Data Processing Agreement
Last updated: May 2025 — governs how AgentCorp processes personal data on your behalf.
1. Definitions
In this Data Processing Agreement: 'Controller' means the organization using AgentCorp (you). 'Processor' means AgentCorp. 'Sub-processor' means any third party engaged by AgentCorp to process data on the Controller's behalf. 'Personal Data' has the meaning given under applicable data protection law. 'Processing' means any operation performed on Personal Data.
2. Scope and Purpose
This DPA applies where AgentCorp processes Personal Data on behalf of the Controller in connection with the provision of the platform. AgentCorp acts as a Processor under applicable data protection laws, including the GDPR where applicable. Processing is carried out solely for the purpose of delivering the contracted services.
3. Controller Obligations
The Controller represents and warrants that: (a) it has a lawful basis for processing the Personal Data it submits; (b) it has provided appropriate notices and obtained necessary consents from data subjects; (c) the instructions it provides to AgentCorp comply with applicable law. AgentCorp is not responsible for Controller's compliance with data protection laws.
4. Processor Obligations
AgentCorp will: (a) process Personal Data only on documented instructions from the Controller; (b) ensure that persons authorized to process the data are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the Controller in responding to data subject rights requests; (e) delete or return all Personal Data upon termination of services, at the Controller's election.
5. Sub-processors
AgentCorp may engage sub-processors to assist in delivering the service. Current sub-processors include: Supabase (database infrastructure), Clerk (authentication), and major cloud providers. AgentCorp will notify the Controller of intended changes to its sub-processor list at least 14 days in advance. The Controller may object to new sub-processors within that period.
6. Security Measures
AgentCorp implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include: encryption in transit and at rest, access controls, audit logging, regular security testing, and incident response procedures.
7. Data Subject Rights
AgentCorp will promptly notify the Controller if it receives a request from a data subject exercising rights under applicable law (e.g., access, erasure, portability). AgentCorp will not respond to such requests without the Controller's instruction, unless required by law. AgentCorp will provide reasonable assistance to the Controller in fulfilling such requests.
8. Personal Data Breach Notification
AgentCorp will notify the Controller without undue delay — and no later than 72 hours after becoming aware — of a Personal Data breach affecting data processed under this DPA. The notification will include: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
9. International Transfers
Where processing involves the transfer of Personal Data to a country outside the European Economic Area or the United Kingdom that is not subject to an adequacy decision, AgentCorp will ensure that appropriate safeguards are in place (e.g., Standard Contractual Clauses). Details of applicable transfer mechanisms are available on request.
10. Audit and Compliance
AgentCorp will make available to the Controller all information necessary to demonstrate compliance with this DPA. AgentCorp will allow for and contribute to audits conducted by the Controller or an auditor appointed by the Controller, subject to reasonable prior notice, confidentiality obligations, and cost-sharing arrangements.
11. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, AgentCorp will, at the Controller's choice, delete or return all Personal Data within 30 days, and confirm in writing that processing has ceased, unless retention is required by applicable law.