Legal
GDPR
A practical summary of XYLEX data protection roles, lawful bases, transfer approach, and support for European data subject rights.
This page is a public overview, not a substitute for a signed data processing agreement or legal advice tailored to a specific deployment.
Applicability
This page explains how XYLEX approaches personal data processing subject to the General Data Protection Regulation and related UK or EEA data protection laws.
The GDPR, the UK GDPR, or comparable Swiss data protection law may apply when XYLEX offers services to organizations or individuals in the European Economic Area, the United Kingdom, or Switzerland, or when processing activities are otherwise subject to those laws.
This page is intended as an operational summary for customers and counsel. It should be read together with our Privacy Policy, Data Processing Addendum, and any signed customer agreement.
Controller and Processor Roles
XYLEX may act as either a controller or a processor depending on the processing context.
- XYLEX acts as a controller for business operations data such as sales contacts, marketing subscriptions, supplier contacts, billing data, security logs, and website analytics used for our own purposes.
- XYLEX acts as a processor when handling customer content or other personal data solely on documented instructions from a customer that determines the purposes and means of processing.
- Customers remain responsible for their own notices, lawful basis analysis, and internal governance where they act as controllers.
Lawful Bases
Where XYLEX acts as a controller, we rely on lawful bases recognized by applicable data protection law.
- Contract necessity for onboarding, service delivery, billing, and account administration.
- Legitimate interests for core security operations, service improvement, fraud prevention, customer relationship management, and business administration, where those interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
- Legal obligation where processing is required for tax, accounting, sanctions screening, law enforcement response, or other compliance duties.
- Consent where required, such as certain marketing communications or optional analytics and cookie settings.
Data Subject Rights
Individuals may have rights under the GDPR to access, correct, erase, restrict, object to, or port certain personal data.
Where applicable, you may request that we:
- confirm whether we process your personal data;
- provide access to or a copy of relevant personal data;
- correct inaccurate or incomplete information;
- erase personal data where a valid ground for erasure exists;
- restrict processing pending resolution of a dispute;
- provide personal data in a structured, commonly used, machine-readable format where the right applies, and transmit it directly to another controller where technically feasible; and
- honor objections to processing where the law requires it.
We aim to respond within the time periods required by applicable law, typically within one month of receiving a GDPR request, subject to identity verification; where requests are complex or numerous, this period may be extended by up to two further months, and we will tell you if an extension applies.
Processor Commitments
When XYLEX acts as a processor, we support controller obligations through documented instructions and contractual controls. Specifically, we commit to:
- process personal data only on documented customer instructions;
- ensure personnel handling customer data are bound by appropriate confidentiality obligations;
- implement technical and organizational measures appropriate to the risk;
- assist customers, taking into account the nature of processing, with data subject requests, incident response, and impact assessments; and
- delete or return personal data at the end of the services where required by contract or law.
International Transfers
Cross-border transfers are managed using transfer mechanisms and supplementary safeguards appropriate to the circumstances.
Where personal data is transferred outside the EEA, UK, or Switzerland, XYLEX may rely on standard contractual clauses, local addenda to those clauses, adequacy decisions, or other recognized transfer mechanisms. We may also apply supplementary technical, contractual, and organizational protections where a transfer assessment indicates they are appropriate.
Customers with transfer-specific contractual requirements should refer to the applicable DPA or signed agreement.
Accountability and Security
GDPR compliance depends on both governance and operational controls.
- We maintain policies and procedures designed to support privacy by design, access limitation, security monitoring, and responsible vendor management.
- We review subprocessors and require appropriate contractual protections before they receive personal data for service delivery.
- We maintain incident management processes intended to support containment, assessment, remediation, and legally required notifications.
More detail appears on our Security page.
Requests and Complaints
Data protection questions and rights requests can be submitted directly to XYLEX.
Please submit requests through our contact page and clearly mark them as privacy or GDPR matters. We may request additional information to verify identity and confirm the scope of the request.
If you believe your rights have been infringed, you may also lodge a complaint with the competent supervisory authority in your jurisdiction.