Data Processing Addendum

Last updated: May 28, 2026

This Data Processing Addendum forms part of the agreement between Xaion Labs, LLC and the customer using DoneDock where DoneDock processes Customer Personal Data on behalf of the customer.

1. Definitions

"Customer Personal Data" means personal data that Customer submits to DoneDock for processing through the service. "Process" and "Processing" mean any operation performed on Customer Personal Data. "Applicable Data Protection Laws" means privacy, data protection, and data security laws applicable to the processing.

2. Roles and scope

Customer is the controller or business, and DoneDock is the processor or service provider, with respect to Customer Personal Data processed to provide the service. DoneDock may separately act as controller for account, billing, website, analytics, security, and business operations data as described in the Privacy Policy.

3. Customer instructions

Customer instructs DoneDock to process Customer Personal Data as necessary to provide, secure, support, maintain, and improve the service, including running workflows, using connected services, processing AI requests, storing workflow records, and performing related support activities.

4. Customer responsibilities

Customer is responsible for the lawfulness of Customer Personal Data, workflow configuration, integration permissions, notices, consents, legal bases, data subject requests, and instructions provided to DoneDock.

5. Confidentiality and personnel

DoneDock will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality duties.

6. Security measures

DoneDock will maintain administrative, technical, and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures may include access controls, encryption in transit, credential protection, logging, backup controls, vulnerability management, and incident response processes.

7. Subprocessors

Customer authorizes DoneDock to use subprocessors to provide the service. DoneDock will maintain a list of subprocessors at Subprocessors and will use commercially reasonable efforts to impose data protection obligations on subprocessors that are materially consistent with this Addendum.

8. Data subject requests

DoneDock will provide reasonable assistance, taking into account the nature of the processing and information available to DoneDock, to help Customer respond to data subject requests. Customer is responsible for responding to requests unless DoneDock is legally required to respond directly.

9. Security incidents

DoneDock will notify Customer without undue delay after confirming a security incident affecting Customer Personal Data. DoneDock will provide information reasonably available to help Customer meet its legal obligations, provided that such notice will not be construed as an admission of fault or liability.

10. Return and deletion

Upon termination of the service, DoneDock will delete or return Customer Personal Data in accordance with the agreement and applicable law, except where retention is required for legal, security, backup, dispute-resolution, or compliance purposes.

11. International transfers

Where Customer Personal Data is transferred internationally and transfer safeguards are required, the parties will rely on applicable standard contractual clauses or another lawful transfer mechanism.

12. Audit and compliance

DoneDock will make available information reasonably necessary to demonstrate compliance with this Addendum. Any audit must be reasonable, limited in scope, subject to confidentiality, and conducted without disrupting DoneDock's operations or compromising other customers' data.

Annex 1: Processing details

Subject matter AI-powered task automation and workflow execution.
Duration The term of the customer's use of DoneDock.
Categories of data subjects Customer users, team members, contacts, customers, vendors, and other individuals whose data is processed through workflows.
Categories of data Account data, workflow data, connected-account content, files, messages, logs, prompts, outputs, and metadata.
Processing activities Collection, storage, retrieval, transmission, analysis, transformation, generation, deletion, and workflow execution.

Contact

Questions about this Addendum may be sent to info@donedock.com.