Data Processing Statement
This Data Processing Statement describes how XEO CO ("Company," "we," "our," or "us") handles and processes personal data in connection with the services we provide to our clients and through the operation of our website (www.xeoco.net). This statement supplements our Privacy Policy and is intended to provide transparency regarding our data processing practices.
1. Our Role in Data Processing
When you visit our website or communicate with us directly, we act as the data controller and determine the purposes and means of processing your personal data.
When we provide professional services to clients that involve access to or processing of their data, we act as a data processor on behalf of the client (the data controller). In such cases, we process data strictly in accordance with the client's documented instructions and the terms of the applicable service agreement.
2. Categories of Data We Process
Depending on the nature of our relationship and the services engaged, we may process the following categories of data.
Contact and identity information such as name, email address, phone number, job title, and company name.
Technical and usage data such as IP address, browser type, device information, and website interaction data.
Project and business data such as technical specifications, system documentation, and business requirements shared during service delivery.
Financial data such as billing details and payment records necessary to process invoices.
We do not process sensitive personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data) unless explicitly required by the scope of a client engagement and documented in a written agreement with appropriate safeguards.
3. Purposes of Processing
We process personal data for the following purposes:
To respond to inquiries, communicate with prospective and existing clients, and manage client relationships.
To deliver, manage, and improve our professional services.
To process payments and maintain financial records.
To operate, secure, and improve our website and digital infrastructure.
To comply with applicable legal and regulatory obligations.
To protect the rights, property, and safety of XEO CO, our clients, and the public.
4. Data Processing Principles
We process personal data in accordance with the following principles:
Lawfulness, Fairness, and Transparency. We process data lawfully and transparently, and we are open about our practices.
Purpose Limitation. We collect and process data only for specified, explicit, and legitimate purposes.
Data Minimization. We collect only the minimum amount of data necessary to achieve the stated purpose.
Accuracy. We take reasonable steps to ensure that personal data is accurate and up to date.
Storage Limitation. We retain data only for as long as necessary to fulfill the applicable purpose, after which it is securely deleted or anonymized.
Integrity and Confidentiality. We implement appropriate technical and organizational measures to protect data against unauthorized access, loss, or destruction.
Accountability. We maintain internal records of our data processing activities and are prepared to demonstrate compliance upon request.
5. Sub-Processors
In the course of providing services, we may engage trusted sub-processors to assist with specific functions such as cloud hosting, analytics, payment processing, or communication tools. All sub-processors are selected based on their ability to provide adequate data protection and are bound by contractual obligations consistent with this statement and applicable data protection laws.
A current list of sub-processors is available upon request.
6. Data Transfers
Our primary operations are based in the United States. If personal data is transferred to us from jurisdictions outside the United States (including the European Area or the United Kingdom), we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms to ensure that personal data receives an adequate level of protection during and after the transfer.
7. Data Security Measures
We implement and maintain appropriate technical and organizational security measures to protect personal data, including but not limited to encryption of data in transit and at rest, role-based access controls, regular security assessments and vulnerability testing, secure development practices, incident response procedures, and employee training on data protection.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in risk to the rights and freedoms of individuals, we will notify affected data controllers and, where required by law, relevant supervisory authorities without undue delay. Notifications will include a description of the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.
9. Data Subject Rights
Individuals whose personal data we process may exercise the rights described in our Privacy Policy, including the right to access, correct, delete, restrict processing of, or port their personal data. Where we process data as a processor on behalf of a client, we will refer data subject requests to the appropriate client (data controller) and assist them in fulfilling those requests in accordance with our contractual obligations.
10. Retention and Deletion
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal and contractual obligations, and resolve disputes. When data is no longer required, it is securely deleted or anonymized in accordance with our internal data retention schedule.
11. Changes to This Statement
We may update this Data Processing Statement from time to time. Changes will be reflected by an updated "Last Updated" date. Continued engagement with our services or website after changes constitutes acknowledgment of the revised statement.
12. Contact Us
If you have questions about our data processing practices, please contact us at:
XEO CO
1401 21st Street STE R, Sacramento, CA 95811, United States
Email: info@xeoco.net