: Providing copies of Personal Data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting Personal Data ("right to be forgotten")
  • Portability: Exporting data in machine-readable format
  • Restriction: Limiting processing activities
  • Objection: Stopping certain types of processing

We will respond to Customer requests within 72 hours and assist in meeting regulatory response deadlines.

10. Data Breach Notification

Breach Response Commitment

In the event of a Personal Data breach, XAM will:

  • Notify the Customer without undue delay, and within 24 hours of becoming aware
  • Provide detailed information about the nature and scope of the breach
  • Describe the likely consequences and measures taken or proposed
  • Cooperate with the Customer's breach response and regulatory notifications
  • Document all breaches and remediation actions taken

11. Data Retention and Deletion

XAM will retain Personal Data only for as long as necessary:

  • Active accounts: Data retained while account is active
  • Assessment data: Retained for 7 years unless earlier deletion requested
  • Proctoring recordings: Retained for 90 days unless flagged for review
  • Logs and analytics: Aggregated data retained; identifiable logs deleted after 12 months

Upon termination or Customer request, we will securely delete or return all Personal Data within 30 days, unless retention is required by law.

12. Audits and Compliance

XAM will make available to the Customer:

  • SOC 2 Type II audit reports (upon request and under NDA)
  • Penetration testing results and security certifications
  • Documentation of technical and organizational measures
  • Right to conduct audits with reasonable notice (at Customer's expense)

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set forth in the main service agreement. XAM will indemnify the Customer for damages arising directly from XAM's breach of this DPA or violation of applicable data protection laws.

14. Term and Termination

This DPA remains in effect for the duration of the service agreement and continues until all Personal Data has been deleted or returned. The obligations in this DPA survive termination to the extent necessary to protect Personal Data.

15. Contact Information

For questions about this Data Processing Addendum or to exercise data protection rights:

XAM is a product of Ankor

Email: legal@xam.to
Address: Ankor, SP-7A Primus, Guindy Industrial Estate, Chennai, Tamil Nadu 600032
Phone: Account manager will be assignement for enterprise customers.