Data Processing Addendum

This Data Processing Addendum (DPA) governs how AI Agentics processes personal data on behalf of customers when they use our agentic-AI platform. It forms part of our customer agreement and reflects the requirements of the GDPR and equivalent data protection laws.

  • Last updated: June 2026
  • GDPR aligned
  • SCCs included

Last updated: June 2026. This Data Processing Addendum ("DPA") supplements the AI Agentics Terms of Service and any order form or subscription agreement (together, the "Agreement") between AI Agentics, Inc. ("AI Agentics", "we", "us") and the customer ("Customer", "you"). It applies whenever we process personal data on your behalf in connection with the AI Agentics platform, SDKs, APIs, and related services.

Plain-language summary

When you build and run AI agents on our platform, you decide what personal data is processed and why — so you are the controller and we act as your processor. This DPA sets out how we protect that data: the security measures we apply, the subprocessors we rely on, how we handle international transfers using Standard Contractual Clauses (SCCs), how we help you respond to data subject requests and breaches, and how data is returned or deleted when our relationship ends. It is a summary only — the numbered sections below are the binding terms.

1. Overview & scope

This DPA applies to all processing of personal data carried out by AI Agentics and our subprocessors on Customer's behalf under the Agreement. It governs Customer Personal Data — personal data contained in prompts, documents, knowledge bases, vector stores, tool inputs and outputs, conversation transcripts, and logs that you submit to or generate on the platform when running LLM agents and agentic workflows.

Where the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, or analogous laws apply to your use of the platform, this DPA forms a binding part of the Agreement. If there is any conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA prevails. This DPA does not apply to data for which AI Agentics is the independent controller, such as account and billing information, which is governed by our privacy policy.

2. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. The key roles are summarised below.

Controller
The party that determines the purposes and means of processing personal data. Under this DPA, the Customer is the controller (or a processor acting for its own customers).
Processor
The party that processes personal data on behalf of the controller. AI Agentics acts as the processor (or sub-processor) for Customer Personal Data submitted to the platform.
Personal data
Any information relating to an identified or identifiable natural person — names, emails, identifiers, location data, and any content within prompts, files, or tool calls that can identify a person.
Subprocessor
A third party engaged by AI Agentics to process Customer Personal Data on our behalf, such as cloud hosting, model inference, or observability providers, each bound by data-protection obligations.
Data subject
The identified or identifiable natural person to whom the personal data relates — for example an end user whose support ticket an AI agent handles.
Processing
Any operation performed on personal data, including collection, storage, retrieval, use, embedding into a vector store, transfer, and deletion.

3. Roles & responsibilities

The Customer is the controller and AI Agentics is the processor with respect to Customer Personal Data. Where the Customer is itself acting as a processor for a third-party controller, AI Agentics acts as a sub-processor. Each party complies with the data-protection laws applicable to it.

  • Customer responsibilities. You determine the purposes and means of processing, ensure you have a valid legal basis and any required consents, give us complete and accurate instructions, and configure agent tools, memory, and retention appropriately for the data you submit.
  • AI Agentics responsibilities. We process Customer Personal Data only on your documented instructions (including via your use of the platform's settings and APIs), keep it confidential, ensure personnel are bound by confidentiality, and implement the security measures described below.
  • Documented instructions. The Agreement, this DPA, and your configuration of the service constitute your complete instructions. We will tell you if, in our opinion, an instruction infringes applicable data-protection law.

We do not use Customer Personal Data to train foundation models, and we do not sell personal data. Customer content is processed solely to provide and support the service.

4. Processing details

The following table describes the nature, purpose, duration, and scope of processing, as required by Article 28(3) GDPR.

Particular: Details
Subject matter: Provision of the AI Agentics agentic-AI platform, SDKs, and APIs
Nature & purpose: Hosting, orchestrating, and executing AI agents: storing prompts and files, generating embeddings, running tool calls, and producing outputs
Duration: For the term of the Agreement, plus the return/deletion period in Section 11
Categories of data: Identifiers, contact details, and any content the Customer submits in prompts, documents, knowledge bases, and tool inputs/outputs
Categories of data subjects: Customer's end users, employees, and any individuals referenced in submitted content
Frequency: Continuous, on an as-used basis driven by Customer activity

Figure: How Customer Personal Data flows through the platform while an agent runs; each stage is subject to this DPA.

  1. Submit: Prompts & documents
  2. Store & embed: Encrypted vector store
  3. Process: Reasoning & tool calls
  4. Return: Output to Customer
  5. Delete: On request / expiry

5. Subprocessors

You authorise AI Agentics to engage subprocessors to help deliver the service — for example, cloud infrastructure providers, model inference providers, and observability tooling. We maintain a current list of subprocessors describing each provider's role and processing location.

  • Flow-down obligations. Each subprocessor is bound by a written contract imposing data-protection obligations no less protective than those in this DPA.
  • Change notice. We will give at least 30 days' advance notice (via email or our subprocessor page) before adding or replacing a subprocessor, giving you time to object on reasonable data-protection grounds.
  • Liability. AI Agentics remains responsible to the Customer for each subprocessor's performance of its data-protection obligations.

To request the current subprocessor list or register an objection, contact our privacy team.

6. Security measures

AI Agentics implements appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art and the risks of processing (Article 32 GDPR).

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256), including vector stores and logs.
  • Access control on a least-privilege basis, with SSO, role-based permissions, and audited administrative access.
  • Network & tenant isolation so each customer's agents, memory, and tool credentials remain logically separated.
  • Monitoring & logging with full tracing of agent decisions, tool calls, and data access for accountability.
  • Independent assurance, including SOC 2 Type II and regular penetration testing.

Full details, certifications, and current status are published on our security page. Live availability is reported at our status page.

  • AES-256: Encryption at rest (vector stores & logs)
  • SOC 2 Type II: independently audited
  • 72h: Breach notice, without undue delay
  • 30d: Subprocessor notice, before changes

7. International data transfers

Where processing of Customer Personal Data involves a transfer out of the European Economic Area, the UK, or Switzerland to a country without an adequacy decision, AI Agentics relies on the European Commission's Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference and completed as follows:

  • Module Two (controller-to-processor) applies where the Customer is a controller; Module Three (processor-to-processor) applies where the Customer is a processor.
  • For UK transfers, the UK International Data Transfer Addendum to the SCCs applies; for Swiss transfers, the SCCs are read with the amendments required by the Swiss FADP.
  • AI Agentics carries out transfer impact assessments and applies supplementary measures, such as encryption and access limitations, where appropriate.

Customers can request information on data hosting regions and, where available, configure regional data residency for storage of agent content.

8. Data subject rights assistance

Taking into account the nature of the processing, AI Agentics assists the Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under the GDPR.

  1. Locate & access

    Self-service tools and APIs let Customers find, export, and review personal data within an agent's memory, vector stores, and logs to answer access requests.

  2. Rectify & restrict

    Customers can correct or restrict processing of specific records and re-index updated content so agents reason over accurate data.

  3. Erase & object

    Deletion endpoints remove personal data from active stores and queued embeddings; we assist where the request cannot be completed through self-service.

If we receive a data subject request directed at Customer Personal Data, we will promptly notify the Customer and, unless legally required to respond, direct the data subject to the Customer rather than acting on the request ourselves.

9. Data breach notification

AI Agentics maintains an incident response program to detect, contain, and remediate security incidents. If we become aware of a personal data breach affecting Customer Personal Data, we will notify the Customer without undue delay and, in any event, within 72 hours of confirming the breach.

  • The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected (where known), the likely consequences, and the measures taken or proposed.
  • We will provide reasonable cooperation and information to help the Customer meet its own breach-notification obligations to supervisory authorities and data subjects.
  • Our notification is not an acknowledgement of fault or liability.

10. Audits

AI Agentics makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates.

  • We satisfy audit requests primarily by providing our current SOC 2 report, penetration-test summaries, and security documentation on request.
  • Where these materials are insufficient to address a specific regulatory requirement, the Customer may request an on-site or remote audit on reasonable prior notice, no more than once per year, during business hours, and subject to confidentiality.
  • Audits must not unreasonably disrupt our operations or compromise the confidentiality or security of other customers' data.

11. Return & deletion of data

Upon termination or expiry of the Agreement, and at the Customer's choice, AI Agentics will return or delete all Customer Personal Data, unless retention is required by applicable law.

  • Export. The Customer may export agent content, knowledge bases, and logs through the platform before the relationship ends.
  • Deletion window. Unless the Customer requests earlier deletion, we delete Customer Personal Data from active systems within 30 days of termination, and from backups within the normal backup-rotation cycle.
  • Certification. On request, we will confirm in writing that deletion has been completed.

12. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory, is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA combined. Nothing in this DPA limits liability that cannot be limited under applicable data-protection law, including liability to data subjects under Article 82 GDPR.

13. Contact & Data Protection Officer

For questions about this DPA, to exercise audit rights, to request the subprocessor list, or to reach our Data Protection Officer, please use the contacts below. We aim to acknowledge data-protection enquiries within five business days.

Need a signed DPA or have questions?

We're happy to provide a counter-signed copy of this DPA and answer questions about GDPR compliance, SCCs, subprocessors, or our controls. Reach out through our contact page, or review the technical and organisational measures in detail on our security page.