Draft
This document is under review and not yet final. It will be replaced with a finalized version before paid subscriptions begin.
Data Processing Agreement
Last Updated: May 30, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service and applies where Next Orion LLC ("Next Orion," "we," "us") processes personal data on behalf of a Customer in the course of providing the XION8 platform ("the Service").
1. Roles of the Parties
The Customer is the data controller and Next Orion LLC is the data processor. We process customer data only to provide the Service and only on the Customer's documented instructions, including as set out in the Terms of Service and this DPA.
2. Scope and Purpose of Processing
The nature and purpose of processing is the delivery of XION8's remote monitoring and management (RMM) and managed-compliance services. The types of data processed include account, device, configuration, monitoring, and compliance data. The categories of data subjects include the Customer's personnel and the users of the Customer's managed endpoints.
3. Sub-processors
Next Orion LLC uses the sub-processors listed at /legal/subprocessors. The Customer authorizes the use of these sub-processors. We give advance notice of changes to that list as described on that page, and we remain responsible for our sub-processors' compliance with this DPA.
4. Confidentiality
Our personnel who are authorized to process customer data are bound by appropriate obligations of confidentiality.
5. Security
Next Orion LLC maintains technical and organizational measures designed to protect customer data, including tenant isolation, secrets management, encryption in transit, role-based access controls, and multi-factor authentication. Further detail is available on our Security and Trust page.
6. Personal Data Breach
Next Orion LLC will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer's data, and will provide information reasonably available to assist the Customer in meeting its own notification obligations.
7. Data Subject Requests
Taking into account the nature of the processing, Next Orion LLC will assist the Customer in responding to requests from data subjects exercising their rights under applicable data-protection law.
8. International Transfers
Customer data is processed in the United States. Where EU or UK personal data is involved, the parties rely on Standard Contractual Clauses or another lawful transfer mechanism.
9. Return and Deletion of Data
On termination, customer data is returned or deleted in accordance with the Data Export on Termination section of the Terms of Service — a 30-day retrieval window, with full deletion completed by 90 days after termination.
10. Audit
Next Orion LLC will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.
11. Contact
Next Orion LLC
PO Box 783, Edna, TX 77957
[email protected]