1. Definitions
Capitalised terms used but not defined in this DPA have the meaning given in the Terms of Service or applicable Data Protection Laws. For clarity:
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data; in this DPA, the Customer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller; in this DPA, ai-agents.bar.
- "Personal Data" means any information relating to an identified or identifiable natural person, processed by Processor on behalf of Controller in connection with the Services.
- "Sub-processor" means any third party engaged by Processor to process Personal Data on Controller's behalf.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Data Protection Laws" means the GDPR, the UK GDPR, the Swiss FADP and any other applicable laws on the processing of personal data.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission Decision 2021/914, including subsequent amendments, and equivalent UK and Swiss instruments.
2. Subject matter & duration
The subject matter of the processing is the provision of the Services as described in the Terms of Service and Documentation. The duration of the processing corresponds to the term of the Customer's subscription, plus any retention period required to fulfil contractual or legal obligations as described in section 9.
3. Nature & purpose of processing
Processor processes Personal Data on documented instructions from Controller for the purpose of providing, securing, maintaining and improving the Services, including: enabling user access, executing AI agent runs, performing integrations, generating logs and reports, providing customer support and complying with legal obligations.
Processor will not process Personal Data for any other purpose unless required by applicable law, in which case Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4. Categories of data subjects & personal data
The categories of Data Subjects and Personal Data processed under this DPA are described in Annex 1. Controller is responsible for determining the lawfulness of submitting any specific category of Personal Data to the Services.
5. Processor obligations
Processor will:
- Documented instructions. Process Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required to do so otherwise by applicable law.
- Confidentiality. Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
- Security. Implement and maintain the technical and organisational measures set out in Annex 2 to ensure a level of security appropriate to the risk.
- Sub-processors. Engage Sub-processors only in accordance with section 6.
- Assistance. Assist Controller as set out in section 7 to enable Controller to comply with its obligations under Data Protection Laws.
- Breach notification. Notify Controller of Personal Data breaches as set out in section 8.
- Return / deletion. Return or delete Personal Data as set out in section 9.
- Audit. Make available to Controller information necessary to demonstrate compliance, and allow audits as set out in section 11.
6. Sub-processors
Controller provides general written authorisation for Processor to engage Sub-processors to provide the Services, subject to the conditions of this section.
Processor maintains an up-to-date list of Sub-processors, available on request; Controller may also subscribe to receive notifications of changes to that list. Processor will inform Controller of any intended addition or replacement of Sub-processors at least 30 days in advance, giving Controller the opportunity to object on reasonable data-protection grounds. If the parties cannot resolve the objection, Controller may terminate the affected portion of the Services.
Processor will impose data-protection obligations on Sub-processors that are no less protective than those in this DPA, and remains fully liable to Controller for the performance of each Sub-processor's obligations.
7. Assistance to Controller
Taking into account the nature of the processing and the information available to Processor, Processor will assist Controller, by appropriate technical and organisational measures and to the extent reasonably possible, in:
- Responding to Data Subject requests under Articles 15–22 GDPR.
- Ensuring compliance with the obligations under Articles 32–36 GDPR (security, breach notification, DPIAs and prior consultation).
- Providing the information needed to demonstrate compliance, where Controller cannot reasonably obtain such information through the standard self-service tools made available in the Services.
8. Personal Data breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Controller's Personal Data. The notification will, to the extent reasonably possible, describe:
- The nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- The contact point for further information.
Processor will provide additional information as it becomes available and cooperate reasonably with Controller's response.
9. Return or deletion of Personal Data
Upon termination or expiration of the Services, Processor will, at Controller's choice, delete or return all Personal Data to Controller, and delete existing copies, unless storage is required by applicable law. Standard self-service export tools are available throughout the term and for a defined period after termination as described in the Documentation.
Backup copies will be deleted in accordance with Processor's documented backup-retention schedule, after which Personal Data will be irretrievable.
10. International transfers
Where Processor or its Sub-processors transfer Personal Data outside the European Economic Area, the United Kingdom or Switzerland to a country not subject to a recognised adequacy decision, the transfer will be governed by the SCCs, which are hereby incorporated by reference into this DPA. The parties agree:
- For EU transfers: Module Two (Controller to Processor) of the SCCs applies; for transfers Processor to Sub-processor, Module Three applies.
- The optional clauses of the SCCs are deemed selected as follows: docking clause (Clause 7) — included; Option 2 of Clause 9(a) (general written authorisation, with 30-day notice, consistent with section 6); Option 1 of Clause 17, with the specified Member State being the Member State in which Controller is established (or as otherwise required by Data Protection Laws); Clause 18(b), with the courts of that same Member State having jurisdiction.
- For UK transfers: the UK International Data Transfer Addendum is incorporated and deemed completed using equivalent details.
- For Swiss transfers: the SCCs apply with the modifications required by the Swiss FADP and FDPIC guidance.
Processor maintains transfer impact assessments and supplementary measures (including encryption, pseudonymisation and access restrictions) for each transfer scenario, available on request.
11. Audit
Processor will make available to Controller, upon reasonable request, the audit reports and certifications it maintains (including SOC 2 Type II and ISO/IEC 27001), summaries of penetration tests and the latest version of Annex 2.
Where the foregoing is not sufficient to demonstrate compliance, Controller may, at its own expense and no more than once per year (unless required by a competent supervisory authority), conduct an audit limited to information necessary to verify Processor's compliance with this DPA. Audits will be subject to reasonable advance notice (at least 30 days), confidentiality, and conducted in a manner that does not disrupt Processor's operations or compromise the security of other customers' data.
12. Liability
Each party's liability arising under or in connection with this DPA, whether in contract, tort or otherwise, is subject to the limitations and exclusions of liability set out in the Terms of Service, except where prohibited by law.
Annex 1 — Description of processing
A. List of parties
Controller: Customer, as identified in the Order Form.
Processor: [Company Legal Entity], [Registered Address]. Contact: dpo@ai-agents.bar.
B. Subject matter
Provision of the ai-agents.bar platform, enabling Controller to deploy and operate AI agents that process Personal Data ingested from connected applications and end-users.
C. Duration
For the term of the subscription and any post-termination retention period documented in the Services.
D. Nature & purpose of processing
Hosting, transmission, structured storage, retrieval, analysis, agent execution, integration with third-party applications, support, monitoring, security, billing.
E. Categories of Data Subjects
- Controller's employees, contractors and authorised users.
- Controller's customers, prospects, leads and end-users whose data is submitted to the Services.
- Controller's suppliers, partners and other counterparties whose data Controller processes via the Services.
- Any other Data Subjects whose Personal Data Controller chooses to process via the Services.
F. Categories of Personal Data
- Identification data: name, username, email, organisation, role, language.
- Contact data: phone number, postal address.
- Professional data: job title, employer, business activities.
- Account & authentication data: hashed credentials, MFA factors, OAuth tokens, IP address, device identifiers.
- Communication content: emails, chat messages, support tickets, attachments processed by agents.
- CRM & transactional data: leads, opportunities, invoices, products, support cases.
- Operational data: pipeline states, project tasks, workflow events.
- Agent execution data: prompts, intermediate outputs, decisions, approvals, audit-trail entries.
- Any other Personal Data Controller chooses to submit to the Services.
G. Sensitive data
The Services are not intended for the processing of special categories of personal data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR). If Controller chooses to process such data, it must ensure an appropriate legal basis and inform Processor in advance so additional safeguards can be considered.
H. Frequency of processing
Continuous, on-demand, for the term of the subscription.
I. Retention
For the term of the subscription, plus the periods specified in the Services Documentation and the Privacy Policy. After termination, Personal Data is deleted in accordance with section 9.
Annex 2 — Technical & organisational measures
Processor implements and maintains the following technical and organisational measures, which may be updated from time to time provided that the level of security is not reduced. A more detailed description is available in the Security & Trust Center at /security.html.
A. Encryption
- TLS 1.3 for data in transit (TLS 1.2 minimum negotiated); HSTS enabled.
- AES-256-GCM for data at rest, including databases, object storage, backups, ephemeral disks and logs.
- Mutual TLS for internal service-to-service traffic.
- Keys managed in a FIPS 140-2 Level 3 KMS, with rotation and tenant-scoped data-encryption keys; BYOK available on enterprise plans.
B. Access control
- Role-based access control with granular permissions per workspace, agent and integration.
- SAML 2.0 / OIDC SSO and SCIM 2.0 provisioning.
- MFA (TOTP, WebAuthn) required for admin roles.
- Least-privilege internal access; just-in-time, time-bound, peer-approved production access with full session recording.
- Quarterly access reviews and immediate offboarding tied to HRIS events.
C. Multi-tenant isolation
- Logical isolation enforced at application, database, queue and storage layers.
- Cryptographically scoped tenant identifiers on every request.
- Sandboxed, ephemeral execution per agent run with capability-based permissions.
D. Monitoring & logging
- Comprehensive audit logs of authentication, configuration changes and agent actions, exportable to customer SIEMs.
- 24/7 SOC monitoring with automated detection across infrastructure, application and identity layers.
- Tamper-evident, immutable log retention.
E. Vulnerability & change management
- SAST, DAST, dependency scanning, container image scanning and IaC policy enforcement integrated in CI/CD.
- Annual third-party penetration tests; targeted tests for major releases.
- Defined remediation SLAs by severity; private bug bounty programme.
F. Business continuity & disaster recovery
- Multi-AZ active-active deployment in primary regions; automated failover.
- Encrypted, geographically replicated backups; restore drills tested at defined intervals.
- Documented BCP / DR plans with RTO 4h, RPO 1h for the production database.
- Multi-region deployment options for data residency on enterprise plans.
G. Incident response
- 24/7 on-call rotation; documented IR plan covering detection, containment, eradication, recovery and post-incident review.
- Customer notification of confirmed personal data breaches without undue delay and within 72 hours.
H. Personnel
- Background checks where permitted by law.
- Mandatory security and privacy training at onboarding and annually.
- Confidentiality obligations binding for the duration of employment and beyond.
- Hardware-backed MFA for all employees with production access.
I. Agent runtime safeguards
- Runtime guardrails enforced at the execution layer (not via prompts), with deterministic deny-by-default behaviour.
- Blast-radius controls: quotas on outbound actions per run, hard caps and graceful failure modes.
- Configurable human-in-the-loop approval gates for high-stakes actions.
- Prompt-injection defences: input sanitisation, untrusted-content tagging, tool-call allow-lists.
- Output safety filters and full audit trail of every agent action and approval.
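The measures in section I describe a pattern rather than a product: every tool call an agent makes passes through a guard that is enforced in code, denies anything not on an allow-list, counts outbound actions against a per-run cap, and holds high-stakes actions until a human has approved them, writing an audit entry for each decision. The following is an added, illustrative Python sketch of such a guard; it is not ai-agents.bar's code, and the tool names, policy fields and the `content_trusted` tag are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Illustrative execution-layer guard (assumed design, not the platform's code).
# The policy is evaluated in code on every tool call; nothing here depends on
# instructions placed in a prompt, so a prompt injection cannot turn it off.

@dataclass(frozen=True)
class RunPolicy:
    allowed_tools: frozenset        # tool-call allow-list; everything else is denied
    high_stakes: frozenset          # tools that require human approval before execution
    max_outbound_actions: int       # hard cap on outbound actions for the whole run

@dataclass
class RunState:
    outbound_used: int = 0
    approvals: set = field(default_factory=set)   # (tool, call_id) pairs approved by a human
    audit: list = field(default_factory=list)     # one entry per decision, in order

# Assumed classification of which tools cause effects outside the sandbox.
OUTBOUND_TOOLS = frozenset({"send_email", "http_post", "crm_update"})

def guard(policy: RunPolicy, state: RunState, tool: str, call_id: str,
          content_trusted: bool = True) -> str:
    """Decide 'allow', 'deny' or 'needs_approval' for one tool call and record it.

    content_trusted=False marks a call whose arguments were derived from
    untrusted content (e.g. an inbound email body); such calls may not
    perform outbound actions. Denied calls never consume quota.
    """
    def record(decision: str, reason: str) -> str:
        state.audit.append({"call_id": call_id, "tool": tool,
                            "decision": decision, "reason": reason})
        return decision

    if tool not in policy.allowed_tools:                      # deny-by-default
        return record("deny", "tool not on allow-list")
    if tool in policy.high_stakes and (tool, call_id) not in state.approvals:
        return record("needs_approval", "human-in-the-loop gate")
    if tool in OUTBOUND_TOOLS:
        if not content_trusted:
            return record("deny", "outbound action requested from untrusted content")
        if state.outbound_used >= policy.max_outbound_actions:  # blast-radius cap
            return record("deny", "per-run outbound quota exhausted")
        state.outbound_used += 1
    return record("allow", "policy satisfied")

def demo() -> list:
    """Run a constructed sequence of tool calls through the guard; returns the decisions."""
    policy = RunPolicy(allowed_tools=frozenset({"search", "send_email", "delete_record"}),
                       high_stakes=frozenset({"delete_record"}),
                       max_outbound_actions=2)
    state = RunState()
    decisions = [
        guard(policy, state, "search", "c1"),                          # allow
        guard(policy, state, "send_email", "c2"),                      # allow (1 of 2)
        guard(policy, state, "send_email", "c3", content_trusted=False),  # deny: untrusted origin
        guard(policy, state, "send_email", "c4"),                      # allow (2 of 2)
        guard(policy, state, "send_email", "c5"),                      # deny: quota exhausted
        guard(policy, state, "delete_record", "c6"),                   # needs_approval
    ]
    state.approvals.add(("delete_record", "c6"))                       # human approves c6
    decisions.append(guard(policy, state, "delete_record", "c6"))      # allow
    decisions.append(guard(policy, state, "shell_exec", "c7"))         # deny: not allow-listed
    return decisions

if __name__ == "__main__":
    for d in demo():
        print(d)
```

The ordering of checks matters: the allow-list and approval gate are evaluated before the quota so that a denied or pending call never consumes budget, and the untrusted-content check sits in front of the counter for the same reason. The audit list is the per-run trail that section I and Annex 2.D refer to; in a real deployment it would be written to tamper-evident storage rather than kept in memory.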