Data Processing Agreement

This Data Processing Agreement governs the processing of personal data by AgentIA on behalf of its customers.

Last updated: March 18, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller ("Customer"): The entity or individual that has agreed to the AgentIA Terms of Use and uses the AgentIA platform.
  • Data Processor ("AgentIA"): The operator of the AgentIA platform, accessible at agentia.work.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.
  • Sub-Processor: A third party engaged by AgentIA to process Personal Data on behalf of the Customer.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.

3. Scope of Processing

AgentIA processes Personal Data solely for the purpose of providing the AgentIA platform service to the Customer. This includes:

  • Categories of data subjects: Customer's employees, end users, and contacts
  • Types of personal data: Name, email address, job title, company name, IP address, browser metadata, usage logs
  • Purpose: Account management, service delivery, analytics, and customer support
  • Duration: For the duration of the Customer's use of the service, plus any legally required retention period

4. Processor Obligations

AgentIA shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Assist the Customer in fulfilling obligations related to data subject rights (access, rectification, erasure, portability)
  • Delete or return all Personal Data at the end of the service relationship, at the Customer's choice
  • Make available all information necessary to demonstrate compliance with GDPR Article 28

5. Sub-Processors

AgentIA's current sub-processors may include the following providers, depending on the service configuration in use:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting & CDN | Depends on deployment |
| Neon | Database hosting | Current configured database region |
| Clerk | Authentication & identity | US / other configured regions |
| Brevo | Transactional email | EU |
| MailerLite | Email list management | EU |
| Google Analytics | Optional usage analytics | US, only when enabled |

AgentIA will make materially relevant sub-processor changes available to customers through updated documentation or direct notice, as appropriate.

6. Data Security Measures

AgentIA implements the following security measures:

  • Encryption in transit: TLS 1.2+ for all data transmission
  • Encryption at rest: provider-managed encryption for persisted data stores
  • Access control: authenticated access controls and user/session scoping
  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security
  • Bot protection: Cloudflare Turnstile on selected forms
  • Webhook verification: Svix signature validation
  • Environment isolation: secrets stored in environment variables

7. Data Breach Notification

In the event of a Data Breach affecting Customer Personal Data, AgentIA shall:

  • Notify the Customer without undue delay after becoming aware of the confirmed breach
  • Provide the information reasonably available at the time, including the nature of the breach, likely impact, and remediation steps taken or proposed
  • Cooperate with the Customer and provide reasonable assistance in relation to applicable notification obligations under GDPR Articles 33 and 34

8. Data Subject Rights

AgentIA shall assist the Customer in responding to data subject requests under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Requests will be processed within 30 days of receipt.

9. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), AgentIA seeks to ensure that appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Vendor contractual commitments and transfer-risk assessments where appropriate
  • Additional technical or organizational safeguards based on the nature of the processing

10. Termination & Data Deletion

Upon termination of the service agreement:

  • AgentIA will cease processing Personal Data within 30 days
  • At the Customer's request, AgentIA will delete or return all Personal Data
  • AgentIA may retain Personal Data only where required by applicable law, and only for the duration required
  • Confirmation of deletion will be provided upon request

11. Contact

For DPA-related inquiries, to request a signed copy, or to exercise rights under this agreement:

  • Email: security@agentia.work
  • General inquiries: info@agentia.work

This DPA is governed by the laws applicable to the main Terms of Use agreement between the parties.