Agenta Data Processing Agreement (Website Version)

Last updated: February 4, 2026

Contact: [email protected]

Note: This page is provided for informational purposes. If you have a signed DPA with Agenta, the signed version governs.

This Data Processing Agreement ("DPA") forms part of the agreement between Agentatech UG (haftungsbeschraenkt) ("Agenta") and the customer entity that uses the Services ("Customer") (the "Agreement").

This DPA applies to the extent Agenta processes Personal Data on behalf of Customer in the course of providing the Services.

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection.

"Customer Personal Data" means Personal Data processed by Agenta on behalf of Customer in connection with the Services.

"EEA" means the European Economic Area.

"GDPR" means Regulation (EU) 2016/679.

"Personal Data" has the meaning given under Applicable Data Protection Law.

"Personal Data Breach" has the meaning given under the GDPR.

"Restricted Transfer" means a transfer of Customer Personal Data from the EEA, the UK, or Switzerland to a country that is not subject to an adequacy decision or other legal basis permitting such transfer under Applicable Data Protection Law.

"Services" means the services provided by Agenta under the Agreement.

"Sub-processor" means any processor engaged by Agenta to process Customer Personal Data.

"UK Addendum" means the UK ICO International Data Transfer Addendum to the EU Standard Contractual Clauses.

"UK GDPR" means the GDPR as incorporated into UK law.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Commission Implementing Decision (EU) 2021/914.

2. Roles and Scope

2.1 Customer role. Customer is the controller of Customer Personal Data, or the processor acting on behalf of a controller.

2.2 Agenta role. Agenta is a processor of Customer Personal Data, or a sub-processor where Customer acts as a processor.

2.3 Details of processing. The subject matter, duration, nature, and purpose of the processing, as well as the types of Personal Data and categories of data subjects, are described in Annex 1.

3. Customer Instructions

3.1 Agenta will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by applicable law. Where permitted by law, Agenta will inform Customer of any such legal requirement.

3.2 Customer warrants that its instructions comply with Applicable Data Protection Law. If Agenta believes an instruction infringes Applicable Data Protection Law, Agenta will inform Customer.

4. Confidentiality

Agenta will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

5. Security

5.1 Agenta will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

5.2 Agenta's current technical and organizational measures are described in Annex 2.

6. Sub-processing

6.1 General authorization. Customer provides a general authorization for Agenta to engage Sub-processors.

6.2 Sub-processor list. Agenta maintains a list of Sub-processors in Annex 3 and/or at a published sub-processor page.

6.3 Notice of changes. Agenta will provide at least thirty (30) days' prior notice of any intended addition or replacement of Sub-processors by updating the published list or otherwise notifying Customer.

6.4 Objection right. Customer may object to a new or replacement Sub-processor on reasonable grounds relating to data protection by providing written notice to Agenta within the notice period. The parties will work in good faith to address Customer's objection.

6.5 Remedy. If the parties cannot resolve the objection, Customer may terminate the affected Services without penalty by providing written notice to Agenta. This Section 6.5 is Customer's sole and exclusive remedy for objections under Section 6.4.

6.6 Flow-down. Agenta will enter into a written agreement with each Sub-processor imposing data protection obligations that are no less protective than those in this DPA.

7. Assistance

7.1 Data subject requests. Taking into account the nature of the processing, Agenta will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests for exercising data subject rights.

7.2 Compliance assistance. Agenta will provide reasonable assistance to Customer in meeting Customer's obligations under Applicable Data Protection Law relating to security, breach notification, impact assessments, and consultations with supervisory authorities.

7.3 Costs. Customer will reimburse Agenta for commercially reasonable costs arising from assistance requests that are excessive, repetitive, or go beyond what is required under Applicable Data Protection Law.

8. Personal Data Breach

Agenta will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Agenta will provide information reasonably required by Customer to comply with its breach-notification obligations.

9. Audits

9.1 Documentation. Upon request and subject to confidentiality obligations, Agenta will make available relevant information reasonably necessary to demonstrate compliance with this DPA, including, where available, a SOC 2 report and/or other third-party audit reports.

9.2 Customer audits. Customer may conduct (or appoint an independent auditor to conduct) one (1) audit per calendar year, on at least thirty (30) days' prior written notice, during regular business hours, and subject to reasonable scope, confidentiality, and security requirements. Customer will bear the costs of any such audit.

9.3 Agenta may satisfy audit requests by providing a recent SOC 2 report or similar third-party audit report, unless Customer reasonably demonstrates that a report is insufficient for its compliance obligations.

10. Return and Deletion

10.1 Return or deletion on termination. During the term of the Agreement, Customer may retrieve or export Customer Personal Data from the Services using available features. Following termination or expiration of the Agreement, Agenta will delete Customer Personal Data from production systems within thirty (30) days, unless retention is required by applicable law.

10.2 Backups. Customer Personal Data may remain in backups for up to one hundred eighty (180) days, during which time it will be protected by appropriate safeguards and not processed except as necessary to maintain or restore backups.

11. International Transfers

For Restricted Transfers, the parties agree that the transfer mechanisms in Annex 4 will apply.

12. Liability and Order of Precedence

12.1 Liability. Liability arising out of or related to this DPA (including the SCCs, where applicable) will be subject to the limitations of liability set forth in the Agreement, except to the extent such limitations are not permitted under Applicable Data Protection Law or the SCCs.

12.2 Order of precedence. In the event of conflict between this DPA and the Agreement, this DPA will control with respect to the processing of Customer Personal Data. In the event of conflict between this DPA and the SCCs (where applicable), the SCCs will prevail.


Annex 1: Details of Processing

Subject matter: Provision of the Services to Customer.

Duration: For the term of the Agreement, plus the deletion/backup periods described in Section 10.

Nature and purpose: Hosting and operation of the Services, including authentication, usage analytics, monitoring, customer support, email communications, and billing.

Categories of data subjects: Customer users (e.g., employees, contractors) and, where applicable, Customer's end users whose Personal Data is included in Customer inputs to the Services.

Types of Personal Data: May include identifiers (name, email), account and access data (roles, permissions), usage and device data (e.g., IP address, logs), and any Personal Data included by Customer in content uploaded or submitted to the Services.

Special categories of data: Customer will not provide special categories of data unless agreed in writing.


Annex 2: Technical and Organizational Measures (TOMs)

Agenta maintains a security program designed to protect Customer Personal Data, which may include:

  • Access controls and least-privilege access for personnel
  • Authentication controls (including MFA for internal systems where applicable)
  • Encryption in transit (e.g., TLS) and encryption at rest where applicable
  • Logging and monitoring of systems and access
  • Secure software development practices
  • Vulnerability management and patching
  • Incident response procedures
  • Backups and disaster recovery practices

Agenta may update TOMs from time to time provided such updates do not materially diminish security.


Annex 3: Sub-processors

Agenta publishes and maintains its current sub-processor list at:

  • /administration/security/sub-processors

Annex 4: International Transfer Mechanisms

A. EU SCCs (EEA)

The SCCs are incorporated by reference and apply to Restricted Transfers of Customer Personal Data.

Reference: Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses), https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj/eng

  1. Modules. The parties agree that:
     • Module 2 (Controller to Processor) applies where Customer is a controller and Agenta is a processor.
     • Module 3 (Processor to Processor) applies where Customer is a processor and Agenta is a sub-processor.

  2. Docking clause. Clause 7 (Docking clause) applies.

  3. Use of sub-processors (Clause 9). Option 2 applies. The time period for prior notice of sub-processor changes is thirty (30) days.

  4. Supervisory authority (Clause 13). The competent supervisory authority is as set out in Annex I.C, which will be the supervisory authority of the EEA exporter.

  5. Governing law and forum (Clauses 17 and 18). The parties select Germany for Clause 17 and the courts of Germany for Clause 18.

  6. Appendices / Annexes. The Appendices to the SCCs are completed using Annex 1, Annex 2, and Annex 3 of this DPA.

B. UK Addendum

For Restricted Transfers subject to UK GDPR, the UK Addendum is incorporated by reference and will be deemed completed by reference to the SCC selections and Annexes in this DPA.

Reference: UK ICO International Data Transfer Addendum, https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf

C. Switzerland

For Restricted Transfers subject to Swiss data protection law, the SCCs apply with the adjustments required by Swiss law and guidance from the Swiss Federal Data Protection and Information Commissioner.

Reference: FDPIC guidance on SCCs, https://www.edoeb.admin.ch/en/27082021-the-transfer-of-personal-data-to-a-country-with-an-inadequate-level-of-data-protection-based-on-recognised-standard-contractual-clauses-and-model-contracts