xAI Data Processing Addendum
Last Modified: September 5, 2024
This Data Processing Addendum, including its Appendices (the "DPA"), is incorporated into and forms part of the Enterprise Terms of Service that govern your use of Grok and any and all related products, software, documentation, and online, mobile-enabled, and/or digital services (the "Agreement"). This DPA sets out the terms that apply when xAI processes Customer Data (as defined below) on your behalf in connection with the Service, including any Customer Data that you provide to xAI through our API or other business services.
You enter into this DPA on behalf of yourself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of your affiliates permitted to use the Service under the Agreement. If and to the extent the terms of this DPA conflict with the terms of the Agreement, the terms of this DPA shall control. Unless otherwise defined herein, capitalized terms used in this DPA have the same meaning given to them under the Agreement.
1. Definitions

- "Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Customer Data, which may include European Data Protection Laws and U.S. Privacy Laws.
- "Customer Data" means Personal Data that you provide to xAI in connection with the Service and that we process on your behalf, as described in Appendix 1.
- "Europe" means the European Economic Area and its Member States, Switzerland, and the United Kingdom ("UK").
- "European Data Protection Laws" means all data protection and privacy laws and regulations of Europe, as applicable to the processing of Customer Data, including (i) the General Data Protection Regulation 2016/679 ("GDPR"); (ii) the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, "UK GDPR"); and (iii) the Swiss Federal Act on Data Protection of 2020 and its Ordinance ("Swiss FADP"); as may be amended, superseded, or replaced.
- "Personal Data" has the meaning assigned to the term "personal data" or "personal information" under Applicable Data Protection Laws.
- "Restricted Transfer" means a transfer of Customer Data originating from Europe to a country that does not provide an adequate level of protection for personal data within the meaning of applicable European Data Protection Laws.
- "Security Incident" means a breach of xAI's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data in connection with the Service. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded, or replaced.
- "Subprocessor" means any third-party processor engaged by xAI to process Customer Data in order to provide the Service. Subprocessors do not include xAI's employees, contractors, or consultants.
- "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, as may be amended, superseded, or replaced.
- "U.S. Privacy Laws" means all federal and state data protection and privacy laws and regulations of the United States, as applicable to the processing of Customer Data, including (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), and its implementing regulations ("CCPA"); (ii) the Virginia Consumer Data Protection Act (VA Code Ann. §§ 59.1-575 et seq.) ("VCDPA"); (iii) the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.) and its implementing regulations ("CPA"); (iv) the Connecticut Data Privacy Act (Pub. Act No. 22-15) ("CTDPA"); and (v) the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.) ("UCPA"); in each case when effective and as may be amended, superseded, or replaced.
- The terms "controller", "data subject", "personal data", "process", "processing", "processor", and "supervisory authority" have the meanings given to them under Applicable Data Protection Laws.

2. Processing of Personal Data

2.1 Scope and Roles. This DPA applies to the extent that we process Customer Data on your behalf in connection with the provision of the Service under the Agreement. The parties acknowledge and agree that xAI is a processor and you are a controller or processor of Customer Data, as applicable, under Applicable Data Protection Laws.

2.2 Details of Processing. The subject matter, duration, nature, and purpose of the processing of Customer Data, and the types of Personal Data and categories of data subjects, are described in Appendix 1.

2.3 Your Responsibilities. You shall, in your use of the Service:
- comply with your obligations under Applicable Data Protection Laws, including (i) ensuring that your processing instructions to xAI comply with Applicable Data Protection Laws; and (ii) obtaining all necessary rights, consents, and authorizations required to provide Customer Data to xAI and allow us to process Customer Data as contemplated by the Agreement;
- without prejudice to our security obligations under Section 5.1 (Security Measures), use the Service in a secure manner, including by (i) securing your account authentication credentials; (ii) ensuring the security of systems and devices used to access the Service; and (iii) backing up or retaining copies of Customer Data as appropriate; and
- if you are a processor of Customer Data, (i) warrant that the relevant controller has authorized your engagement of xAI as another processor and approved your processing instructions to us; and (ii) remain responsible for any communications, notifications, assistance, and/or authorizations that may be required in connection with the processing of Customer Data.

2.4 xAI's Responsibilities. We shall comply with our obligations under Applicable Data Protection Laws in our role as a processor and inform you if we cannot or can no longer meet such obligations. As a processor, we agree to:
- process Customer Data solely in accordance with your lawful and documented processing instructions, where such instructions are consistent with the terms of the Agreement;
- inform you if, in our reasonable opinion, your processing instructions infringe Applicable Data Protection Laws;
- if Customer Data is subject to U.S. Privacy Laws, not (i) "sell" or "share" Customer Data (as those terms are defined by the CCPA or equivalent concepts under U.S. Privacy Laws); (ii) retain, use, disclose, or otherwise process Customer Data outside of our direct business relationship; or (iii) combine Customer Data with Personal Data collected or received from or on behalf of any third party; except to the extent necessary to provide the Service or otherwise permitted by U.S. Privacy Laws; and
- if you permit or instruct us to process Customer Data in a deidentified, anonymized, and/or aggregated form, (i) adopt reasonable measures to prevent such information from being used to infer information about, or otherwise being linked to, a particular data subject; (ii) not attempt to reidentify such information except to determine that the information has been effectively deidentified in accordance with Applicable Data Protection Laws; and (iii) contractually obligate any recipients of such information to comply with the requirements of this provision.

2.5 No Assessment of Compliance. Notwithstanding the foregoing, xAI is not responsible for monitoring your compliance with applicable laws or determining if your processing instructions are compliant with applicable laws. Furthermore, we have no obligation to assess Customer Data in order to identify information that is subject to specific legal requirements.

3. Subprocessors

3.1 Appointment of Subprocessors. You agree and provide a general written authorization that xAI may engage Subprocessors to process Customer Data. xAI's list of Subprocessors is available here ("Subprocessor List"). xAI shall (a) enter into a written agreement with each Subprocessor containing data protection obligations that are substantially the same as those in this DPA; and (b) remain liable for any acts or omissions of our Subprocessors that cause us to breach our obligations under this DPA.

3.2 Changes to Subprocessors. If you subscribe to receive email notifications as provided on our Subprocessor List, where available, then xAI will notify you if we add or replace Subprocessors at least fifteen (15) days before such changes take effect. You may object on reasonable grounds relating to data protection to our engagement of any new or replacement Subprocessor by informing us in writing within fifteen (15) days after receiving notice. Such notice shall explain the reasonable grounds for the objection. The parties shall discuss the objections in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, xAI will, at its sole discretion, either not appoint the Subprocessor or permit you to terminate the affected part of the Service in accordance with the termination provisions under the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to such termination). This termination right is your sole and exclusive remedy if you object to any new or replacement Subprocessor. If you do not exercise your right to object in the terms defined above, your silence shall be deemed to constitute an approval of such engagement.

4. Confidentiality

4.1 Confidentiality. We shall ensure that any persons authorized to process Customer Data are subject to a duty of confidentiality that survives the termination of their employment and/or contractual relationship.

4.2 Government Requests. We shall not disclose Customer Data to any law enforcement agency or government authority (collectively, "Government Authority") unless instructed by you or as necessary to comply with applicable laws or a valid and binding order of a Government Authority, such as a subpoena or court order. If a Government Authority requests access to Customer Data, and unless legally prohibited from doing so, we shall (a) inform the Government Authority that xAI is a processor and attempt to redirect the Government Authority to you (and we may provide your basic contact information to the Government Authority for such purposes); or (b) in the event such redirection is not possible, notify you of the request to allow you to seek a protective order or other appropriate remedy. If we are legally compelled to respond to the request, we shall review the legality of the request and determine whether the request may be challenged. In any event, we shall only disclose the minimum information required to comply with the request.

5. Security

5.1 Security Measures. We shall implement and maintain reasonable technical and organizational measures, as appropriate to the processing of Customer Data, that are designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents, as further described in Appendix 2 ("Security Measures"). We may update or modify the Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Service.

5.2 Audits and Security Certifications. Upon written request, and subject to reasonable notice and confidentiality agreements, we shall provide you with access to reasonably requested documentation to demonstrate our compliance with this DPA, including providing copies of any certifications, audit reports, and/or other relevant documentation. Where appropriate, we may instead make available a summary of the results of third-party certifications and/or audits relevant to our compliance with this DPA.

5.3 Incident Notification. We will notify you without undue delay after we become aware of any Security Incident for which notification is required under Applicable Data Protection Laws. Such notification will describe the nature of the Security Incident and include other relevant information that we are reasonably able to disclose, taking into account the nature of the Service, the information available to us, and any restrictions on disclosing the information (such as confidentiality). Any notification that we provide relating to Security Incidents shall not be construed as an acknowledgement by xAI of any fault or liability.

6. Data Subject Rights Requests

To the extent required under Applicable Data Protection Laws and taking into account the nature of the Service, and insofar as you cannot respond using functionality made available through the Service, we shall provide you with reasonable assistance to enable you to respond to requests from data subjects seeking to exercise their rights under Applicable Data Protection Laws. In the event that we receive such requests from data subjects directly, we will promptly notify you and not respond directly to the data subject without your prior written authorization, except to inform the data subject that we are a processor and direct them to contact you.

7. Data Protection Impact Assessments

Upon reasonable written request, and to the extent required under Applicable Data Protection Laws, we shall, considering the nature of the processing and the information available to xAI, provide you with reasonable cooperation and assistance necessary to fulfill your obligation to carry out data protection impact assessments and consult with supervisory authorities related to your use of the Service. We shall comply with the foregoing by (i) complying with Section 5.2 (Audits and Security Certifications); (ii) providing the information contained in the Agreement (including this DPA); or (iii) upon request, if the information provided under sub-sections (i) and (ii) is insufficient for you to fulfill such obligations, providing additional reasonable cooperation and assistance.

8. International Data Transfers

8.1 International Data Transfers. You acknowledge and agree that xAI may transfer and process Customer Data outside Europe as necessary to provide the Service, including in the United States and other countries where xAI and its Subprocessors maintain data processing operations. We shall take all such measures as are necessary to ensure such transfers are made in compliance with Applicable Data Protection Laws.

8.2 Standard Contractual Clauses. To the extent that your transfer of Customer Data to xAI involves a Restricted Transfer, the SCCs shall be incorporated and form an integral part of the DPA as follows:

(a) EU Transfers. In relation to Customer Data that is subject to the GDPR: (i) Module Two (Controller to Processor) or Module Three (Processor to Processor) shall apply, as applicable; (ii) in Clause 7, the optional docking clause shall apply; (iii) in Clause 9, Option 2 shall apply and the time period for prior notice of Subprocessor changes is set out in Section 3.2 (Changes to Subprocessors); (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the laws of the Republic of Ireland; (vi) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; and (vii) Annexes I and II of the SCCs shall be deemed completed with the information set out in Appendices 1 and 2 of this DPA respectively.

(b) UK Transfers. In relation to Customer Data that is subject to the UK GDPR, the SCCs shall apply in accordance with Section 8.2(a) (EU Transfers) and as modified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum. Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out in Appendices 1 and 2 of this DPA respectively, and Table 4 shall be deemed completed by selecting "neither party".

(c) Swiss Transfers. In relation to Customer Data that is subject to the Swiss FADP, the SCCs shall apply in accordance with Section 8.2(a) (EU Transfers) and the following modifications: (i) references to "Regulation (EU) 2016/679" and specific articles therein shall be replaced with references to the Swiss FADP and the equivalent articles or sections therein; (ii) references to "EU", "Union" and "Member State" shall be replaced with references to "Switzerland"; (iii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner; (iv) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland"; and (v) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the applicable courts of Switzerland.

9. Return and Deletion of Customer Data

Upon termination of the Agreement, we shall delete any Customer Data in our possession in accordance with the Agreement, except to the extent that we are required to retain copies under applicable laws, in which case we shall isolate and protect such Customer Data from any further processing except to the extent required by applicable laws. For clarity, xAI may continue to process information derived from Customer Data that you have instructed us to deidentify, anonymize, and/or aggregate such that the data is no longer considered personal data under Applicable Data Protection Laws.

10. General Provisions

10.1 Legal Effect; Term. This DPA is an addendum to and incorporated into the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. This DPA supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between the parties, whether written or verbal, regarding the subject matter of this DPA, including any data processing addenda previously entered into between the parties. This DPA shall continue in force until the termination of the Agreement and so long as xAI continues to process Customer Data on your behalf.

10.2 Limitation of Liability. The liability of each party under this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set out in the Agreement. In no event does this DPA restrict or limit the rights of any data subject under Applicable Data Protection Laws.

10.3 Disclosure of this DPA. You acknowledge that xAI may disclose this DPA and any relevant privacy provisions of the Agreement to a supervisory authority or other judicial or regulatory body upon request.

10.4 Changes to this DPA. We may, in our sole discretion, modify or update this DPA from time to time, and so you should review this page periodically. When we change this DPA in a material manner, we will update the "last modified" date at the top of this page and notify you that material changes have been made to this DPA. Your continued use of the Service after any change to this DPA constitutes your acceptance of the new DPA. If you do not agree to any part of this DPA or to any future DPA, do not access or use (or continue to access or use) the Service.

10.5 Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions of the Agreement, unless otherwise required by this DPA or Applicable Data Protection Laws.

Appendix 1: Description of the Processing
This Appendix describes the processing of Customer Data by the parties in connection with the Service and forms an integral part of the Agreement. Unless otherwise defined herein, capitalized terms in this Appendix have the same meaning ascribed to them in the Agreement.
(A) List of parties
Data Exporter | |
---|---|
Name: | The data exporter is the entity identified as the Customer in the applicable registration documents for the Service. |
Address: | The data exporter's address is set out in the applicable registration documents for the Service. |
Contact person's name, position, and contact details: | The data exporter's contact information is set out in the applicable registration documents for the Service. |
Activities relevant to data transferred under these Clauses: | Processing activities in receiving the Service as set out in the Agreement. |
Role (controller / processor): | Controller / Processor |

Data Importer | |
---|---|
Name: | X.AI Corp. |
Address: | 216 Park Road, Burlingame, California, 94010, United States |
Contact person's name, position, and contact details: | Head of Legal, Legal, xAI, 216 Park Rd., Burlingame, CA 94010, privacy+enterprise@x.ai |
Activities relevant to data transferred under these Clauses: | Processing activities in providing the Service as set out in the Agreement. |
Role (controller / processor): | Processor |
(B) Description of the transfer
Item | Description |
---|---|
Categories of data subjects: | End users of the data exporter's products, services, or applications that access the Service and whose information is provided to xAI through the xAI API or other business services. |
Categories of personal data or personal information: | The information processed through the Service is determined and controlled by the data exporter in its sole discretion. Such information may include Personal Data incidentally included within Inputs (i.e., information actively provided to Grok) and Outputs (i.e., responses generated by Grok). |
Sensitive data (if applicable) and applied restrictions or safeguards: | The information processed through the Service is determined and controlled by the data exporter in its sole discretion. Subject to any applicable restrictions and/or conditions in the Agreement, such information may include sensitive data incidentally included within Inputs and Outputs, such as Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, or data relating to criminal offenses or convictions. See Appendix 2 for applied restrictions and safeguards for sensitive data. |
Frequency of the transfer: | Continuous |
Nature of the processing: | Collection, storage, organization, modification, retrieval, disclosure, communication, and other processing in performance of the Service as set out in the Agreement. |
Purpose(s) and subject matter of the transfer and further processing: | Processing activities in performance of the Service as set out in the Agreement, including accessing Grok via our API. |
Period and duration for which the personal data or personal information will be processed and retained: | In accordance with Section 9 (Return and Deletion of Customer Data) of the DPA. |
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: | Performance of the Service pursuant to the Agreement. |
(C) Competent supervisory authority
For the purposes of the SCCs, the competent supervisory authority shall be determined in accordance with the GDPR.
Appendix 2: Security Measures
This Appendix describes the technical and organizational measures implemented by xAI to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and forms an integral part of the Agreement. Unless otherwise defined herein, capitalized terms in this Appendix have the same meaning ascribed to them in the Agreement.
The following table provides examples of the technical and organizational measures implemented by xAI.
Type of measure | Description of measure |
---|---|
Measures of pseudonymisation and encryption of personal data | All Customer Data is pseudonymised using per-customer hashed identifiers, and encrypted at rest and in transit using industry-standard encryption (AES-256 for data at rest and TLS 1.3 for data in transit). |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Access to Customer Data is restricted to authorized personnel only, and all personnel with access are subject to confidentiality agreements. Background checks are performed (where legally permissible) on employees with access to Customer Data. Employees are subject to annual security training. Access to Customer Data and any identifying information is further restricted through the use of hash-based pseudonymisation. Technical controls are in place to restrict access to data and systems based on job functions and authority levels (e.g., in accordance with "least privilege" and "need-to-know" principles, use of unique identities for each user, enforcement of password complexity requirements, and revocation of access upon termination or change in job function). Regular reviews of user access rights are performed to identify and remove invalid or inactive users and accounts. Customer Data is continuously backed up, and access controls are implemented to prevent unauthorized modification or access. Regular data integrity checks are performed to ensure the accuracy and completeness of the data. As an additional measure, Customer Data is versioned and encrypted such that it is possible to revert to a previous state while verifying integrity. Excessive authentication failures result in account lockout requiring administrator reset. Redundant systems and data centers are used to ensure high availability, and regular testing and maintenance are performed to prevent system failures. Disaster recovery / business continuity plans are in place to ensure prompt recovery in the event of an emergency or disaster. Regular security assessments and penetration tests are performed to identify and address vulnerabilities. Regular training and awareness programs are conducted for personnel to ensure they are aware of security best practices and threats. Regular monitoring and review of the processing systems and services is performed to ensure compliance with this DPA and Applicable Data Protection Laws. Any identified issues are promptly addressed and remediated by the Security Incident Response Team. |
Measures for ensuring the ability to restore the availability and access to Personal data in a timely manner in the event of a physical or technical incident | Customer Data is backed up continuously with verifiable hashes allowing for verification of backup integrity. Multiple geographic zones are in place to ensure service availability is not impacted by a single point of failure. Incident management procedures, as well as business continuity and disaster recovery plans, are in place. Customer Data is versioned and encrypted such that it is possible to revert to a previous state, while verifying integrity. |
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing | Technical: Product Security, Enterprise Security and Infrastructure Security reviews are performed on a continuous basis. Penetration testing is conducted by a third party on a yearly basis to ensure the robustness of the organization's security controls. Organizational: Yearly disaster recovery and business continuity testing is performed to assess the resilience of our systems. Security awareness training is conducted yearly for all employees, and Secure Development & Data Handling training is provided to employees with access to Customer Data. All employees must complete an assessment following completion of the training. |
Measures for user identification and authorization | Access to the platform is restricted by authentication and authorization policies, implemented within our software stack. Identification is performed by verifying the email and domain of the party accessing the platform. After the party is identified authorization checks are performed to determine the level of access and workspaces which the party has access to. Workspace administrators (customers) are able to authorize additional parties as they see fit. |
Measures for the protection of data during transmission | Before data can be transmitted, authentication and authorization take place in order to verify data access rights. Following authorization, a per customer decryption key is used to retrieve the required data, and it is transmitted over a TLS 1.3 encrypted channel. |
Measures for the protection of data during storage | All Customer Data is stored at rest subject to strict access control. Access to areas housing Customer Data is limited to services necessary to process the data and to employees with a need to know. Detailed logging and monitoring are applied to Customer Data stores, and alerting is in place to immediately notify the Security Incident Response Team of anomalous access. Customer Data at rest is encrypted with per-customer AES-256 keys. These keys are only handled by machine-based services and are not made available to any employees. |
Measures for ensuring physical security of locations at which personal data are processed | All xAI facilities are subject to strong physical access requirements. These include restricted entry, controlled ingress, identification of personnel, video surveillance of common areas, and 24/7 physical security monitoring. |
Measures for ensuring events logging | Customer Data access is monitored at multiple points throughout its lifecycle, and centralized in a Security Information and Event Management (SIEM) system. Storage buckets containing data are monitored continuously in real time through immutable monitoring controls. |
Measures for ensuring system configuration, including default configuration | Immutable design principles are in place to ensure that all systems are built in an approved, change-controlled manner. System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications. A Change Management Policy has been implemented. After systems are deployed, access is restricted such that the integrity of the system infrastructure is not negatively impacted. If any integrity or security issues are discovered, the system can safely be rolled back to a previous state. |
Measures for internal IT and IT security governance and management and Measures for certification/assurance of processes and products | xAI has in place a written information security policy, including supporting documentation. xAI has a team dedicated to information security, led by the Head of Security. xAI has adopted the NIST 800-171 Rev.3 framework as a baseline for our internal security standards. |
Measures for ensuring data minimization | Only the information necessary to provide the Service is collected during your use of xAI systems, and all Customer Data is accessed using only pseudonymous identifiers. Additionally, data masking is utilized across all systems to ensure Customer Data is not accessed using sensitive identifiers. |
Measures for ensuring data quality | Stress tests of the Grok production system are conducted at ten (10) times the expected user base. The purpose of the test is to simulate concurrent access to Grok in order to improve site stability and confirm that the current production system can support the intended target user base. |
Measures for ensuring limited data retention | Our data retention period is at the customer's discretion with respect to their user data, subject to legal requirements. Customers are able to delete their data at will. Following a data deletion request, our systems automatically delete all login data, prompt/response pairs, and billing information stored within our systems, typically within 72 hours. |
Measures for ensuring accountability | xAI has established enterprise support and Information Security functions, with established direct lines of contact. xAI's security team is reachable via email at security@x.ai or support@x.ai. |
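Two of the measures in the table above, per-customer hashed identifiers and versioned Customer Data that can be reverted while verifying integrity, are described as controls rather than as code. The following is an added illustration written for this page; it is not xAI's implementation and makes no claim about how the Service is built. It uses only the Python standard library, so the AES-256 at rest and TLS 1.3 in transit layers are not reproduced. The pseudonym is a keyed HMAC-SHA256 under a per-customer secret rather than a bare hash, which is the form a practitioner would want: an unkeyed hash of a low-entropy identifier such as an e-mail address can be reversed by hashing a list of candidates, and keying per customer also stops records being joined across tenants by pseudonym. The version history is a hash chain, so a revert refuses any version whose payload or ancestry has been altered. All keys, identifiers and payloads are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


def pseudonymise(customer_key: bytes, end_user_id: str) -> str:
    """Per-customer pseudonym for an end-user identifier (HMAC-SHA256).

    Without customer_key an attacker cannot recover end_user_id by hashing a
    list of likely identifiers, and the same end user maps to unrelated
    pseudonyms under different customers' keys.
    """
    return hmac.new(customer_key, end_user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def record_digest(number: int, prev_digest: str, payload: bytes) -> str:
    """SHA-256 over the version number, the previous version's digest and the
    payload, so each digest commits to the entire history before it."""
    h = hashlib.sha256()
    h.update(number.to_bytes(8, "big"))
    h.update(prev_digest.encode("ascii"))
    h.update(payload)
    return h.hexdigest()


@dataclass
class Version:
    number: int
    prev_digest: str  # "" for the first version
    payload: bytes
    digest: str


class VersionedStore:
    """Append-only, hash-chained version history for one customer's record."""

    def __init__(self) -> None:
        self.versions: list[Version] = []

    def put(self, payload: bytes) -> Version:
        prev = self.versions[-1].digest if self.versions else ""
        number = len(self.versions) + 1
        version = Version(number, prev, payload, record_digest(number, prev, payload))
        self.versions.append(version)
        return version

    def verify(self) -> bool:
        """Recompute every digest and check the chain links; an edited payload,
        a reordered version or a broken link all make this False."""
        prev = ""
        for expected, v in enumerate(self.versions, start=1):
            if v.number != expected or v.prev_digest != prev:
                return False
            if not hmac.compare_digest(record_digest(v.number, v.prev_digest, v.payload), v.digest):
                return False
            prev = v.digest
        return True

    def revert(self, number: int) -> bytes:
        """Return the payload of version `number`, refusing if the chain does not
        verify so that a tampered backup is never silently restored."""
        if not self.verify():
            raise ValueError("version chain failed integrity verification")
        if not 1 <= number <= len(self.versions):
            raise IndexError(f"no version {number}")
        return self.versions[number - 1].payload


def demo() -> dict:
    """Exercise both measures on constructed sample data; returns the observations."""
    # Constructed sample per-customer secrets (in practice held by a KMS, not in code).
    key_a = b"customer-a-secret-key-0123456789abcdef"
    key_b = b"customer-b-secret-key-fedcba9876543210"
    user = "alice@example.com"  # constructed sample end-user identifier
    pseud_a = pseudonymise(key_a, user)
    pseud_b = pseudonymise(key_b, user)

    store = VersionedStore()
    store.put(b'{"pseudonym": "%s", "plan": "trial"}' % pseud_a.encode())
    store.put(b'{"pseudonym": "%s", "plan": "enterprise"}' % pseud_a.encode())
    intact = store.verify()
    reverted = store.revert(1)

    # Corrupt the first stored version and confirm the revert refuses it.
    store.versions[0].payload = store.versions[0].payload.replace(b"trial", b"free")
    try:
        store.revert(1)
        refused = False
    except ValueError:
        refused = True

    return {
        "same_user_differs_per_customer": pseud_a != pseud_b,
        "pseudonym_is_stable": pseudonymise(key_a, user) == pseud_a,
        "chain_verified_before_tamper": intact,
        "reverted_to_trial_plan": b"trial" in reverted,
        "tampered_revert_refused": refused,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The digest covers the version number and the previous digest as well as the payload, so an attacker who can rewrite a stored blob cannot also truncate or reorder history without breaking the chain; the check uses hmac.compare_digest to avoid leaking which prefix of a digest matched. Integrity here protects against unnoticed corruption or modification, not against an attacker who can also rewrite every later digest; pinning the latest digest somewhere the storage path cannot write to (an audit log or signed manifest) closes that gap.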