Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between XI Ventures, Inc. d/b/a RentAI ("Processor" or "RentAI") and the entity agreeing to these terms ("Controller" or "Hirer").
This DPA applies where and to the extent that RentAI processes Personal Data on behalf of the Controller in the course of providing the Service.
1. Introduction
RentAI provides an AI Workforce Operating System through which Hirers may engage AI Staff to perform defined roles. In the course of providing the Service, RentAI may process Personal Data on behalf of Hirers. This DPA sets out the parties' obligations with respect to such processing.
This DPA is designed to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable privacy legislation.
2. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
- "Controller": The Hirer, who determines the purposes and means of processing Personal Data.
- "Processor": RentAI, which processes Personal Data on behalf of the Controller.
- "Sub-Processor": Any third party engaged by RentAI to process Personal Data on behalf of the Controller.
- "Data Subject": An identified or identifiable natural person whose Personal Data is processed.
- "Processing": Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Security Incident": Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
3. Scope and Purpose of Processing
3.1 Nature of Processing
RentAI processes Personal Data as necessary to provide AI Staff services to the Controller, including:
- Receiving and processing data inputs provided by the Controller to AI Staff
- Operating AI Staff to generate Outputs based on Controller data
- Storing Outputs and activity logs in the Hirer Portal
- Generating anonymised Calibration Data from Controller interactions
3.2 Categories of Personal Data
The categories of Personal Data processed depend on the AI Staff hired and may include:
- Business contact information (names, email addresses, phone numbers)
- Business operational data (financial records, customer records, regulatory filings)
- Industry-specific data as determined by the Controller's use of AI Staff
3.3 Categories of Data Subjects
Data Subjects may include:
- Controller's employees and contractors
- Controller's customers and clients
- Third parties whose data is provided by the Controller to AI Staff
4. Obligations of the Processor
RentAI shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Comply with the conditions for engaging Sub-Processors as set out in Section 6
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and consultation obligations
- Delete or return all Personal Data at the end of the service relationship, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
5. Obligations of the Controller
The Controller shall:
- Ensure a lawful basis exists for all Personal Data provided to RentAI for processing
- Provide clear instructions regarding the processing of Personal Data
- Ensure that Data Subjects have been informed about the processing and their rights
- Comply with all applicable data protection laws in relation to the Personal Data
- Not provide special categories of Personal Data (sensitive data) to AI Staff unless explicitly agreed in writing
6. Sub-Processors
6.1 Authorisation
The Controller provides general authorisation for RentAI to engage Sub-Processors. RentAI shall maintain a current list of Sub-Processors and notify the Controller of any intended changes.
6.2 Current Sub-Processors
RentAI currently uses the following categories of Sub-Processors:
- Cloud Infrastructure: Hosting and compute services
- AI Model Providers: Large language model inference (e.g., Anthropic)
- Payment Processing: Stripe for billing and subscription management
- Email Services: Transactional email delivery
6.3 Obligations
RentAI shall impose data protection obligations on all Sub-Processors no less protective than those in this DPA. RentAI remains fully liable for the acts and omissions of its Sub-Processors.
6.4 Objection
The Controller may object to a new Sub-Processor by notifying RentAI in writing within 14 days of receiving notice. If the objection is reasonable and RentAI cannot accommodate it, either party may terminate the affected services.
7. Data Subject Rights
RentAI shall assist the Controller in fulfilling Data Subject rights requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
If RentAI receives a request directly from a Data Subject, RentAI shall promptly redirect the request to the Controller, unless legally required to respond directly.
8. Security Measures
RentAI implements the following technical and organisational measures:
8.1 Technical Measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Network segmentation and firewall controls
- Intrusion detection and prevention systems
- Regular vulnerability scanning and penetration testing
- Automated security patching
8.2 Organisational Measures
- Role-based access control with least-privilege principles
- Security awareness training for all personnel
- Incident response procedures and escalation protocols
- Regular review and testing of security measures
- Secure development lifecycle practices
9. Data Breach Notification
9.1 Notification Timeline
RentAI shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident involving Personal Data.
9.2 Notification Content
The notification shall include:
- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Contact point for further information
- Description of likely consequences
- Description of measures taken or proposed to address the incident
9.3 Cooperation
RentAI shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
10. International Data Transfers
Where Personal Data is transferred outside the Controller's jurisdiction, RentAI shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- UK International Data Transfer Addendum where applicable
- Supplementary measures as necessary based on transfer impact assessments
11. Audit Rights
The Controller may audit RentAI's compliance with this DPA, subject to the following conditions:
- Audits shall be conducted no more than once per year, unless a Security Incident has occurred
- The Controller shall provide at least 30 days' written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt RentAI's operations
- RentAI may satisfy audit requests by providing relevant certifications, audit reports, or SOC 2 reports
12. Data Retention and Deletion
12.1 During the Agreement
RentAI shall retain Personal Data only for as long as necessary to provide the Service and comply with its obligations under this DPA.
12.2 Upon Termination
Upon termination of the service agreement, RentAI shall, at the Controller's choice:
- Return all Personal Data to the Controller in a standard, machine-readable format; or
- Delete all Personal Data within 30 days
RentAI may retain Personal Data to the extent required by applicable law, with appropriate safeguards in place.
12.3 Certification
Upon request, RentAI shall provide written certification that Personal Data has been deleted in accordance with this Section.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service, except that neither party's liability for breaches of data protection law shall be limited below the minimum required by applicable law.
14. Term and Termination
This DPA shall remain in effect for the duration of the service agreement between the parties. It shall automatically terminate upon the termination of the service agreement, subject to the data deletion obligations in Section 12.
15. Contact Information
XI Ventures, Inc. d/b/a RentAI
Data Protection Officer: legal@rentai.now
General Support: support@rentai.now
Security Issues: security@rentai.now