In short: if your organization uses Aion for others (Team or Enterprise), this addendum sets out how we process personal data on your behalf under Article 28 of the GDPR.
1. Roles
The customer is the data controller. Xheight is the data processor (or, for CCPA, the service provider) and processes personal data only on the customer's documented instructions.
2. Scope of processing
- Subject matter: providing the Aion service.
- Duration: the term of the agreement.
- Nature and purpose: AI-assisted vision support for end users.
- Data subjects: the customer's authorized users.
- Data categories: account data, and, where enabled, voice, image, location, and biometric data.
3. Our commitments
- Confidentiality and appropriate security, including encryption of sensitive data.
- Special protection for biometric data: encrypted, never plaintext, never returned to the client.
- Help with data-subject requests and breach notification.
- Use of authorized subprocessors only — see subprocessors.
- Deletion or return of data at the end of the agreement.
4. International transfers
Where personal data is transferred internationally, we rely on Standard Contractual Clauses and the UK Addendum, with additional safeguards as needed.
5. How to execute
To put this addendum in place, contact legal@xheight.com.