This Data Processing Agreement ("DPA") is entered into by and between the entity identified as the customer in the applicable Agentys Service Agreement ("Controller" or "Customer") and Agentys Inc., a corporation incorporated under the laws of the Province of Québec, Canada, with its registered office in Montréal, Québec ("Processor" or "Agentys").
This DPA supplements and forms an integral part of the Agentys Service Agreement (the "Service Agreement") executed between the Controller and the Processor, under which Agentys provides AI-powered email management services (the "Services") to the Controller.
This DPA reflects the parties' commitment to abide by applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), Québec's Act Respecting the Protection of Personal Information in the Private Sector ("Loi 25"), and any other applicable data protection legislation (collectively, "Data Protection Laws").
In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the processing and protection of Personal Data.
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Service Agreement or the applicable Data Protection Laws.
1.1 “Controller”
means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Controller is the Customer.
1.2 “Processor”
means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor is Agentys Inc.
1.3 “Sub-processor”
means any third party engaged by the Processor (or by any other Sub-processor of the Processor) to Process Personal Data on behalf of the Controller in connection with the Services.
1.4 “Personal Data”
means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR, that is Processed by the Processor on behalf of the Controller in the performance of the Services.
1.5 “Processing” (and “Process”)
means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.
1.6 “Data Subject”
means the identified or identifiable natural person to whom the Personal Data relates.
1.7 “Personal Data Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed, as defined in Article 4(12) of the GDPR.
1.8 “Standard Contractual Clauses” (“SCCs”)
means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, replaced, or superseded from time to time.
1.9 “Supervisory Authority”
means an independent public authority established by an EU or EEA Member State pursuant to Article 51 of the GDPR, or any equivalent regulatory authority under applicable Data Protection Laws.
1.10 “Technical and Organizational Measures”
means the technical and organizational security measures described in Annex II to this DPA, as updated from time to time in accordance with Section 10 of this DPA.
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services under the Service Agreement. This DPA governs the rights and obligations of each party with respect to the Processing and security of Personal Data.
The Processor shall Process Personal Data solely for the following purposes:
The Personal Data Processed under this DPA includes, but is not limited to:
A detailed description of the Processing activities is set forth in Annex I to this DPA.
The Controller warrants that it has a valid legal basis under applicable Data Protection Laws for the Processing of Personal Data as described in this DPA, and that it has provided all necessary notices and obtained all necessary consents or authorizations from Data Subjects, as required by applicable law.
The Processor shall Process Personal Data for the duration of the Service Agreement, unless otherwise agreed in writing by the parties or required by applicable law.
Upon termination or expiration of the Service Agreement, the Processor shall, at the Controller's election:
If the Controller does not provide instructions within fifteen (15) calendar days of termination, the Processor shall securely delete all Personal Data in accordance with paragraph (b) above.
Upon request by the Controller, the Processor shall provide a written certification confirming the deletion of all Personal Data, signed by an authorized representative of the Processor.
The Processor performs the following Processing activities in the course of providing the Services:
The Processor employs artificial intelligence and natural language processing techniques to analyze incoming and outgoing email communications. This includes automatic classification of emails by topic, urgency, sender relationship, and actionability. The Processing is conducted through automated means with the objective of organizing the Controller's email communications.
The Processor utilizes large language models to generate suggested email responses and draft compositions based on the content, context, and historical patterns of the Controller's email correspondence. Draft suggestions are presented to the end user for review and approval prior to sending.
The Processor assigns priority scores to incoming emails based on configurable criteria including sender importance, content urgency, deadline proximity, and historical interaction patterns. This Processing enables intelligent sorting and notification prioritization.
The Processor extracts scheduling-related information from email content, including proposed meeting times, deadlines, and event details, to facilitate integration with the Controller's calendar systems. This Processing involves parsing temporal references and coordinating availability data.
The Processor shall not use Personal Data for automated decision-making that produces legal effects or similarly significant effects on Data Subjects within the meaning of Article 22 of the GDPR, unless expressly instructed by the Controller and where appropriate safeguards are in place.
The following categories of Personal Data are Processed by the Processor in the performance of the Services:
| Category | Description | Retention Basis |
|---|---|---|
| Email Content | Message body text, subject lines, inline images, and file attachments | Duration of Service Agreement |
| Email Metadata | Sender and recipient email addresses, display names, timestamps (sent, received, read), message-IDs, threading references, and mail headers | Duration of Service Agreement |
| Contact Information | Names, email addresses, phone numbers, job titles, and organizational affiliations as derived from email correspondence | Duration of Service Agreement |
| User Preferences & Settings | Account configuration, notification preferences, filter rules, priority settings, language and timezone preferences | Duration of Service Agreement |
| Usage Analytics | Aggregated and pseudonymized metrics including feature usage frequency, response time patterns, and service interaction logs | Up to 24 months in aggregated form |
The Personal Data Processed under this DPA relates to the following categories of Data Subjects:
Individuals employed by or otherwise engaged by the Controller who are authorized users of the Services, including their email communications, account settings, and usage data.
Natural persons who send emails to, or receive emails from, the Controller's authorized users, whose Personal Data is incidentally Processed as part of the email content and metadata.
Natural persons who are clients, suppliers, partners, or other business contacts of the Controller, whose contact information and communication data is Processed in the course of the Services.
Any other natural person whose Personal Data is contained within the email communications Processed by the Services, including but not limited to third-party individuals referenced or copied in email correspondence.
The Processor shall Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR).
The Processor shall ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR). The Processor shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Services.
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Such measures are described in Annex II to this DPA and include, inter alia:
The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR (Article 28(3)(e) GDPR). This includes, but is not limited to, the rights of access, rectification, erasure, restriction, data portability, and objection.
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor (Article 28(3)(f) GDPR). This includes assistance with:
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services, and shall delete existing copies unless applicable law requires storage of the Personal Data (Article 28(3)(g) GDPR). The specific terms for deletion and return are set forth in Section 3.2 of this DPA.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR). The specific terms governing audits are set forth in Section 13 of this DPA.
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable Data Protection Laws (Article 28(3), second subparagraph, GDPR).
The Controller provides a general written authorization to the Processor to engage Sub-processors for the Processing of Personal Data in connection with the Services, subject to the conditions set forth in this Section 8 (Article 28(2) GDPR).
The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) calendar days in advance, thereby giving the Controller the opportunity to object to such changes (Article 28(2) GDPR). Notifications shall be sent to the email address designated by the Controller in the Service Agreement.
If the Controller objects to the appointment of a new Sub-processor on reasonable grounds relating to the protection of Personal Data, the parties shall discuss the Controller's concerns in good faith with a view to achieving a resolution. If no resolution can be reached within fifteen (15) calendar days, the Controller may terminate the affected Services without penalty by providing written notice.
Where the Processor engages a Sub-processor, the Processor shall:
The current list of authorized Sub-processors is set forth in Annex III to this DPA and is also available at agentys.io/docs/sub-processor-list.html. The Controller acknowledges and approves the Sub-processors listed therein as of the effective date of this DPA.
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including but not limited to:
If the Processor receives a request directly from a Data Subject regarding the Processing of their Personal Data, the Processor shall promptly, and in any event within forty-eight (48) hours, notify the Controller and shall not respond to such request without the Controller's prior written instructions, unless required by applicable law.
The Processor shall implement appropriate technical measures to enable the Controller to fulfil Data Subject requests, including:
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure. Such measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (Article 32 GDPR).
Without limiting the generality of Section 10.1, the Processor shall implement at minimum the security measures described in Annex II to this DPA, including:
The Processor may update the Technical and Organizational Measures from time to time, provided that such updates do not materially decrease the overall level of security of the Services. The Processor shall inform the Controller of any material changes to the security measures.
The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Controller (Article 33(2) GDPR).
The notification shall include, to the extent known or reasonably ascertainable:
Where, and insofar as, it is not possible to provide all information at the time of the initial notification, the Processor shall provide the information in phases without further undue delay as additional information becomes available. The Processor shall cooperate with the Controller and take reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
The Processor shall document all Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects, and the remedial action taken, and shall make such documentation available to the Controller upon request (Article 33(5) GDPR).
The Processor shall not inform any third party, including any Supervisory Authority, of a Personal Data Breach without the prior written authorization of the Controller, unless required by applicable law.
The Processor shall not transfer Personal Data to a country outside the European Economic Area ("EEA") or to an international organization unless appropriate safeguards are in place in accordance with Chapter V of the GDPR.
Where international transfers of Personal Data are necessary for the provision of the Services, the Processor shall ensure that such transfers are subject to appropriate safeguards, including:
The primary processing location for Personal Data is Canada. The Processor also maintains infrastructure in the United States and the European Union. The Controller may specify a preferred data residency region, subject to availability and the terms of the Service Agreement.
| Region | Primary Location | Transfer Mechanism |
|---|---|---|
| Canada (Default) | Montréal, QC | EU Adequacy Decision (PIPEDA) |
| United States | Virginia, US | Standard Contractual Clauses (Module 2) |
| European Union | Frankfurt, DE | No transfer mechanism required |
Where required, the Processor shall cooperate with the Controller in conducting a transfer impact assessment to evaluate whether the laws of the destination country ensure an essentially equivalent level of protection for Personal Data, and to identify and implement supplementary measures where necessary.
The Controller, or an independent third-party auditor appointed by the Controller, shall have the right to audit the Processor's compliance with this DPA, including by conducting inspections of the Processor's facilities, systems, and records, subject to the conditions set forth in this Section 13.
The Controller may exercise its audit rights under this Section once per calendar year, unless a Personal Data Breach has occurred or the Controller has reasonable grounds to believe that the Processor is in material breach of this DPA, in which case additional audits may be conducted.
The Controller shall provide the Processor with at least thirty (30) calendar days' prior written notice of any audit. The notice shall specify the scope, duration, and start date of the audit.
Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations. The Controller's auditor shall comply with the Processor's reasonable security and confidentiality requirements.
The Processor may satisfy the Controller's audit request by providing a current SOC 2 Type II audit report (or equivalent certification) conducted by an independent, qualified third-party auditor, provided that:
The Controller may nevertheless require an on-site audit if it reasonably determines that the SOC 2 report is insufficient to verify compliance.
Each party shall bear its own costs in connection with any audit. If an audit reveals a material breach of this DPA by the Processor, the Processor shall bear the reasonable costs of the audit.
This DPA shall become effective on the date of the last signature below (or, if incorporated by reference into the Service Agreement, on the effective date of the Service Agreement) and shall remain in force for the duration of the Service Agreement, and thereafter until all Personal Data has been deleted or returned in accordance with Section 3 of this DPA.
Either party may terminate this DPA upon written notice if the other party is in material breach of this DPA and fails to cure such breach within thirty (30) calendar days of receiving written notice specifying the breach.
Upon termination of this DPA:
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Service Agreement, to the extent permitted by applicable law. Nothing in this DPA shall limit the liability of either party for breaches of applicable Data Protection Laws.
This DPA shall be governed by and construed in accordance with the laws of the Province of Québec and the federal laws of Canada applicable therein, without regard to conflict of laws principles. For Data Subjects located in the European Economic Area, the applicable provisions of the GDPR shall take precedence.
This DPA may not be amended except by a written instrument signed by authorized representatives of both parties. Notwithstanding the foregoing, the Processor may update the Annexes to this DPA from time to time to reflect changes in Sub-processors (subject to Section 8) or improvements to Technical and Organizational Measures (subject to Section 10.3).
This DPA, together with the Service Agreement and any Annexes hereto, constitutes the entire agreement between the parties with respect to the Processing and protection of Personal Data, and supersedes all prior or contemporaneous understandings, agreements, negotiations, and discussions, whether oral or written.
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired thereby, and such provision shall be reformed to the minimum extent necessary to render it valid and enforceable.
The failure of either party to enforce any provision of this DPA shall not constitute a waiver of such party's right to enforce that provision or any other provision of this DPA at a later time.
All notices under this DPA shall be in writing and shall be deemed given when delivered personally, sent by confirmed email, or sent by recognized overnight courier to the addresses specified in the Service Agreement.
IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the date last signed below.
This Annex forms part of the DPA and describes the details of the Processing of Personal Data carried out by the Processor on behalf of the Controller.
| Role | Details |
|---|---|
| Data Exporter (Controller) | The entity identified as the Customer in the Service Agreement. The Controller determines the purposes and means of Processing Personal Data through the Services. |
| Data Importer (Processor) | Agentys Inc., a Québec corporation. The Processor provides AI-powered email management services and Processes Personal Data on behalf of the Controller as described in this DPA. |
| Element | Description |
|---|---|
| Subject Matter | Processing of Personal Data in connection with the Processor's provision of AI-powered email management services to the Controller under the Service Agreement. |
| Duration | For the term of the Service Agreement, plus the post-termination period required for data deletion or return (up to 30 calendar days). |
| Nature of Processing | Collection, storage, organization, retrieval, consultation, use (including AI analysis), alignment, combination, restriction, erasure, and destruction of Personal Data. |
| Purpose of Processing | Email analysis and categorization; AI-powered draft generation; priority scoring and sorting; calendar integration; service delivery and maintenance; compliance with applicable laws. |
| Categories of Data Subjects | Controller's employees and team members; email correspondents; clients and business contacts; other individuals referenced in email communications. |
| Types of Personal Data | Email content (body, subject, attachments); email metadata (sender, recipient, timestamps); contact information (names, email addresses, phone numbers); user preferences and settings; aggregated usage analytics. |
| Sensitive Data | Not intentionally Processed. If incidentally contained in email content, standard security measures apply. No special category data is targeted for Processing. |
| Frequency of Transfer | Continuous, real-time Processing in connection with the ongoing provision of the Services. |
| Retention Period | Duration of the Service Agreement. Personal Data is deleted within 30 calendar days of termination. Aggregated analytics may be retained for up to 24 months. |
The competent Supervisory Authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. For Controllers established in the EU/EEA, the Supervisory Authority of the Member State in which the Controller is established shall serve as the competent authority. For Controllers outside the EU/EEA, the Commission nationale de l'informatique et des libertés (CNIL) of France shall serve as the competent Supervisory Authority, unless otherwise specified.
This Annex describes the technical and organizational security measures implemented by the Processor to protect Personal Data in accordance with Article 32 of the GDPR and Section 10 of this DPA.
| Measure | Implementation |
|---|---|
| Encryption at Rest | All Personal Data stored in databases, file systems, and backups is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic key rotation every 90 days. |
| Encryption in Transit | All data transmitted between the Controller and the Processor's systems, and between internal services, is encrypted using TLS 1.3. Older TLS versions (1.0 and 1.1) are disabled. Certificate pinning is implemented for critical API endpoints. |
| Key Management | Encryption keys are stored in a hardware security module (HSM) certified to FIPS 140-2 Level 3. Key access is restricted to authorized security personnel and automated processes only. |
| Measure | Implementation |
|---|---|
| Role-Based Access Control | Access to Personal Data is governed by RBAC policies enforcing the principle of least privilege. Access permissions are reviewed quarterly and adjusted based on role changes. |
| Multi-Factor Authentication | MFA is mandatory for all employee access to production systems, administrative consoles, and customer data. FIDO2/WebAuthn hardware keys are required for privileged access. |
| Identity Management | Centralized identity management with single sign-on (SSO). Accounts are provisioned and deprovisioned through automated workflows tied to HR systems. Dormant accounts are disabled after 30 days of inactivity. |
| Privileged Access Management | Administrative access to production systems requires just-in-time (JIT) access provisioning with mandatory approval workflows and time-limited sessions. All privileged actions are logged and audited. |
| Measure | Implementation |
|---|---|
| Network Segmentation | Production environments are logically isolated from development and staging environments. Customer data is further segmented using virtual private clouds (VPCs) with strict ingress and egress controls. |
| Firewall Protection | Web application firewalls (WAF) and network firewalls are deployed at all network boundaries. Firewall rules are reviewed monthly and follow a default-deny policy. |
| Intrusion Detection | IDS/IPS systems monitor network traffic for anomalous activity. Alerts are escalated to the security operations center (SOC) for investigation within defined SLAs. |
| Logging and Monitoring | Comprehensive logging of all access to Personal Data, administrative actions, and security events. Logs are retained for a minimum of 12 months and are tamper-protected. Security information and event management (SIEM) provides real-time correlation and alerting. |
| Measure | Implementation |
|---|---|
| Incident Response Plan | A documented incident response plan defines roles, responsibilities, communication protocols, and escalation procedures. The plan is reviewed and updated at least annually. |
| 24/7 SOC | A dedicated security operations center provides continuous monitoring and first-line incident response. Critical security alerts are triaged within 15 minutes. |
| Tabletop Exercises | Incident response tabletop exercises are conducted at least twice per year, simulating various breach scenarios including data exfiltration, ransomware, and insider threats. |
| Vulnerability Management | Automated vulnerability scanning of all production systems is performed weekly. Critical vulnerabilities are remediated within 72 hours. Annual penetration testing is conducted by qualified third-party assessors. |
| Measure | Implementation |
|---|---|
| Backup and Recovery | Personal Data is backed up daily with encrypted backups stored in a geographically separate location. Recovery point objective (RPO): 24 hours. Recovery time objective (RTO): 4 hours. |
| Redundancy | Production systems are deployed across multiple availability zones with automatic failover. Database replication ensures high availability with synchronous replication. |
| Disaster Recovery Testing | Full disaster recovery drills are conducted at least annually. Backup restoration is tested quarterly to verify data integrity and recovery procedures. |
| Measure | Implementation |
|---|---|
| Security Training | All employees complete mandatory security awareness training upon hire and annually thereafter. Training covers data protection principles, phishing recognition, secure coding practices, and incident reporting. |
| Confidentiality Agreements | All employees and contractors are required to execute confidentiality and non-disclosure agreements prior to accessing any Personal Data or production systems. |
| Background Checks | Background verification checks are conducted for all employees with access to Personal Data, in accordance with applicable laws and proportionality principles. |
| Phishing Simulations | Regular phishing simulation exercises are conducted to assess and reinforce employee awareness. Results are tracked and additional training is provided where necessary. |
| Measure | Implementation |
|---|---|
| Data Center Security | All data centers used by the Processor are SOC 2 Type II and ISO 27001 certified. Physical access is controlled by biometric authentication, CCTV surveillance, and 24/7 security personnel. |
| Environmental Controls | Data centers are equipped with redundant power supplies (UPS and generators), climate control systems, fire detection and suppression systems, and water leak detection. |
| Media Handling | Decommissioned storage media is securely destroyed using NIST 800-88 compliant methods. Certificates of destruction are retained for audit purposes. |
This Annex lists the Sub-processors authorized by the Controller as of the effective date of this DPA. The Processor shall maintain a current version of this list at agentys.io/docs/sub-processor-list.html.
| Sub-processor | Purpose of Processing | Location | Transfer Mechanism | Security Certifications |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting, compute, storage, and database services | Canada (ca-central-1), US, EU | EU Adequacy Decision (Canada); SCCs (US) | SOC 2, ISO 27001, ISO 27017, ISO 27018 |
| OpenAI | Large language model inference for email analysis, categorization, and draft generation | United States | Standard Contractual Clauses (Module 2) | SOC 2 Type II |
| Supabase | Database management, authentication, and real-time data synchronization | United States | Standard Contractual Clauses (Module 2) | SOC 2 Type II |
| Stripe | Payment processing and billing management (no email content data shared) | United States, Ireland | SCCs; EU Adequacy Decision (Ireland) | PCI DSS Level 1, SOC 2 |
| Postmark (ActiveCampaign) | Transactional email delivery for service notifications | United States | Standard Contractual Clauses (Module 2) | SOC 2 Type II |
— End of Data Processing Agreement —