Data Processing Addendum
Last updated: May 28, 2026
This Data Processing Addendum forms part of the agreement between Xaion Labs, LLC and the customer using DoneDock where DoneDock processes Customer Personal Data on behalf of the customer.
1. Definitions
"Customer Personal Data" means personal data that Customer submits to DoneDock for processing through the service. "Process" and "Processing" mean any operation performed on Customer Personal Data. "Applicable Data Protection Laws" means privacy, data protection, and data security laws applicable to the processing.
2. Roles and scope
Customer is the controller or business, and DoneDock is the processor or service provider, with respect to Customer Personal Data processed to provide the service. DoneDock may separately act as controller for account, billing, website, analytics, security, and business operations data as described in the Privacy Policy.
3. Customer instructions
Customer instructs DoneDock to process Customer Personal Data as necessary to provide, secure, support, maintain, and improve the service, including running workflows, using connected services, processing AI requests, storing workflow records, and performing related support activities.
4. Customer responsibilities
Customer is responsible for the lawfulness of Customer Personal Data, workflow configuration, integration permissions, notices, consents, legal bases, data subject requests, and instructions provided to DoneDock.
5. Confidentiality and personnel
DoneDock will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality duties.
6. Security measures
DoneDock will maintain administrative, technical, and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures may include access controls, encryption in transit, credential protection, logging, backup controls, vulnerability management, and incident response processes.
7. Subprocessors
Customer authorizes DoneDock to use subprocessors to provide the service. DoneDock will maintain a list of subprocessors at Subprocessors and will use commercially reasonable efforts to impose data protection obligations on subprocessors that are materially consistent with this Addendum.
8. Data subject requests
DoneDock will provide reasonable assistance, taking into account the nature of the processing and information available to DoneDock, to help Customer respond to data subject requests. Customer is responsible for responding to requests unless DoneDock is legally required to respond directly.
9. Security incidents
DoneDock will notify Customer without undue delay after confirming a security incident affecting Customer Personal Data. DoneDock will provide information reasonably available to help Customer meet its legal obligations, provided that such notice will not be construed as an admission of fault or liability.
10. Return and deletion
Upon termination of the service, DoneDock will delete or return Customer Personal Data in accordance with the agreement and applicable law, except where retention is required for legal, security, backup, dispute-resolution, or compliance purposes.
11. International transfers
Where Customer Personal Data is transferred internationally and transfer safeguards are required, the parties will rely on applicable standard contractual clauses or another lawful transfer mechanism.
12. Audit and compliance
DoneDock will make available information reasonably necessary to demonstrate compliance with this Addendum. Any audit must be reasonable, limited in scope, subject to confidentiality, and conducted without disrupting DoneDock's operations or compromising other customers' data.
Annex 1: Processing details
| Subject matter | AI-powered task automation and workflow execution. |
|---|---|
| Duration | The term of the customer's use of DoneDock. |
| Categories of data subjects | Customer users, team members, contacts, customers, vendors, and other individuals whose data is processed through workflows. |
| Categories of data | Account data, workflow data, connected-account content, files, messages, logs, prompts, outputs, and metadata. |
| Processing activities | Collection, storage, retrieval, transmission, analysis, transformation, generation, deletion, and workflow execution. |
Contact
Questions about this Addendum may be sent to info@donedock.com.