Legal
Data Processing Addendum
Working version - last reviewed 2026-06-03
EXO acts as a data processor for your tenant. You (the agency) are the data controller for your workspace data and your clients' data. This page summarises how that relationship operates today.
Sub-processors: full live list at /legal/privacy. Notification of sub-processor changes via in-app banner + email with at least 14 days' notice for material additions.
Data residency: tenant data stored in Supabase EU (Ireland) region. Vercel function execution can occur in US edge regions for latency; no tenant data is persisted at the edge layer.
International transfers: where transfers occur (e.g. Anthropic + OpenAI inference is US-based), they rely on Standard Contractual Clauses + the EU-US Data Privacy Framework where applicable.
Data-subject requests: forward any subject access, erasure, or portability request to hello@exo-ai.ai. We assist with the response within 5 business days.
Breach notification: 24-hour notification to your named workspace admin for any confirmed breach affecting your tenant data, with reproduction details + remediation timeline.
Audit rights: enterprise tier includes annual audit-on-request (3 working days' notice). Other tiers receive our most recent SOC 2 / penetration-test summary on request.
A full signable DPA + executable Standard Contractual Clauses land with the formal terms doc when EXO Ltd incorporates. Email us sooner if you need an interim signed copy for procurement.
The full legal document lands when EXO Ltd incorporates. The summary above describes how we actually operate today.
Questions, data-subject requests, or enterprise-specific addendums: hello@exo-ai.ai