Data Processing Agreement (DPA)
Effective Date: 05-Nov-2025
This Data Processing Agreement (“DPA”) is entered into between any Business Client (“Data Controller”) and Xcelore Private Limited (“Data Processor”), a private limited company incorporated under the laws of India, bearing Company Identification Number U63122UP2023PTC187753 and GST Registration Number 09AAACX4618E1ZD, with its registered office at A-47, Third Floor, Sector 2, NOIDA, Gautam Buddha Nagar, Uttar Pradesh, India - 201301 (collectively, the “Parties”). This DPA shall be a part of the terms and conditions between the Parties and governs the processing of Personal Data by Xcelore on behalf of the Data Controller.
Xcelore provides ‘Exei’, an AI Agent software (“Software”) to improve customer service, automate tasks, and improve user/customer experience on platforms like websites, mobile apps, Instagram, Slack, toll-free number and other channels. The Data Controller engages Xcelore to process Personal Data to deliver the customer services. Both Parties commit to complying with applicable data protection laws and relevant AI regulations, if applicable.
Any Business Client that subscribes to the services provided by Xcelore, utilises the Exei AI Agent, or acknowledges by selecting “I have read the Data Processing Agreement and I agree to the clauses contained therein” shall be deemed to have given their consent to be bound by this Agreement. Xcelore shall process Personal Data as per the Data Controller’s requirements and in response to queries submitted by the Data Controller’s Customer / End User while using the Exei AI Agent, implementing appropriate measures to ensure data security.
1. DEFINITIONS
- Consent: A freely given, specific, informed, and unambiguous indication of agreement by the Data Controller and/or the End Users to the retention and Processing of Personal Data, expressed through a clear affirmative action.
- Sensitive Personal Data: Personal Data requiring extra protection, including but not limited to, political affiliations, religious beliefs, race, sexual orientation, health, biometric data or financial information.
- Personal Data: Information identifying a User, including but not limited to name, email, contact number, payment details, IP address, device information, usage data, location, chat logs, or queries.
- Processing Personal Data: A wholly or partly automated operation or set of operations performed on Personal Data of Users / Customers and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure and destruction.
- Software: Exei, an AI Agent powered by Xcelore, which enables AI-driven interactions to provide customer services on behalf of the Data Controller.
- Sub-processors: Trusted service providers engaged by Xcelore to support its Services. The list of Xcelore’s sub-processors can be found here: Sub-processors.
- Third Party: Any individual or entity other than the Customers / End Users, Data Controller, Data Processor and Sub-processors.
- Customer / End User: An individual who is a data subject and whose Personal Data is processed, including the Data Controller’s customers or End Users.
2. SCOPE AND ROLES
2.1 Data Controller
The Data Controller alone or in conjunction with other persons determines the purpose and means of processing Personal Data through Exei. The Data Controller shall:
- Ensure Personal Data is collected lawfully with the consent of the User / Customer.
- Specify in its Data Privacy Policy that Xcelore’s role is that of a Data Processor and inform their Users/customers of their data rights.
- Notify Xcelore immediately in case any User sends any request to exercise User rights or in case of any inquiry by any regulator.
- Be responsible for the legality and accuracy of the Personal Data of Users provided to Xcelore.
2.2 Data Processor (Xcelore)
Xcelore, as Data Processor, processes Personal Data only as per the requirements of the Data Controller and End Users. Xcelore shall:
- Not use Personal Data for its own purposes unless authorised by the Data Controller or required by law. In case Xcelore uses the Personal Data for its own purpose or for any other purpose not authorised by the Data Controller, Xcelore shall notify the Data Controller immediately, unless prohibited.
- Ensure that the personnel handling Personal Data are bound by confidentiality agreements and trained in data protection.
- Implement the security measures to protect Personal Data.
- Assist the Data Controller with User rights requests and regulatory compliance.
2.3 Sub-processors
Xcelore engages trusted service providers to support its Services. Such service providers are contractually obligated to protect Personal Data and process it only for purposes specified by Xcelore.
3. SUBJECT MATTER AND PURPOSE
3.1 Subject Matter
Xcelore processes Personal Data to support the Data Controller’s services via Exei, including:
- Storing and managing data in the Software’s infrastructure.
- Processing User inputs for AI Agent responses.
- Sharing data with the Data Controller or authorised providers as required by the Data Controller.
- Analysing technical data to ensure security and prevent fraud.
- Using anonymised data for AI training, if permitted by the Data Controller.
3.2 Purpose
Xcelore processes Personal Data to deliver services, enhance User interactions with AI Agent and improve the performance of the Software, while ensuring security and meeting legal obligations.
4. OBLIGATIONS OF THE DATA PROCESSOR
4.1 Lawful Processing
Xcelore shall process Personal Data only as required by the Data Controller and the End Users, unless required by law. In case Xcelore is required to process Personal Data not as per the requirements of the Data Controller, Xcelore shall notify the Data Controller promptly, unless prohibited. Xcelore shall align with the Data Controller’s legal basis for processing.
4.2 User Rights
Xcelore shall assist the Data Controller with User requests for rights like access, rectification, erasure, or portability. Xcelore shall forward the direct User requests received to the Data Controller and act only as required, and shall maintain records of such requests.
4.3 General Obligations
Xcelore shall maintain processing records, ensure confidentiality and cooperate with audits, notifying the Data Controller of legal changes impacting processing.
5. OBLIGATIONS OF THE DATA CONTROLLER
The Data Controller shall:
- Ensure lawful data collection, including parental consent for Users under 18 years of age.
- Notify Xcelore of User rights requests or regulatory inquiries promptly.
- Maintain accurate, lawful Personal Data and transparent privacy policies.
- Indemnify Xcelore for claims arising from the Data Controller’s non-compliance.
6. SECURITY MEASURES
Xcelore implements robust technical and organisational measures to protect Personal Data against unauthorised access, loss, alteration, or disclosure, including:
- Encryption: Data is encrypted in transit and at rest.
- Access Controls: Access is restricted to authorised personnel only, with role-based permissions.
- Security Assessments: Regular audits and vulnerability scans to maintain system integrity.
- Contractual Safeguards: Agreements with third-party service providers to ensure compliance with data protection.
In the event of a breach: Xcelore will notify the Data Controller, mitigate the breach, cooperate in compliance, and prevent recurrence.
7. DATA TRANSFERS
Xcelore may process Personal Data on servers located outside the country where it was collected. Xcelore complies with the applicable data protection laws for international transfers. Data Controllers are responsible for ensuring that they comply with their obligations for international transfers.
8. DATA SUBJECT RIGHTS
Xcelore shall provide reasonable assistance to the Data Controller in responding to requests of Users / Customers to exercise their rights under applicable laws. Xcelore shall respond to the Data Controller’s requests for assistance within 30 days or as required under the law. If Xcelore receives a User request directly, it shall forward the request to the Data Controller and refrain from taking further action unless required by law. Xcelore shall maintain records of all User requests and actions taken, providing these to the Data Controller upon request.
9. DATA RETENTION AND DELETION
Xcelore shall retain Personal Data only for the period necessary to fulfil the purposes outlined in this DPA or as required by the Data Controller. Upon termination or expiration of the Subscription Plan, Xcelore shall either return all Personal Data to the Data Controller or securely delete all Personal Data from its systems, databases, and backups, as required by the Data Controller. Upon complete deletion of Personal Data, Xcelore shall provide the Data Controller with a confirmation that all Personal Data has been permanently deleted and is no longer accessible or recoverable.
11. LIABILITY AND INDEMNITY
11.1 Indemnification by Data Processor
Xcelore shall indemnify and hold harmless the Data Controller from any losses, fines, penalties, or claims arising from Xcelore’s breach of this DPA or applicable data protection laws, subject to the limitations mentioned in the Terms & Conditions, Privacy Policy and this DPA.
11.2 Limitation of Liability
Xcelore’s liability under this DPA shall be subject to the limits set forth in the Terms & Conditions, Privacy Policy and this DPA, except where such limitations are prohibited by applicable law. In case Xcelore’s liability arises under the applicable law, the same shall be limited to the subscription fees paid by the Data Controller/Business Client in the preceding 12 months.
11.3 Indemnification by Data Controller
The Data Controller shall indemnify and hold harmless Xcelore from any losses, fines, penalties, or claims arising from the Data Controller’s failure to comply with applicable data protection laws, or from the Data Controller’s provision of Personal Data that was not lawfully obtained or lacks a valid legal basis for processing. This indemnification shall be subject to the limitations set forth in the Terms & Conditions, Privacy Policy and this DPA, except where such limitations are prohibited by applicable law.
12. TERM AND TERMINATION
12.1 Term
This DPA shall remain in effect for the duration of the Subscription Plan.
12.2 Termination
Upon termination of the Subscription Plan, Xcelore shall immediately cease processing Personal Data and comply with the data deletion or return requirements.
13. GOVERNING LAW AND DISPUTE RESOLUTION
This DPA shall be governed by the laws of India, without regard to its conflict of law principles. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts in Noida, India, unless otherwise required by applicable law.
14. MISCELLANEOUS
14.1 Amendments
Any amendments to this DPA shall require a written agreement signed by both Parties.
14.2 Severability
If any provision of this Data Processing Agreement is found to be unenforceable, the remaining provisions shall remain in full force and effect.
14.3 Entire Agreement
This DPA, together with Terms & Conditions and Privacy Policy, constitutes the complete agreement between the Parties concerning the processing of Personal Data.
