Data Processing Addendum (DPA)
If you're using Agentkit for personal, non-business purposes only, this DPA doesn't apply. For business use that involves Personal Data, this DPA takes effect automatically when you accept our Terms.
1. Definitions
Terms not defined here have the meaning given in the GDPR or equivalent applicable data protection law.
Personal Data. Any information relating to an identified or identifiable natural person, processed by the Processor on behalf of the Controller in connection with Agentkit.
Customer Data. Data the Controller submits to Agentkit, including Personal Data.
Processing. Any operation performed on Personal Data, automated or not.
Subprocessor. A third party engaged by the Processor to process Personal Data.
Data Subject. The natural person to whom the Personal Data relates.
Applicable Law. Data protection laws applicable to the Processing, including the GDPR, UK GDPR, Swiss FADP, and US state privacy laws.
2. Roles
The Controller determines the purposes and means of Processing. The Processor processes Personal Data only on the Controller's documented instructions, which include the Terms, this DPA, and configurations the Controller makes in Agentkit.
3. Scope and Purpose
The Processor will process Personal Data only to provide Agentkit and as set out in Appendix A.
4. Controller Obligations
The Controller warrants that:
It has a valid legal basis under Applicable Law to process the Personal Data submitted to Agentkit
It has provided required notices to and obtained any required consents from Data Subjects
Its instructions to the Processor comply with Applicable Law
5. Processor Obligations
The Processor will:
Process Personal Data only on the Controller's documented instructions
Ensure personnel processing Personal Data are bound by confidentiality
Implement the security measures in Appendix B
Assist the Controller with Data Subject requests (Section 8) and data protection impact assessments where required
Notify the Controller if it believes an instruction violates Applicable Law
6. Subprocessors
The Controller authorizes the Processor to engage Subprocessors. A current list is at agentkit.dev/subprocessors.
The Processor will:
Impose data protection obligations on Subprocessors at least as protective as this DPA
Remain liable for Subprocessor acts and omissions
Notify the Controller 30 days before adding or replacing a Subprocessor
The Controller may object to a new Subprocessor on reasonable data protection grounds. If the parties can't resolve the objection, the Controller may terminate the affected portion of Agentkit without penalty for the unused term.
7. International Transfers
If the Processor transfers Personal Data outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the Standard Contractual Clauses (Module Two: Controller-to-Processor) approved by the European Commission, incorporated by reference. The UK Addendum and Swiss equivalents apply where relevant.
8. Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests by providing tools in Agentkit for access, correction, deletion, and export. If a Data Subject contacts the Processor directly, the Processor will forward the request to the Controller without responding to the substance.
9. Personal Data Breaches
The Processor will notify the Controller without undue delay, and within 72 hours of confirmation, of any Personal Data Breach affecting Customer Data. The notification will include:
Nature of the breach and categories of Personal Data affected
Likely consequences
Measures taken or proposed
Contact information for follow-up
10. Audits
The Controller may audit the Processor's compliance once per year on reasonable notice. The Processor will respond to reasonable security questionnaires and provide its current SOC 2 Type II report (under NDA) in lieu of on-site audits where possible.
11. Return and Deletion
On termination of Agentkit or on the Controller's request, the Processor will delete or return all Personal Data within 90 days, subject to backup retention schedules and any legal hold. Backups are deleted on the standard rotation cycle, with a maximum of 90 days.
12. Liability
Each party's liability under this DPA is subject to the limitations in the Terms.
13. Changes
The Processor may update this DPA to reflect changes in law or in Agentkit. Material changes will be announced 30 days before they take effect.
14. Conflict
If this DPA conflicts with the Terms, this DPA prevails for matters relating to Personal Data.
15. Governing Law
The DPA is governed by the laws of Germany, except where mandatory data protection law requires otherwise.
Appendix A — Processing Details
Subject matter. Provision of Agentkit.
Duration. For the term of the agreement plus retention periods set out in the Terms and the Privacy Policy.
Nature and purpose of processing. Hosting, transmission, analysis, and orchestration of agent runs; tool calls; logging; debugging; billing.
Categories of Data Subjects. Controller's employees, users, customers, and any individuals whose data the Controller submits to Agentkit.
Categories of Personal Data. Identifiers (name, email), authentication data, IP addresses, content of prompts and outputs as submitted by the Controller, usage metadata.
Special categories. The Controller agrees not to submit special category data (health, biometric, etc.) unless covered by an Enterprise agreement with additional safeguards.
Appendix B — Security Measures
See the Security page for current technical and organizational measures. Summary:
TLS 1.2+ in transit, AES-256 at rest
Hardware-backed secret management
Role-based access control with MFA enforced for production access
Logical workspace isolation
24/7 monitoring and incident response
SOC 2 Type II certified
Appendix C — Subprocessors
Maintained at agentkit.dev/subprocessors. Notice of changes goes to the email associated with the Controller's billing account.
Contact
privacy@agentkit.dev for DPA matters.