Data Processing Agreement (DPA)

Effective Date: January 1, 2025

Last Updated: January 1, 2025

About This DPA: This Data Processing Agreement governs how SuprAgent AI processes personal data on behalf of our customers in compliance with GDPR, CCPA, and other data protection regulations.

1. Definitions

"Controller" means the Customer who determines the purposes and means of processing Personal Data.

"Processor" means SuprAgent AI, which processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor" means any third-party processor engaged by SuprAgent to process Personal Data.

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and similar regulations.

2. Scope and Application

This DPA applies to all processing of Personal Data by SuprAgent AI on behalf of the Customer in connection with the Services. This DPA forms part of the Terms of Service and takes precedence over any conflicting terms regarding data processing.

By using our Services, the Customer (as Controller) appoints SuprAgent (as Processor) to process Personal Data in accordance with this DPA and applicable Data Protection Laws.

3. Roles and Responsibilities

3.1 Customer (Controller) Responsibilities

The Customer, as Controller, is responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring lawful basis for processing under applicable Data Protection Laws
  • Obtaining necessary consents and providing required notices to data subjects
  • Ensuring the accuracy and legality of Personal Data provided to SuprAgent
  • Responding to data subject requests and enabling data subjects to exercise their rights
  • Instructing SuprAgent on data processing activities

3.2 SuprAgent (Processor) Responsibilities

SuprAgent, as Processor, agrees to:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure personnel authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject requests
  • Assist the Customer with data protection impact assessments when required
  • Notify the Customer of any Personal Data breaches without undue delay
  • Delete or return Personal Data upon termination or request
  • Make available information necessary to demonstrate compliance

4. Details of Processing

Processing Activities

Subject Matter: Provision of AI agent orchestration and conversation services

Duration: For the term of the Services agreement

Nature and Purpose: Processing customer and end-user data to provide conversational AI agents, including text and voice interactions, dynamic UI generation, analytics, and related services

Categories of Data Subjects:

  • Customer's employees and authorized users
  • End-users interacting with Customer's AI agents
  • Customer's customers and prospects

Types of Personal Data:

  • Identification data (names, email addresses, usernames)
  • Conversation data (text transcripts, voice recordings)
  • Technical data (IP addresses, device information, browser data)
  • Usage data (interaction logs, timestamps, feature usage)
  • Contact information and communication preferences
  • Any other data Customer chooses to process through the Services

5. Security Measures

SuprAgent implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

5.1 Technical Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: 24/7 security monitoring and logging
  • Vulnerability Management: Regular security scanning and penetration testing
  • Data Isolation: Logical separation of customer data

5.2 Organizational Measures

  • Employee Training: Regular security and privacy training for all personnel
  • Background Checks: Screening of personnel with access to Personal Data
  • Confidentiality: Binding confidentiality obligations for all personnel
  • Incident Response: Documented procedures for security incident response
  • Business Continuity: Backup and disaster recovery procedures
  • Compliance: SOC 2 Type II certification (in progress)

6. Sub-processors

6.1 Authorization

The Customer provides general authorization for SuprAgent to engage Sub-processors to process Personal Data. SuprAgent will maintain an up-to-date list of Sub-processors on our website.

6.2 Current Sub-processors

Amazon Web Services (AWS)

Service: Cloud infrastructure and hosting

Location: USA, EU (region-specific)

Google Cloud Platform (GCP)

Service: Cloud infrastructure and analytics

Location: USA, EU (region-specific)

Stripe

Service: Payment processing

Location: USA

AI Model Providers (Customer-Selected)

Service: AI inference (OpenAI, Anthropic, etc.)

Location: Varies by provider chosen by Customer

6.3 Sub-processor Obligations

SuprAgent ensures that:

  • Sub-processors are bound by data protection obligations equivalent to this DPA
  • Appropriate contracts are in place with all Sub-processors
  • SuprAgent remains fully liable for Sub-processor performance

6.4 Changes to Sub-processors

SuprAgent will notify the Customer of any intended changes to Sub-processors at least 30 days in advance. If the Customer objects on reasonable data protection grounds, the parties will work together to find a resolution or the Customer may terminate the affected Services.

7. Data Subject Rights

SuprAgent will assist the Customer in fulfilling data subject requests, including:

  • Access: Providing copies of Personal Data
  • Rectification: Correcting inaccurate data
  • Erasure: Deleting Personal Data (right to be forgotten)
  • Restriction: Restricting processing in certain circumstances
  • Portability: Exporting data in machine-readable format
  • Objection: Objecting to certain processing activities

If SuprAgent receives a data subject request directly, we will promptly forward it to the Customer. The Customer is responsible for responding to data subject requests within the legally required timeframes.

8. Data Breach Notification

SuprAgent will:

  • Notify the Customer without undue delay upon becoming aware of a Personal Data breach
  • Provide sufficient information to enable the Customer to meet any obligations to report or notify the breach
  • Include details about the nature of the breach, categories and numbers of data subjects affected, and measures taken
  • Cooperate with the Customer and regulatory authorities in investigating and resolving the breach

Notification will be made to the Customer's designated contact email within 72 hours of SuprAgent becoming aware of the breach.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the EEA. SuprAgent ensures appropriate safeguards are in place:

  • Standard Contractual Clauses: We use EU-approved Standard Contractual Clauses for transfers outside the EEA
  • Adequacy Decisions: We rely on EU adequacy decisions where applicable
  • Data Residency: Enterprise customers can choose data storage locations
  • Self-Hosting: Option to host entirely within Customer's jurisdiction

10. Data Retention and Deletion

10.1 Retention

SuprAgent retains Personal Data only for as long as necessary to provide the Services or as instructed by the Customer. Default retention periods:

  • Conversation data: 30 days (configurable up to 2 years)
  • Account data: Duration of Services plus 90 days
  • Backup data: 30 days

10.2 Deletion

Upon termination or expiration of Services, or upon Customer request, SuprAgent will:

  • Provide the Customer with 30 days to export their data
  • Delete or return all Personal Data as instructed by the Customer
  • Certify deletion upon request
  • Delete data from backups within the standard backup retention period (30 days)

SuprAgent may retain data if required by applicable law, provided such data is kept confidential and processed only for legal compliance purposes.

11. Audits and Compliance

SuprAgent will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits by the Customer or appointed auditor
  • Provide audit reports (e.g., SOC 2) upon request
  • Respond to Customer's reasonable information requests within 30 days

Audit rights may be exercised upon reasonable notice and during regular business hours, subject to confidentiality obligations and reasonable restrictions to protect SuprAgent's infrastructure and other customers' data.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. SuprAgent is liable to the Customer for damages caused by failure to comply with this DPA, subject to such limitations.

SuprAgent will indemnify the Customer against fines imposed by supervisory authorities to the extent such fines result from SuprAgent's breach of its obligations under this DPA.

13. Term and Termination

This DPA remains in effect for as long as SuprAgent processes Personal Data on behalf of the Customer. Upon termination of the Services, the data deletion provisions in Section 10 apply.

14. Governing Law and Jurisdiction

This DPA is governed by the same laws as the Terms of Service. For EEA customers, this DPA is also governed by the data protection laws of the EEA, including GDPR.

15. Contact Information

For DPA-related questions or requests:

Data Protection Officer: support@supragent.ai

Privacy Team: support@supragent.ai

Legal Team: support@supragent.ai

Mailing Address: SuprAgent AI, [Address TBD]

This Data Processing Agreement is effective as of the date you accept the Terms of Service or begin using our Services.