Data Processing Agreement

Classification: Public

Version 1.0
February 2026

Agentys Inc.
Montréal, Québec, Canada

This agreement forms an integral part of the
Agentys Service Agreement
Agentys — Data Processing Agreement
Classification: Public • Version 1.0 • February 2026

Preamble

This Data Processing Agreement ("DPA") is entered into by and between the entity identified as the customer in the applicable Agentys Service Agreement ("Controller" or "Customer") and Agentys Inc., a corporation incorporated under the laws of the Province of Québec, Canada, with its registered office in Montréal, Québec ("Processor" or "Agentys").

This DPA supplements and forms an integral part of the Agentys Service Agreement (the "Service Agreement") executed between the Controller and the Processor, under which Agentys provides AI-powered email management services (the "Services") to the Controller.

This DPA reflects the parties' commitment to abide by applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), Québec's Act Respecting the Protection of Personal Information in the Private Sector ("Loi 25"), and any other applicable data protection legislation (collectively, "Data Protection Laws").

In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the processing and protection of Personal Data.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Service Agreement or the applicable Data Protection Laws.

1.1 “Controller”

means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Controller is the Customer.

1.2 “Processor”

means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor is Agentys Inc.

1.3 “Sub-processor”

means any third party engaged by the Processor (or by any other Sub-processor of the Processor) to Process Personal Data on behalf of the Controller in connection with the Services.

1.4 “Personal Data”

means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR, that is Processed by the Processor on behalf of the Controller in the performance of the Services.

1.5 “Processing” (and “Process”)

means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.

1.6 “Data Subject”

means the identified or identifiable natural person to whom the Personal Data relates.

1.7 “Personal Data Breach”

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed, as defined in Article 4(12) of the GDPR.

1.8 “Standard Contractual Clauses” (“SCCs”)

means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, replaced, or superseded from time to time.

1.9 “Supervisory Authority”

means an independent public authority established by an EU or EEA Member State pursuant to Article 51 of the GDPR, or any equivalent regulatory authority under applicable Data Protection Laws.

1.10 “Technical and Organizational Measures”

means the technical and organizational security measures described in Annex II to this DPA, as updated from time to time in accordance with Section 10 of this DPA.

2. Scope and Purpose

2.1 Scope

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services under the Service Agreement. This DPA governs the rights and obligations of each party with respect to the Processing and security of Personal Data.

2.2 Purpose of Processing

The Processor shall Process Personal Data solely for the following purposes:

  1. Providing the AI email management Services as described in the Service Agreement, including email analysis, categorization, draft generation, priority scoring, and calendar integration;
  2. Performing technical operations necessary for the delivery, maintenance, and improvement of the Services;
  3. Complying with applicable laws, regulations, and lawful requests from competent authorities; and
  4. Any other purpose expressly authorized in writing by the Controller.

2.3 Types of Data Processed

The Personal Data Processed under this DPA includes, but is not limited to:

A detailed description of the Processing activities is set forth in Annex I to this DPA.

2.4 Lawful Basis

The Controller warrants that it has a valid legal basis under applicable Data Protection Laws for the Processing of Personal Data as described in this DPA, and that it has provided all necessary notices and obtained all necessary consents or authorizations from Data Subjects, as required by applicable law.

3. Duration of Processing

3.1 Term

The Processor shall Process Personal Data for the duration of the Service Agreement, unless otherwise agreed in writing by the parties or required by applicable law.

3.2 Post-Termination

Upon termination or expiration of the Service Agreement, the Processor shall, at the Controller's election:

  1. Return all Personal Data to the Controller in a commonly used, machine-readable format within thirty (30) calendar days of receiving a written request; or
  2. Delete all Personal Data, including all existing copies, within thirty (30) calendar days of termination, unless applicable law requires continued storage.

If the Controller does not provide instructions within fifteen (15) calendar days of termination, the Processor shall securely delete all Personal Data in accordance with paragraph (b) above.

3.3 Certification of Deletion

Upon request by the Controller, the Processor shall provide a written certification confirming the deletion of all Personal Data, signed by an authorized representative of the Processor.

4. Nature and Purpose of Processing

4.1 Processing Activities

The Processor performs the following Processing activities in the course of providing the Services:

4.1.1 Email Analysis and Categorization

The Processor employs artificial intelligence and natural language processing techniques to analyze incoming and outgoing email communications. This includes automatic classification of emails by topic, urgency, sender relationship, and actionability. The Processing is conducted through automated means with the objective of organizing the Controller's email communications.

4.1.2 AI-Powered Draft Generation

The Processor utilizes large language models to generate suggested email responses and draft compositions based on the content, context, and historical patterns of the Controller's email correspondence. Draft suggestions are presented to the end user for review and approval prior to sending.

4.1.3 Priority Scoring and Sorting

The Processor assigns priority scores to incoming emails based on configurable criteria including sender importance, content urgency, deadline proximity, and historical interaction patterns. This Processing enables intelligent sorting and notification prioritization.

4.1.4 Calendar Integration

The Processor extracts scheduling-related information from email content, including proposed meeting times, deadlines, and event details, to facilitate integration with the Controller's calendar systems. This Processing involves parsing temporal references and coordinating availability data.

4.2 No Autonomous Decision-Making

The Processor shall not use Personal Data for automated decision-making that produces legal effects or similarly significant effects on Data Subjects within the meaning of Article 22 of the GDPR, unless expressly instructed by the Controller and where appropriate safeguards are in place.

5. Types of Personal Data Processed

The following categories of Personal Data are Processed by the Processor in the performance of the Services:

Category Description Retention Basis
Email Content Message body text, subject lines, inline images, and file attachments Duration of Service Agreement
Email Metadata Sender and recipient email addresses, display names, timestamps (sent, received, read), message-IDs, threading references, and mail headers Duration of Service Agreement
Contact Information Names, email addresses, phone numbers, job titles, and organizational affiliations as derived from email correspondence Duration of Service Agreement
User Preferences & Settings Account configuration, notification preferences, filter rules, priority settings, language and timezone preferences Duration of Service Agreement
Usage Analytics Aggregated and pseudonymized metrics including feature usage frequency, response time patterns, and service interaction logs Up to 24 months in aggregated form
Note: The Processor does not intentionally collect or Process special categories of Personal Data (Article 9 of the GDPR) or Personal Data relating to criminal convictions and offences (Article 10 of the GDPR). Should such data be incidentally contained within email content, the Controller acknowledges that the Processor's standard security measures shall apply.

6. Categories of Data Subjects

The Personal Data Processed under this DPA relates to the following categories of Data Subjects:

6.1 Customer’s Employees and Team Members

Individuals employed by or otherwise engaged by the Controller who are authorized users of the Services, including their email communications, account settings, and usage data.

6.2 Customer’s Email Correspondents

Natural persons who send emails to, or receive emails from, the Controller's authorized users, whose Personal Data is incidentally Processed as part of the email content and metadata.

6.3 Customer’s Clients and Business Contacts

Natural persons who are clients, suppliers, partners, or other business contacts of the Controller, whose contact information and communication data is Processed in the course of the Services.

6.4 Other Data Subjects

Any other natural person whose Personal Data is contained within the email communications Processed by the Services, including but not limited to third-party individuals referenced or copied in email correspondence.

7. Obligations of the Processor

7.1 Processing on Documented Instructions

The Processor shall Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR).

7.2 Confidentiality

The Processor shall ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR). The Processor shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Services.

7.3 Security of Processing

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Such measures are described in Annex II to this DPA and include, inter alia:

  1. The pseudonymization and encryption of Personal Data;
  2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
  3. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

7.4 Assistance with Data Subject Rights

The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR (Article 28(3)(e) GDPR). This includes, but is not limited to, the rights of access, rectification, erasure, restriction, data portability, and objection.

7.5 Assistance with Security and Compliance Obligations

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor (Article 28(3)(f) GDPR). This includes assistance with:

  1. Implementing appropriate security measures;
  2. Notifying Personal Data Breaches to the Supervisory Authority and affected Data Subjects;
  3. Conducting data protection impact assessments; and
  4. Prior consultation with Supervisory Authorities where required.

7.6 Deletion or Return of Data

At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services, and shall delete existing copies unless applicable law requires storage of the Personal Data (Article 28(3)(g) GDPR). The specific terms for deletion and return are set forth in Section 3.2 of this DPA.

7.7 Audit and Compliance Information

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR). The specific terms governing audits are set forth in Section 13 of this DPA.

7.8 Notification of Infringement

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable Data Protection Laws (Article 28(3), second subparagraph, GDPR).

8. Sub-processing

8.1 General Authorization

The Controller provides a general written authorization to the Processor to engage Sub-processors for the Processing of Personal Data in connection with the Services, subject to the conditions set forth in this Section 8 (Article 28(2) GDPR).

8.2 Notice of Changes

The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) calendar days in advance, thereby giving the Controller the opportunity to object to such changes (Article 28(2) GDPR). Notifications shall be sent to the email address designated by the Controller in the Service Agreement.

8.3 Right to Object

If the Controller objects to the appointment of a new Sub-processor on reasonable grounds relating to the protection of Personal Data, the parties shall discuss the Controller's concerns in good faith with a view to achieving a resolution. If no resolution can be reached within fifteen (15) calendar days, the Controller may terminate the affected Services without penalty by providing written notice.

8.4 Obligations Imposed on Sub-processors

Where the Processor engages a Sub-processor, the Processor shall:

  1. Impose on the Sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures (Article 28(4) GDPR);
  2. Remain fully liable to the Controller for the performance of the Sub-processor's obligations; and
  3. Conduct appropriate due diligence to ensure the Sub-processor is capable of providing the level of protection for Personal Data required by this DPA.

8.5 Current Sub-processors

The current list of authorized Sub-processors is set forth in Annex III to this DPA and is also available at agentys.io/docs/sub-processor-list.html. The Controller acknowledges and approves the Sub-processors listed therein as of the effective date of this DPA.

9. Data Subject Rights

9.1 Assistance to the Controller

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including but not limited to:

  1. Right of access (Article 15 GDPR) — providing copies of Personal Data being Processed;
  2. Right to rectification (Article 16 GDPR) — correcting inaccurate Personal Data;
  3. Right to erasure (Article 17 GDPR) — deleting Personal Data where applicable;
  4. Right to restriction of Processing (Article 18 GDPR) — restricting Processing activities;
  5. Right to data portability (Article 20 GDPR) — providing Personal Data in a structured, commonly used, machine-readable format; and
  6. Right to object (Article 21 GDPR) — ceasing Processing where the Data Subject objects.

9.2 Notification of Direct Requests

If the Processor receives a request directly from a Data Subject regarding the Processing of their Personal Data, the Processor shall promptly, and in any event within forty-eight (48) hours, notify the Controller and shall not respond to such request without the Controller's prior written instructions, unless required by applicable law.

9.3 Technical Measures

The Processor shall implement appropriate technical measures to enable the Controller to fulfil Data Subject requests, including:

  1. Search and retrieval capabilities across all data stores containing Personal Data;
  2. Secure data export functionality in commonly used formats (CSV, JSON);
  3. Granular deletion capabilities allowing targeted removal of specific Personal Data; and
  4. Audit logging of all Data Subject request actions for accountability purposes.

10. Security Measures

10.1 General Obligation

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure. Such measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (Article 32 GDPR).

10.2 Specific Measures

Without limiting the generality of Section 10.1, the Processor shall implement at minimum the security measures described in Annex II to this DPA, including:

10.2.1 Encryption

10.2.2 Access Control

10.2.3 Network Security

10.2.4 Incident Response

10.3 Updates to Security Measures

The Processor may update the Technical and Organizational Measures from time to time, provided that such updates do not materially decrease the overall level of security of the Services. The Processor shall inform the Controller of any material changes to the security measures.

11. Data Breach Notification

11.1 Notification Obligation

The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Controller (Article 33(2) GDPR).

11.2 Content of Notification

The notification shall include, to the extent known or reasonably ascertainable:

  1. A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  2. The name and contact details of the Processor's data protection officer or other contact point where more information can be obtained;
  3. A description of the likely consequences of the Personal Data Breach;
  4. A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
  5. A timeline of events, including the date on which the breach was discovered and the date on which the Processor became aware of it.

11.3 Ongoing Cooperation

Where, and insofar as, it is not possible to provide all information at the time of the initial notification, the Processor shall provide the information in phases without further undue delay as additional information becomes available. The Processor shall cooperate with the Controller and take reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of the Personal Data Breach.

11.4 Record Keeping

The Processor shall document all Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects, and the remedial action taken, and shall make such documentation available to the Controller upon request (Article 33(5) GDPR).

11.5 No Public Notification

The Processor shall not inform any third party, including any Supervisory Authority, of a Personal Data Breach without the prior written authorization of the Controller, unless required by applicable law.

12. International Data Transfers

12.1 General Principle

The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA") or to an international organization unless appropriate safeguards are in place in accordance with Chapter V of the GDPR.

12.2 Transfer Mechanisms

Where international transfers of Personal Data are necessary for the provision of the Services, the Processor shall ensure that such transfers are subject to appropriate safeguards, including:

  1. Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection pursuant to Article 45 of the GDPR (including, as applicable, Canada under the PIPEDA adequacy decision);
  2. Standard Contractual Clauses: The Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission, which are incorporated by reference into this DPA and shall apply to any transfer of Personal Data to a third country not covered by an adequacy decision; or
  3. Other Safeguards: Any other transfer mechanism approved under applicable Data Protection Laws, including binding corporate rules, codes of conduct, or certification mechanisms.

12.3 Data Residency

The primary processing location for Personal Data is Canada. The Processor also maintains infrastructure in the United States and the European Union. The Controller may specify a preferred data residency region, subject to availability and the terms of the Service Agreement.

Region Primary Location Transfer Mechanism
Canada (Default) Montréal, QC EU Adequacy Decision (PIPEDA)
United States Virginia, US Standard Contractual Clauses (Module 2)
European Union Frankfurt, DE No transfer mechanism required

12.4 Transfer Impact Assessment

Where required, the Processor shall cooperate with the Controller in conducting a transfer impact assessment to evaluate whether the laws of the destination country ensure an essentially equivalent level of protection for Personal Data, and to identify and implement supplementary measures where necessary.

13. Audit Rights

13.1 Right to Audit

The Controller, or an independent third-party auditor appointed by the Controller, shall have the right to audit the Processor's compliance with this DPA, including by conducting inspections of the Processor's facilities, systems, and records, subject to the conditions set forth in this Section 13.

13.2 Frequency

The Controller may exercise its audit rights under this Section once per calendar year, unless a Personal Data Breach has occurred or the Controller has reasonable grounds to believe that the Processor is in material breach of this DPA, in which case additional audits may be conducted.

13.3 Notice

The Controller shall provide the Processor with at least thirty (30) calendar days' prior written notice of any audit. The notice shall specify the scope, duration, and start date of the audit.

13.4 Conduct of Audits

Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations. The Controller's auditor shall comply with the Processor's reasonable security and confidentiality requirements.

13.5 SOC 2 Reports

The Processor may satisfy the Controller's audit request by providing a current SOC 2 Type II audit report (or equivalent certification) conducted by an independent, qualified third-party auditor, provided that:

  1. The report is not more than twelve (12) months old;
  2. The report covers the systems and processes relevant to the Processing of Personal Data under this DPA; and
  3. There are no material findings that have not been remediated.

The Controller may nevertheless require an on-site audit if it reasonably determines that the SOC 2 report is insufficient to verify compliance.

13.6 Costs

Each party shall bear its own costs in connection with any audit. If an audit reveals a material breach of this DPA by the Processor, the Processor shall bear the reasonable costs of the audit.

14. Term and Termination

14.1 Term

This DPA shall become effective on the date of the last signature below (or, if incorporated by reference into the Service Agreement, on the effective date of the Service Agreement) and shall remain in force for the duration of the Service Agreement, and thereafter until all Personal Data has been deleted or returned in accordance with Section 3 of this DPA.

14.2 Termination for Breach

Either party may terminate this DPA upon written notice if the other party is in material breach of this DPA and fails to cure such breach within thirty (30) calendar days of receiving written notice specifying the breach.

14.3 Effect of Termination

Upon termination of this DPA:

  1. The Processor shall cease all Processing of Personal Data, except as necessary for the deletion or return of data in accordance with Section 3;
  2. The Processor shall comply with the data deletion or return obligations set forth in Section 3.2;
  3. Sections 7.2 (Confidentiality), 11 (Data Breach Notification), 13 (Audit Rights), and 14.3 (Effect of Termination) shall survive termination of this DPA; and
  4. The Processor shall provide the certification of deletion referenced in Section 3.3, upon the Controller's request.

14.4 Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Service Agreement, to the extent permitted by applicable law. Nothing in this DPA shall limit the liability of either party for breaches of applicable Data Protection Laws.

15. General Provisions

15.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Province of Québec and the federal laws of Canada applicable therein, without regard to conflict of laws principles. For Data Subjects located in the European Economic Area, the applicable provisions of the GDPR shall take precedence.

15.2 Amendments

This DPA may not be amended except by a written instrument signed by authorized representatives of both parties. Notwithstanding the foregoing, the Processor may update the Annexes to this DPA from time to time to reflect changes in Sub-processors (subject to Section 8) or improvements to Technical and Organizational Measures (subject to Section 10.3).

15.3 Entire Agreement

This DPA, together with the Service Agreement and any Annexes hereto, constitutes the entire agreement between the parties with respect to the Processing and protection of Personal Data, and supersedes all prior or contemporaneous understandings, agreements, negotiations, and discussions, whether oral or written.

15.4 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired thereby, and such provision shall be reformed to the minimum extent necessary to render it valid and enforceable.

15.5 No Waiver

The failure of either party to enforce any provision of this DPA shall not constitute a waiver of such party's right to enforce that provision or any other provision of this DPA at a later time.

15.6 Notices

All notices under this DPA shall be in writing and shall be deemed given when delivered personally, sent by confirmed email, or sent by recognized overnight courier to the addresses specified in the Service Agreement.

Execution

IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the date last signed below.

CONTROLLER (Customer)

Signature
Name
Title
Date

PROCESSOR (Agentys Inc.)

Signature
Name
Title
Date
Annex I — Details of Processing

This Annex forms part of the DPA and describes the details of the Processing of Personal Data carried out by the Processor on behalf of the Controller.

A. List of Parties

Role Details
Data Exporter (Controller) The entity identified as the Customer in the Service Agreement. The Controller determines the purposes and means of Processing Personal Data through the Services.
Data Importer (Processor) Agentys Inc., a Québec corporation. The Processor provides AI-powered email management services and Processes Personal Data on behalf of the Controller as described in this DPA.

B. Description of Processing

Element Description
Subject Matter Processing of Personal Data in connection with the Processor's provision of AI-powered email management services to the Controller under the Service Agreement.
Duration For the term of the Service Agreement, plus the post-termination period required for data deletion or return (up to 30 calendar days).
Nature of Processing Collection, storage, organization, retrieval, consultation, use (including AI analysis), alignment, combination, restriction, erasure, and destruction of Personal Data.
Purpose of Processing Email analysis and categorization; AI-powered draft generation; priority scoring and sorting; calendar integration; service delivery and maintenance; compliance with applicable laws.
Categories of Data Subjects Controller's employees and team members; email correspondents; clients and business contacts; other individuals referenced in email communications.
Types of Personal Data Email content (body, subject, attachments); email metadata (sender, recipient, timestamps); contact information (names, email addresses, phone numbers); user preferences and settings; aggregated usage analytics.
Sensitive Data Not intentionally Processed. If incidentally contained in email content, standard security measures apply. No special category data is targeted for Processing.
Frequency of Transfer Continuous, real-time Processing in connection with the ongoing provision of the Services.
Retention Period Duration of the Service Agreement. Personal Data is deleted within 30 calendar days of termination. Aggregated analytics may be retained for up to 24 months.

C. Competent Supervisory Authority

The competent Supervisory Authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. For Controllers established in the EU/EEA, the Supervisory Authority of the Member State in which the Controller is established shall serve as the competent authority. For Controllers outside the EU/EEA, the Commission nationale de l'informatique et des libertés (CNIL) of France shall serve as the competent Supervisory Authority, unless otherwise specified.

Annex II — Technical and Organizational Security Measures

This Annex describes the technical and organizational security measures implemented by the Processor to protect Personal Data in accordance with Article 32 of the GDPR and Section 10 of this DPA.

1. Encryption

Measure Implementation
Encryption at Rest All Personal Data stored in databases, file systems, and backups is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic key rotation every 90 days.
Encryption in Transit All data transmitted between the Controller and the Processor's systems, and between internal services, is encrypted using TLS 1.3. Older TLS versions (1.0 and 1.1) are disabled. Certificate pinning is implemented for critical API endpoints.
Key Management Encryption keys are stored in a hardware security module (HSM) certified to FIPS 140-2 Level 3. Key access is restricted to authorized security personnel and automated processes only.

2. Access Control and Authentication

Measure Implementation
Role-Based Access Control Access to Personal Data is governed by RBAC policies enforcing the principle of least privilege. Access permissions are reviewed quarterly and adjusted based on role changes.
Multi-Factor Authentication MFA is mandatory for all employee access to production systems, administrative consoles, and customer data. FIDO2/WebAuthn hardware keys are required for privileged access.
Identity Management Centralized identity management with single sign-on (SSO). Accounts are provisioned and deprovisioned through automated workflows tied to HR systems. Dormant accounts are disabled after 30 days of inactivity.
Privileged Access Management Administrative access to production systems requires just-in-time (JIT) access provisioning with mandatory approval workflows and time-limited sessions. All privileged actions are logged and audited.

3. Network Security and Monitoring

Measure Implementation
Network Segmentation Production environments are logically isolated from development and staging environments. Customer data is further segmented using virtual private clouds (VPCs) with strict ingress and egress controls.
Firewall Protection Web application firewalls (WAF) and network firewalls are deployed at all network boundaries. Firewall rules are reviewed monthly and follow a default-deny policy.
Intrusion Detection IDS/IPS systems monitor network traffic for anomalous activity. Alerts are escalated to the security operations center (SOC) for investigation within defined SLAs.
Logging and Monitoring Comprehensive logging of all access to Personal Data, administrative actions, and security events. Logs are retained for a minimum of 12 months and are tamper-protected. Security information and event management (SIEM) provides real-time correlation and alerting.

4. Incident Detection and Response

Measure Implementation
Incident Response Plan A documented incident response plan defines roles, responsibilities, communication protocols, and escalation procedures. The plan is reviewed and updated at least annually.
24/7 SOC A dedicated security operations center provides continuous monitoring and first-line incident response. Critical security alerts are triaged within 15 minutes.
Tabletop Exercises Incident response tabletop exercises are conducted at least twice per year, simulating various breach scenarios including data exfiltration, ransomware, and insider threats.
Vulnerability Management Automated vulnerability scanning of all production systems is performed weekly. Critical vulnerabilities are remediated within 72 hours. Annual penetration testing is conducted by qualified third-party assessors.

5. Business Continuity and Disaster Recovery

Measure Implementation
Backup and Recovery Personal Data is backed up daily with encrypted backups stored in a geographically separate location. Recovery point objective (RPO): 24 hours. Recovery time objective (RTO): 4 hours.
Redundancy Production systems are deployed across multiple availability zones with automatic failover. Database replication ensures high availability with synchronous replication.
Disaster Recovery Testing Full disaster recovery drills are conducted at least annually. Backup restoration is tested quarterly to verify data integrity and recovery procedures.

6. Employee Training and Awareness

Measure Implementation
Security Training All employees complete mandatory security awareness training upon hire and annually thereafter. Training covers data protection principles, phishing recognition, secure coding practices, and incident reporting.
Confidentiality Agreements All employees and contractors are required to execute confidentiality and non-disclosure agreements prior to accessing any Personal Data or production systems.
Background Checks Background verification checks are conducted for all employees with access to Personal Data, in accordance with applicable laws and proportionality principles.
Phishing Simulations Regular phishing simulation exercises are conducted to assess and reinforce employee awareness. Results are tracked and additional training is provided where necessary.

7. Physical Security

Measure Implementation
Data Center Security All data centers used by the Processor are SOC 2 Type II and ISO 27001 certified. Physical access is controlled by biometric authentication, CCTV surveillance, and 24/7 security personnel.
Environmental Controls Data centers are equipped with redundant power supplies (UPS and generators), climate control systems, fire detection and suppression systems, and water leak detection.
Media Handling Decommissioned storage media is securely destroyed using NIST 800-88 compliant methods. Certificates of destruction are retained for audit purposes.
Annex III — List of Sub-processors

This Annex lists the Sub-processors authorized by the Controller as of the effective date of this DPA. The Processor shall maintain a current version of this list at agentys.io/docs/sub-processor-list.html.

Sub-processor Purpose of Processing Location Transfer Mechanism Security Certifications
Amazon Web Services (AWS) Cloud infrastructure hosting, compute, storage, and database services Canada (ca-central-1), US, EU EU Adequacy Decision (Canada); SCCs (US) SOC 2, ISO 27001, ISO 27017, ISO 27018
OpenAI Large language model inference for email analysis, categorization, and draft generation United States Standard Contractual Clauses (Module 2) SOC 2 Type II
Supabase Database management, authentication, and real-time data synchronization United States Standard Contractual Clauses (Module 2) SOC 2 Type II
Stripe Payment processing and billing management (no email content data shared) United States, Ireland SCCs; EU Adequacy Decision (Ireland) PCI DSS Level 1, SOC 2
Postmark (ActiveCampaign) Transactional email delivery for service notifications United States Standard Contractual Clauses (Module 2) SOC 2 Type II
Note: The Controller has been informed of and has approved the engagement of the Sub-processors listed above as of the effective date of this DPA. Changes to this list are subject to the notification and objection procedures described in Section 8 of this DPA.

— End of Data Processing Agreement —