Founding 25 · 2.99 3.99 EUR/month for life · 24 spots left

Data Processing Agreement

Last updated 17 June 2026

This Data Processing Agreement (DPA) applies when you use Xello to process personal data of third parties (for example people named in your Trello cards or comments). For that data you act as the data controller and Xello acts as your data processor. For your own account data, Xello is the controller (see our Privacy Policy). This page should be reviewed by your counsel before you rely on it contractually.

Subject matter and duration

We process personal data on your behalf only to provide the Xello service, for as long as your account is active. On account deletion, the data is deleted (see Retention below).

Our obligations as processor

  • Process personal data only on your documented instructions (your use of the product).
  • Keep the data confidential and ensure our staff are bound by confidentiality.
  • Apply appropriate technical and organisational security measures (see below).
  • Assist you with data-subject requests and with your security and breach obligations.
  • Notify you without undue delay of a personal data breach affecting your data.

Security measures

  • Access tokens encrypted at rest (AES-256-GCM).
  • TLS in transit, HSTS, strict security headers.
  • Session cookies HttpOnly, Secure, SameSite.
  • Server-side request forgery (SSRF) protection on outbound fetches.
  • Encrypted backups on French infrastructure.
  • Least-privilege access and audit logging.

Sub-processors

We use the sub-processors listed on our Sub-processors page. You authorise these and we will give reasonable prior notice before adding a new one so you can object.

International transfers

Where a sub-processor is outside the EU, transfers are covered by EU Standard Contractual Clauses and/or the EU-US Data Privacy Framework.

Data-subject requests and deletion

We help you respond to access, correction, erasure, portability and objection requests. You can delete your account and all Xello-side data yourself from Settings > Plan > Danger zone, or ask us.

Contact

Data-protection requests: privacy@xello.pro.