
Data Processing Addendum (DPA)

Last updated: 4 May 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service and applies to any processing of Personal Data carried out by AgentGate on behalf of the Customer in connection with the Service. Under GDPR, the Customer acts as the controller and AgentGate acts as the processor for the processing activities covered by this DPA.

1. Scope and subject matter

This DPA governs AgentGate's processing of Personal Data submitted to the Service by the Customer, its authorized users, autonomous agents, or connected systems. AgentGate processes such Personal Data only to provide, operate, secure, maintain, and support the Service, and only on the Customer's documented instructions unless otherwise required by applicable law.

This DPA applies only where AgentGate acts as a processor. Processing activities for which AgentGate acts as a controller, including processing relating to its own users, prospects, commercial contacts, or legal obligations, are described in the Privacy Policy.

2. Duration

AgentGate processes Personal Data for the duration of the Service and thereafter for any retention period required by the subscribed plan, the Customer's documented instructions, or applicable law. After termination of the Service, data may be retained for a limited transitional period to enable export, return, or secure deletion.

Unless otherwise agreed in writing, the Customer may export its data for thirty (30) days following termination. After that period, AgentGate will delete or return Personal Data in accordance with Section 14 of this DPA, subject to legal retention obligations and residual encrypted backups.

3. Nature and purpose of the processing

Processing activities may include:

  • receiving and hosting data submitted to the Service;
  • evaluating, logging, conditionally validating, or holding payment intents for review;
  • managing accounts, access, authentication, and permissions;
  • technical logging, auditability, security, incident detection, and abuse prevention;
  • sending transactional notifications related to the operation of the Service.

AgentGate does not use Personal Data submitted by the Customer to train artificial intelligence models.

4. Categories of data subjects

Depending on the Customer's configuration and use of the Service, data subjects may include:

  • the Customer's authorized users, including administrators, approvers, operators, and viewers;
  • technical accounts or autonomous agents used by the Customer;
  • beneficiaries or counterparties identified in payment intents;
  • any other individual whose data is submitted to the Service by the Customer under the Customer's sole responsibility.

5. Categories of Personal Data

Depending on the Customer's use of the Service, AgentGate may process:

  • identification data, such as name, email address, user ID, agent ID, and beneficiary identifier;
  • authentication and security data, such as password hashes, encrypted 2FA secrets, recovery code hashes, sign-in logs, IP addresses, and user-agent information;
  • operational and financial metadata, such as amounts, currencies, beneficiary names, account or counterparty identifiers, categories, memos, and approval or rejection decisions;
  • audit and traceability data, such as timestamps, logs, event identifiers, webhook metadata, decisions, technical proofs, and hashes.

The Customer agrees not to submit special categories of personal data under GDPR unless specifically agreed in writing in advance and subject to appropriate safeguards.

6. Customer instructions

AgentGate processes Personal Data only in accordance with:

  • the Terms of Service and this DPA;
  • the configuration established by the Customer within the Service;
  • the Customer's additional written instructions, to the extent they are compatible with the Service and applicable law.

If AgentGate considers that an instruction infringes GDPR or other applicable data protection law, AgentGate will inform the Customer to the extent permitted by law.

7. Confidentiality and authorized personnel

AgentGate ensures that persons authorized to process Personal Data:

  • are subject to appropriate contractual or statutory confidentiality obligations;
  • access data only on a need-to-know basis;
  • receive appropriate security and data protection awareness or training.

Production access is limited, logged, and regularly reviewed.

8. Security measures

AgentGate implements appropriate technical and organizational measures taking into account the state of the art, implementation costs, the nature of the data, and the risks to data subjects. These measures may include:

  • encryption in transit;
  • encryption at rest where relevant;
  • role-based access control;
  • multi-factor authentication for sensitive access;
  • least privilege principles;
  • append-only or equivalent audit logging for security events;
  • monitoring, incident detection, vulnerability scanning, and patch management;
  • regular backups and recovery procedures;
  • logical environment segmentation.

9. Subprocessors

The Customer generally authorizes AgentGate to engage subprocessors to provide the Service, provided that AgentGate:

  • selects providers offering sufficient guarantees;
  • imposes data protection obligations on them that are at least equivalent to those set out in this DPA;
  • remains responsible to the Customer for the performance of those subprocessors to the extent required by GDPR.

Current categories of subprocessors may include:

  • cloud hosting and databases;
  • transactional email providers;
  • monitoring, logging, and error tracking providers;
  • subscription billing providers.

Where subprocessors are located outside the EEA or may access data from a third country, the transfer safeguards described in Section 10 apply. AgentGate will notify the Customer of any material addition or replacement of a subprocessor at least thirty (30) days in advance, allowing the Customer to raise a reasonable data protection objection.

10. International transfers

Where Personal Data is transferred outside the EEA, AgentGate implements appropriate safeguards required under GDPR, including the European Commission's Standard Contractual Clauses or another lawful transfer mechanism.

If there is a conflict between this DPA and applicable Standard Contractual Clauses, the SCCs prevail for matters relating to international transfers.

11. Assistance

Taking into account the nature of the processing and the information available, AgentGate provides reasonable assistance to the Customer for:

  • responding to data subject rights requests;
  • carrying out data protection impact assessments where necessary;
  • cooperating with supervisory authorities;
  • demonstrating compliance with obligations under Articles 32 to 36 GDPR.

12. Personal data breach notification

AgentGate will notify the Customer of any personal data breach affecting Customer Personal Data without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of it. The notification will include, where available:

  • a description of the nature of the breach;
  • the categories of data and data subjects concerned;
  • the approximate number of affected records;
  • the likely consequences;
  • the measures taken or proposed to address and mitigate the breach.

13. Audits and compliance information

AgentGate will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. The Customer may request, no more than once per year unless triggered by a security incident or specific regulatory requirement, a documentary audit or other reasonable verification, subject to:

  • at least thirty (30) days' prior written notice;
  • a proportionate scope;
  • respect for confidentiality, trade secrets, and the security of other customers;
  • AgentGate's right to first provide reports, certifications, policies, or security questionnaires as a reasonable substitute for an on-site audit.

14. Return and deletion

At the end of the Services, and at the Customer's choice, AgentGate will delete or return Personal Data unless retention is required by applicable law. A thirty (30) day export period may be provided after termination.

Data contained in encrypted security backups may remain temporarily for an additional period of up to thirty (30) days solely for continuity, recovery, or security purposes before final deletion in the ordinary course.

15. Order of precedence

If there is any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails. If there is any conflict between this DPA and applicable Standard Contractual Clauses relating to international data transfers, the SCCs prevail for the relevant subject matter.

16. Contact

For any request relating to this DPA, including signature or countersignature, the Customer may contact: legal@agentgate.eu.

17. Current subprocessors

CNIL guidance emphasizes the need to choose only processors offering sufficient guarantees and to frame their role contractually.

| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| OVHcloud / Scaleway | Hosting, compute, database | EU (France) | Contract + vendor security commitments |
| Resend | Transactional email | EU + US | SCCs where applicable |
| Sentry | Error tracking and observability | EU | Contract + vendor security commitments |
| Stripe | Subscription billing | EU + US | SCCs where applicable |

Questions? Contact us at legal@payment-guard.example