Data Processing Agreement

Effective Date: August 1, 2025 Last Updated: August 1, 2025

1. Introduction

This Data Processing Agreement ("DPA") supplements the AI Agents House Terms of Service and governs the processing of personal data by AI Agents House ("Processor") on behalf of our customers ("Controller") in compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable privacy laws.

This DPA applies when AI Agents House processes personal data on behalf of customers who are subject to data protection laws. By using our Services, Controller agrees to the terms of this DPA.

2. Definitions

Terms used in this DPA have the meanings set forth below. Capitalized terms not defined herein have the meanings given in the Terms of Service or applicable data protection law.

"Controller" means the entity that determines the purposes and means of processing personal data
"Data Subject" means an identified or identifiable natural person
"Personal Data" means any information relating to an identified or identifiable natural person
"Processing" means any operation performed on personal data
"Processor" means the entity that processes personal data on behalf of the Controller
"Sub-processor" means any third party engaged by Processor to process personal data
"Supervisory Authority" means an independent public authority responsible for monitoring compliance with data protection law

3. Scope and Application

3.1 Scope of Processing

This DPA applies to all personal data processed by AI Agents House in connection with providing the Services, including:

AI agent monitoring data that contains personal data
Customer account information
End-user data processed through monitored AI agents
Technical data that may identify individuals

3.2 Controller Responsibilities

Controller represents and warrants that:

It has the legal authority to enter into this DPA
It has obtained all necessary consents and provided required notices for data processing
The processing instructions are lawful and compliant with applicable data protection laws
It will not instruct Processor to process personal data in violation of applicable law

3.3 Processor Responsibilities

Processor agrees to:

Process personal data only on documented instructions from Controller
Implement appropriate technical and organizational measures
Ensure confidentiality of personal data
Assist Controller in meeting its data protection obligations

4. Processing Instructions

4.1 Authorized Processing

Processor is authorized to process personal data as necessary to:

Provide the AI agent governance services as described in the Terms of Service
Comply with legal obligations applicable to Processor
Respond to legitimate requests from data subjects
Maintain security and integrity of the Services

4.2 Processing Limitations

Processor will not:

Process personal data for its own purposes
Sell or rent personal data to third parties
Use personal data for marketing without explicit consent
Process personal data outside the scope of this DPA

4.3 Changes to Instructions

Controller may modify processing instructions by:

Updating account settings in the Services
Providing written notice to Processor
Entering into a written amendment to this DPA

5. Data Categories and Purposes

5.1 Categories of Personal Data

The personal data processed may include:

Identity data: Names, usernames, employee IDs
Contact data: Email addresses, phone numbers
Technical data: IP addresses, device identifiers, session tokens
Usage data: AI agent interactions, system logs, performance metrics
Professional data: Job titles, department information, organizational roles
Financial data: Transaction patterns, risk assessments (when relevant to AI monitoring)

5.2 Categories of Data Subjects

Data subjects may include:

Controller's employees and contractors
End-users of Controller's AI agents
Customers of Controller's financial services
Third parties interacting with monitored AI agents

5.3 Processing Purposes

Personal data is processed for:

Providing AI agent monitoring and governance services
Generating compliance reports and documentation
Detecting and preventing policy violations
Maintaining audit trails for regulatory purposes
Ensuring security and preventing fraud

6. Security Measures

6.1 Technical Measures

Processor implements technical measures including:

Encryption: AES-256 encryption for data at rest and in transit
Access controls: Multi-factor authentication and role-based access
Network security: Firewalls, intrusion detection, and secure protocols
Data isolation: Logical separation of customer data
Backup and recovery: Secure backup systems and disaster recovery procedures

6.2 Organizational Measures

Processor maintains organizational measures including:

Staff training: Regular data protection and security training
Access management: Strict access controls and need-to-know principles
Vendor management: Due diligence and contractual protections for sub-processors
Incident response: Comprehensive data breach response procedures
Compliance monitoring: Regular audits and compliance assessments

6.3 Security Standards

Processor's security measures are designed to meet:

SOC 2 Type II standards (certification planned)
ISO 27001 requirements
Financial services security guidelines
GDPR technical and organizational measures

7. Sub-processing

7.1 Authorized Sub-processors

Controller provides general authorization for Processor to engage sub-processors, subject to the conditions in this DPA. Current sub-processors include:

Google Cloud Platform: Cloud infrastructure and hosting
Amazon Web Services: Cloud infrastructure and backup services
Vercel: Website hosting and content delivery
Stripe: Payment processing (for billing data only)
PostHog: Analytics and usage monitoring
Google Analytics: Website analytics

7.2 Sub-processor Requirements

All sub-processors must:

Enter into written agreements with equivalent data protection obligations
Implement appropriate technical and organizational measures
Allow audits and inspections as required
Notify Processor of any data breaches immediately

7.3 Changes to Sub-processors

Processor will:

Notify Controller of any changes to sub-processors at least 30 days in advance
Provide Controller with information about new sub-processors upon request
Allow Controller to object to new sub-processors on reasonable data protection grounds
Work with Controller to resolve objections or provide alternative solutions

8. Data Subject Rights

8.1 Assistance with Requests

Processor will assist Controller in responding to data subject requests by:

Providing access to relevant personal data within 30 days
Implementing technical measures to facilitate data portability
Deleting or anonymizing personal data as instructed
Providing information about processing activities when requested

8.2 Technical Assistance

Processor provides technical capabilities to support:

Access requests: Export functionality for personal data
Correction requests: Data modification capabilities in the Services
Deletion requests: Secure deletion procedures and confirmation
Portability requests: Standard data formats for export

8.3 Response Timeframes

Processor will respond to Controller's requests for assistance:

Urgent requests (data subject complaints): Within 72 hours
Standard requests: Within 30 days
Complex requests: Within 60 days with interim updates

9. Data Transfers

9.1 International Transfers

Personal data may be transferred to countries outside the European Economic Area, including:

United States (primary data processing location)
Other countries where sub-processors operate
Locations necessary for service delivery and security

9.2 Transfer Safeguards

For transfers to countries without an adequacy decision, Processor implements:

Standard Contractual Clauses: EU Commission-approved SCCs
Additional safeguards: Encryption, access controls, and security measures
Regular reviews: Assessment of transfer mechanisms and country conditions
Alternative measures: Implementation of supplementary measures when necessary

9.3 Transfer Documentation

Processor maintains documentation of:

All international data transfers
Legal basis and safeguards for each transfer
Assessment of destination country laws
Supplementary measures implemented

10. Data Retention and Deletion

10.1 Retention Periods

Personal data is retained according to:

Controller's instructions and account settings
Legal retention requirements applicable to Processor
Regulatory requirements in the financial services sector
Technical limitations of secure deletion procedures

10.2 Data Deletion

Upon termination of Services or Controller's request:

Customer data: Deleted within 30 days unless legally required to retain
Backup data: Deleted within 90 days according to backup rotation schedules
Log data: Deleted according to standard log retention policies
Anonymized data: May be retained for analytics and service improvement

10.3 Deletion Verification

Processor will provide:

Written confirmation of data deletion
Certificates of destruction when requested
Documentation of deletion procedures
Exception reporting for data that cannot be deleted due to legal requirements

11. Data Breach Notification

11.1 Incident Response

Upon becoming aware of a personal data breach, Processor will:

Investigate and contain the incident immediately
Assess the risk to data subjects
Document the incident and response measures
Implement remediation measures to prevent recurrence

11.2 Notification Requirements

Processor will notify Controller of personal data breaches:

Timeframe: Within 72 hours of becoming aware of the breach
Method: Email notification to designated Controller contacts
Content: Description of breach, affected data, potential consequences, and remediation measures
Updates: Ongoing updates as investigation progresses

11.3 Cooperation

Processor will cooperate with Controller to:

Assess whether notification to supervisory authorities is required
Provide information for breach notifications to data subjects
Assist with regulatory investigations
Implement additional security measures as needed

12. Audits and Compliance

12.1 Audit Rights

Controller may audit Processor's compliance with this DPA by:

Reviewing available audit reports and certifications
Requesting additional information about processing activities
Conducting on-site audits with reasonable notice (subject to confidentiality agreements)
Engaging third-party auditors (at Controller's expense)

12.2 Audit Information

Processor will provide:

SOC 2 Type II reports when available
Security certifications and compliance documentation
Policies and procedures related to data protection
Results of internal audits and assessments

12.3 Remediation

If audits identify non-compliance issues:

Processor will develop remediation plans within 30 days
Critical issues will be addressed immediately
Controller will be notified of progress and completion
Additional audits may be conducted to verify remediation

13. Liability and Indemnification

13.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service, except for:

Intentional misconduct or gross negligence
Violations of data protection law
Breach of confidentiality obligations

13.2 Data Protection Indemnification

Processor will indemnify Controller against:

Fines imposed by supervisory authorities due to Processor's non-compliance
Third-party claims arising from Processor's breach of this DPA
Costs of regulatory investigations caused by Processor's actions

13.3 Controller Indemnification

Controller will indemnify Processor against:

Claims arising from Controller's unlawful processing instructions
Violations of data subject rights caused by Controller's actions
Regulatory fines resulting from Controller's non-compliance

14. Term and Termination

14.1 Term

This DPA remains in effect for the duration of the Terms of Service and any period necessary to complete data deletion obligations.

14.2 Effect of Termination

Upon termination:

Processor will cease processing personal data (except as required for deletion)
Personal data will be deleted or returned as instructed by Controller
Copies and backups will be securely deleted according to retention schedules
Confidentiality obligations will survive termination

14.3 Survival

The following provisions survive termination:

Data deletion and return obligations
Confidentiality requirements
Liability and indemnification provisions
Audit rights (for reasonable period post-termination)

15. Dispute Resolution

15.1 Escalation Process

Data protection disputes will be resolved through:

Direct communication between designated data protection contacts
Escalation to senior management within 30 days
Mediation by mutually agreed third party
Arbitration or court proceedings as specified in Terms of Service

15.2 Regulatory Cooperation

Both parties agree to:

Cooperate with supervisory authority investigations
Provide requested information and documentation
Implement supervisory authority decisions and orders
Work together to resolve regulatory concerns

16. Contact Information

16.1 Data Protection Contacts

For Controller inquiries: Email: hello@aiagentshouse.com Subject: DPA - Controller Inquiry

For data subject requests: Email: hello@aiagentshouse.com Subject: Data Subject Request

16.2 Emergency Contacts

For urgent data protection matters (breaches, regulatory inquiries): Email: hello@aiagentshouse.com Phone: [Emergency Contact Number]

17. Amendments

17.1 Amendment Process

This DPA may be amended:

By mutual written agreement of the parties
To comply with changes in applicable law
To reflect changes in processing activities or security measures

17.2 Notification

Material changes will be communicated:

At least 30 days before effective date
Through email notification to designated contacts
By posting updated DPA on our website
Through in-platform notifications when appropriate

Acceptance: By using our Services, Controller acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement.