Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller," "you") and Xzect Labs Private Limited ("Processor," "we") for News Studio where we process personal data on your behalf. It supplements our Terms of Service and Privacy Policy.

By using the Service to process personal data about third parties, you agree to this DPA. If you require a signed copy, contact contact@newsstudio.io.

This DPA supports GDPR-style controller/processor expectations, international transfer safeguards, subprocessors used for hosting/analytics/payments, and alignment with payment gateway and major platform partner requirements, alongside our Privacy Policy and Security Policy.

2. Definitions

• "Personal Data" means information relating to an identified or identifiable natural person processed under this DPA.
• "Processing," "Controller," "Processor," and "Data Subject" have meanings under applicable data protection law (including GDPR where applicable).
• "Sub-processor" means a third party engaged by us to process Personal Data.
• "Standard Contractual Clauses" (SCCs) means EU/UK approved contractual clauses for international transfers, as amended.

3. Scope & Duration

This DPA applies while we process Personal Data on your behalf in connection with the Service. It terminates when all Personal Data is deleted or returned per Section 12, except obligations that survive.

4. Roles & Instructions

You are the Controller for Personal Data you submit about your audience, staff, or sources. We are the Processor and process Personal Data only on your documented instructions as set forth in the Terms, this DPA, and configuration of the Service—including publishing, storage, AI processing, and support.

If we believe an instruction infringes applicable law, we will inform you without undue delay. You warrant that you have a lawful basis and necessary notices for Processing.

5. Details of Processing

Subject matter: provision of AI news generation, scheduling, automation, and publishing services.

Duration: term of your Subscription plus retention per Section 12.

Categories of Data Subjects: your readers, customers, employees, contributors, and other individuals whose data you upload or generate.

Types of Personal Data: contact details, account identifiers, content, usage logs, social handles, and technical metadata as described in our Privacy Policy.

Sensitive data: you will not upload special category data unless permitted by law and configured with appropriate safeguards; we do not require such data for core functionality.

6. Processor Obligations

We will:

• Process Personal Data only on documented instructions unless required by law;
• Ensure personnel are bound by confidentiality;
• Implement appropriate technical and organizational measures per Section 8;
• Assist with Data Subject requests and DPIAs where reasonably required;
• Apply technical and organizational measures including monitoring, audit logs, and abuse prevention consistent with our Security Policy;
• Notify you of legally binding requests for disclosure unless prohibited;
• Cooperate with lawful child-safety and trust & safety obligations where Personal Data is implicated;
• Delete or return Personal Data at termination subject to retention law.

You will not instruct us to process Personal Data in violation of applicable law.

7. Sub-processors

You authorize our use of Sub-processors (cloud hosting, AI providers, email, analytics, payment, support) who implement comparable protections by contract. We remain liable for Sub-processor performance to the extent required by applicable law.

We will provide notice of material Sub-processor changes via website or email. You may object on reasonable grounds relating to data protection; if unresolved, you may terminate affected Processing.

8. Security Measures

We implement measures described in our Security Policy, including access controls, encryption in transit, monitoring, and incident procedures. Measures are reviewed periodically and adjusted for risk.

9. Personal Data Breach

We will notify you without undue delay after confirming a Personal Data breach affecting your workspace data, with information reasonably available to assist your regulatory notifications. You are responsible for notifying authorities and Data Subjects where required.

10. International Transfers

Personal Data may be processed in India and other countries. Where GDPR or UK GDPR applies and transfer requires safeguards, we rely on SCCs, UK IDTA addendum, or other lawful mechanisms. You may request copies of applicable transfer tools where available.

You represent that appropriate notices and consents are obtained for international transfers you instruct.

11. Data Subject Requests

We will assist you in responding to Data Subject rights requests (access, deletion, etc.) through available tools or support, within reasonable timelines. Direct requests to us may be forwarded to you unless legally required otherwise.

12. Deletion & Return

Upon termination or your written request, we will delete or return Personal Data from active systems within a reasonable period, unless retention is required by law, backups (with scheduled purge), or legal hold.

Backup retention is described in our Privacy Policy. Deleted data may persist in backups until rotation.

13. Audits

Upon reasonable notice and subject to confidentiality, you may request information necessary to demonstrate compliance. Audits more than once annually require mutual scheduling; on-site audits may be limited to enterprise plans or replaced by third-party reports where available.

14. Liability

Liability under this DPA is subject to the limitations and exclusions in the Terms. Each party's aggregate liability for claims under this DPA follows the cap in the Terms unless mandatory law requires otherwise.

15. Governing Law

This DPA is governed by the laws of India. Courts in New Delhi, India have jurisdiction, subject to mandatory data protection forums where applicable.

If SCCs are incorporated, they prevail over conflicting terms solely for EU/UK transfer matters to the extent required.

16. Contact

DPA and privacy inquiries: Xzect Labs Private Limited — email contact@newsstudio.io