Data Processing Addendum

Last Updated: November 2, 2025

This Data Processing Addendum is part of the agreement between Advanced Structures India Pvt. Ltd. (ASI) and the Customer. It describes how ASI processes Personal Data on behalf of the Customer when the Customer uses xcPEP and xcPROC.
This DPA is read together with the Terms of Service at tos.xcpep.com and the information at trust.xcpep.com. Capitalized terms have the meaning given in the Agreement unless defined here.
ASI aligns its processing with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by CPRA (CCPA/CPRA). ASI is not claiming compliance with other privacy regimes or other security certifications.

1. Definitions

Data Protection Laws means GDPR and CCPA/CPRA, to the extent they apply to the Customer’s use of the services.
Personal Data means any information about an identified or identifiable natural person that ASI processes for the Customer as part of Customer Data.
Processing means any operation performed on Personal Data such as storage, use, disclosure, or deletion.
Sub-processor means a third party that ASI authorizes to process Personal Data to help deliver the services.
Standard Contractual Clauses (SCCs) means the European Commission standard contractual clauses for transfers of personal data to third countries (EU 2021/914).

1A. Details of Processing

1A.1 Subject Matter. The subject matter of the processing is the Personal Data that the Customer or its users submit to the services or that ASI processes on behalf of the Customer in connection with providing xcPEP and xcPROC.
1A.2 Duration. The duration of the processing is the term of the Agreement and any post-termination retention period described in this DPA.
1A.3 Nature and Purpose. The nature and purpose of the processing is to provide, operate, secure, support, and improve the services for the Customer, to handle support requests, and to meet legal and contractual requirements.
1A.4 Types of Personal Data. Typical personal data processed includes business contact details (name, business email, designation), identifiers (usernames, SSO IDs), service usage and audit logs, and any personal data that the Customer chooses to include in Customer Data.
1A.5 Categories of Data Subjects. Data subjects may include the Customer’s employees, contractors, consultants, and other personnel who are authorized to use the services, and any individuals whose personal data the Customer chooses to include in Customer Data.

2. Roles and Instructions

2.1 Controller and Processor

The Customer is the controller (or business under CCPA/CPRA). ASI is the processor (or service provider under CCPA/CPRA). The Customer decides the purposes and means of Processing. ASI will process Personal Data only on the Customer’s documented instructions.

2.2 Customer’s Instructions

By using the services, the Customer instructs ASI to process Personal Data to provide, operate, secure, and support xcPEP and xcPROC; to process Personal Data as initiated by Customer’s users; and to process Personal Data to follow reasonable written requests from the Customer, for example support tickets. ASI will not sell or share Personal Data as those terms are used in CCPA/CPRA, will not use Personal Data for its own purposes, and will not combine Personal Data received from the Customer with personal information from other persons or sources except as permitted to provide and secure the services or as otherwise permitted by CCPA/CPRA.

2.3 Customer’s Responsibilities

The Customer is responsible for having a lawful basis to provide Personal Data to ASI, for giving required notices and collecting required consents, and for ensuring that its use of the services and its instructions to ASI comply with GDPR and CCPA/CPRA. If the Customer is acting for another controller, the Customer confirms it is authorized to pass that controller’s instructions to ASI.

2.4 Customer’s Responsibilities

ASI will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests by data subjects to exercise their rights under applicable Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection)

3. Confidentiality and Security

3.1 Confidentiality

ASI will ensure that people who are authorized to process Personal Data are under an appropriate duty of confidentiality and only access data when needed for the service.

3.2 Security Measures

ASI maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, appropriate to the risk and consistent with applicable Data Protection Laws.

A summary of ASI’s technical and organizational measures is set out in Annex II (TOMs) and is incorporated into the Standard Contractual Clauses; a current descriptive version is also maintained at trust.xcpep.com. In the event of any inconsistency between the Trust Center materials and this DPA (including Annex II), this DPA and Annex II will control.

ASI may update the technical and organizational measures from time to time to reflect improvements or changes in security practices, provided such updates do not materially reduce the overall protection of Personal Data. Any material reduction will be notified to Customer in advance through the Trust Center or by email.

3.3 Customer Configuration

The Customer is responsible for how it configures the services, what fields it uses to store Personal Data, and which users it grants access to.

4. Sub-processors

4.1 Use of Sub-processors

The Customer authorizes ASI to use Sub-processors to deliver hosting, support, communications, and similar functions. The current list is referenced in Annex III and maintained at trust.xcpep.com.

4.2 Protections for Sub-processors

ASI will have a written agreement with each Sub-processor that requires the Sub-processor to protect Personal Data at least to the level described in this DPA. ASI remains responsible to the Customer for Sub-processors.

4.3 Changes to Sub-processors

ASI will give advance notice of new Sub-processors by posting at trust.xcpep.com or by email. If the Customer has a reasonable data protection objection, the Customer can notify ASI within 10 days. The parties will try to find a solution. If they cannot, the Customer may terminate the affected service and ASI will refund prepaid fees for the unused part.

5. International Data Transfers

5.1 Location of Processing

ASI is based in India. Personal Data may be stored and processed in India or in other locations where ASI or its Sub-processors operate, as needed to provide the services. Where the applicable Order Form specifies a supported data residency or hosting location, ASI will process Personal Data in line with that configuration.

5.2 Transfers from the EEA

Where Personal Data is transferred from the UK, the parties agree the UK IDTA or the UK Addendum to the EU SCCs (as applicable); where Personal Data is transferred from Switzerland, the parties agree the Swiss addendum/adjustments to the EU SCCs as required by the FDPIC. The information needed to complete the SCCs is taken from this DPA, the Agreement, and the information at trust.xcpep.com. If the SCCs are updated or replaced, the parties will work together in good faith to adopt the updated mechanism.

5.3 Government Requests

If ASI receives a lawful request from a public authority to disclose Customer Personal Data, ASI will, where legally permitted, notify the Customer before disclosing so the Customer may seek a protective order or other remedy. ASI will disclose only the minimum amount of Personal Data required to comply with the request. Where a request is overbroad or unclear, ASI will, where reasonable, challenge or seek to narrow the request.

6. Requests from Individuals

6.1 Assistance with Impact Assessments. Taking into account the nature of the processing and the information available to ASI, ASI will provide reasonable assistance to the Customer with data protection impact assessments and with consultations with supervisory authorities, to the extent required by GDPR and relating to the services.
6.2 Scope and Costs. Where such assistance requires material effort beyond making available existing documentation at trust.xcpep.com, the parties will agree on the scope and on a reasonable reimbursement of ASI’s costs.

7. Personal Data Breach

If ASI confirms a Personal Data breach that affects Personal Data processed for the Customer, ASI will notify the Customer without undue delay and in any case within 48 hours of confirmation. The notification will describe, to the extent known at the time, what happened, what data is involved, and what actions ASI is taking.
ASI will investigate, contain, and mitigate the breach and will cooperate with the Customer so the Customer can meet its own notification duties. Notification is not an admission of fault.

8. Return and Deletion

When the services end, or earlier if the Customer asks, ASI will either return Customer Data (including Personal Data) in a commonly used format or delete it, according to the Customer’s choice, unless ASI is required by law to retain some data. Backups will be deleted in the normal backup cycle.
ASI may retain minimal data such as logs or billing records to evidence service delivery, subject to confidentiality and security.

9. Information and Audits

ASI will make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits and inspections conducted by Customer or an auditor mandated by Customer, subject to reasonable notice, scope, confidentiality, and safety/security requirements on written request to infosec@xcpep.com no more than once per year. If the Customer has a legal requirement that cannot be met by reviewing that material, the parties will discuss a reasonable additional review subject to notice, scope, and confidentiality. Any additional audits or inspections beyond the standard materials may be subject to ASI’s then-current professional services rates and to scheduling to avoid disruption of ASI’s operations.

10. Conflict, Liability, and Updates

If there is a conflict between this DPA and the Agreement about data protection, this DPA will apply. This DPA does not increase ASI’s liability. All disclaimers and limitations in the Agreement also apply to this DPA.
If GDPR or CCPA/CPRA change in a way that makes this DPA incomplete, the parties will work together in good faith to update it. ASI may publish an updated version at tos.xcpep.com consistent with the change process in the Agreement.

11. Governing Law and Term

This DPA follows the governing law and dispute resolution terms in the Agreement, except where the SCCs require otherwise.
This DPA stays in effect for as long as ASI processes Personal Data for the Customer.
Questions about this DPA or data protection at ASI can be sent to infosec@xcpep.com.

ANNEX I

A. LIST OF PARTIES
Data exporter(s):
Name: Customer (As set forth in the relevant Order Form/Agreement)

Address: As set forth in the relevant Order Form/Agreement

Contact person’s name, position, and contact details: As set forth in the relevant Order Form/Agreement

Activities relevant to the data transferred: Use of xcPEP cost engineering and analysis services

Signature and date: As set out in the Agreement

Role: Controller

Data importer(s):
Name: Advanced Structures India Private Limited

Address: No. 40, 2nd Floor, 100 Feet Road, Hal 3rd Stage, New Thippasandra, Bangalore 560075, India

Contact person’s name, position, and contact details:
Name: Tanmay Naik
Position: Chief Information Security Officer
Email: infosec@xcpep.com

Activities relevant to the data transferred: Provision of xcPEP cost engineering platform and related services

Signature and date: As set out in the Agreement

Role: Processor

B. DESCRIPTION OF TRANSFER
Categories of data subjects: Customer’s authorized users of the xcPEP Services, including employees, contractors, and other personnel.

Categories of personal data transferred:
Contact information: (name, email address, phone number)
Authentication data: (username, encrypted passwords)
Usage data: (login times, feature usage, system interactions) and user-generated content within the xcPEP platform

Sensitive data transferred: No sensitive personal data is intentionally collected or processed. If sensitive data is inadvertently included in user-generated content, it is subject to the same protections as other Personal Data.

Frequency of transfer: Continuous basis during the term of the Agreement.

Nature of the processing:
– Collection and storage of Personal Data
– User authentication and access management
– Provision of cost engineering and analysis services
– Customer support and technical assistance
– System monitoring and maintenance

Purpose(s) of data transfer and further processing: To facilitate the performance of the xcPEP Services as described in the Agreement, including user account management, service delivery, customer support, and service improvement.

Retention period: Personal Data will be retained for the duration of the Agreement and for a period of up to three (3) years after termination, unless longer retention is required by applicable law or shorter retention is requested by the Controller.

For transfers to sub-processors: The subject matter, nature, and duration of processing by sub-processors is limited to hosting, infrastructure services, and technical support as necessary for the provision of the xcPEP Services.

C. COMPETENT SUPERVISORY AUTHORITY
For data exporters established in the EEA: The competent supervisory authority is as determined by application of Clause 13 of the EU Standard Contractual Clauses.

ANNEX II

Governance and scope

Information Security Management System (ISMS) with management approval, policies, and roles; risk‑based control selection and periodic reviews.

Security awareness and role‑based training; policy acknowledgments; phishing simulations.

Identity and access management

Single Sign‑On with MFA for workforce and admin access; least‑privilege RBAC with SoD; joiner–mover–leaver workflows and quarterly access reviews.

Just‑in‑time elevation for privileged tasks; break‑glass accounts isolated and monitored; API and service credentials stored in a secrets vault and rotated.

Data protection

Encryption in transit (TLS 1.2+ with modern ciphers and HSTS) and at rest (AES‑256 or provider‑equivalent); centralized key management and rotation.

Data classification drives access, logging, retention, and DLP where applicable; secure deletion procedures and validated data erasure at end‑of‑life.

Application security and SDLC

Secure‑by‑design lifecycle with threat modeling, peer review, secure coding standards (OWASP‑aligned), and protected branches.

CI/CD security gates: SAST, SCA, secrets and IaC scanning; pre‑release DAST and targeted VAPT; SBOM generation, pinned dependencies, artifact signing, and provenance.

Vulnerability and patch management

Continuous scanning of apps, images, and infrastructure; risk‑based remediation SLAs with verification rescans.

Baseline hardening and timely OS/firmware/agent patching; configuration drift detection and remediation.

Malware and endpoint protection

Enterprise EDR/anti‑malware with real‑time protection, behavioral/ransomware detection, scheduled scans, and agent health monitoring.

Application allow‑listing for critical systems; macro/script controls; removable‑media restrictions with on‑access scanning.

Network and perimeter security

Segmented VPC/VNet design separating prod/stage/dev; least‑privilege security groups/ACLs and egress controls.

Managed firewalls, WAF for public apps, CDN, and upstream DDoS protections; ZTNA/VPN with MFA for admin access; mTLS where applicable.

Wireless/NAC with 802.1X; guest networks isolated; DNS filtering; SPF, DKIM, DMARC for email authenticity.

Logging, monitoring, and detection

Centralized collection of auth, system, application, and network logs; time synchronized; immutable retention per policy.

NDR alerting with playbooks; threat‑intel enrichment; anomaly and exfiltration detection; on‑call escalation and post‑incident reviews.

Backup, resilience, and DR

Scheduled encrypted backups with cross‑region/cross‑account replicas and immutable restore points; restore tests against RTO/RPO.

High availability across multiple AZs; health checks, autoscaling, canary/staged rollouts, and documented rollback procedures.

Change and deployment management

Formal change management for infrastructure and code; approvals and audit trails; least‑privilege CI/CD credentials; environment separation enforced.

Third‑party and sub‑processor security

Due diligence and contractual security obligations for sub‑processors; scope‑limited integrations; continuous monitoring and notice/objection process for changes.

Incident response and breach notification

Defined incident classification, containment, eradication, and recovery procedures; customer communications and post‑incident summaries.

Personal data breach notification to customers without undue delay in line with contractual commitments.

Privacy by design

Data minimization, purpose limitation, and pseudonymization where appropriate; documented DPIA support and privacy reviews for material changes.

Retention and disposal

Documented retention schedules for production data, logs, and backups; secure deletion and certificate of destruction (where applicable); records of disposition.

Physical and cloud provider security

Use of reputable cloud providers with independent certifications; provider data‑center physical controls; least‑privilege IAM and SCPs at the account/org level.

Maintenance and assurance

– Periodic control testing, internal audits, and management reviews; risk register updates and corrective actions tracked to closure; versioned TOMs with review cadence.

ANNEX II

The current list of authorized sub‑processors is maintained at trust.xcpep.com