Data Processing Agreement

Last updated: February 27, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between you ("Customer", "Controller") and NextLab Ventures ApS, CVR 44747737, Aarhus, Denmark ("AgentTask", "Processor").

1. Scope and Applicability

This DPA applies where and only to the extent that AgentTask processes Personal Data on behalf of the Customer in the course of providing the AgentTask platform ("Services") and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom ("Applicable Data Protection Law").

This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

2. Definitions

Capitalized terms not defined herein shall have the meaning given to them in the Agreement or Applicable Data Protection Law. For purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by AgentTask on behalf of Customer in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data (the Customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (AgentTask).
  • "Subprocessor" means any third party appointed by AgentTask to process Personal Data on behalf of the Customer.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

3. Roles and Responsibilities

The parties acknowledge and agree that with regard to the Processing of Personal Data:

  • Customer is the Controller and AgentTask is the Processor.
  • AgentTask will process Personal Data only in accordance with Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required by applicable law. AgentTask will inform Customer of any such legal requirement before Processing, unless prohibited by law.
  • Customer warrants that it has all necessary rights and consents to provide the Personal Data to AgentTask for Processing in accordance with this DPA.

4. Processing Details

4.1 Categories of Data Subjects

Customer's employees, contractors, agents, and end users who interact with the Services.

4.2 Types of Personal Data

  • Account information: name, email address, profile picture
  • Authentication data: hashed passwords, OAuth tokens
  • Usage data: task content, project data, session information, agent actions
  • Technical data: IP addresses, browser information, access logs
  • Billing data: processed by Stripe (see Subprocessors)

4.3 Purpose of Processing

Personal Data is processed solely for the purpose of providing, maintaining, and improving the Services as described in the Agreement.

4.4 Duration

Processing continues for the duration of the Agreement, plus any period required for data deletion as described in Section 10.

5. Subprocessors

Customer agrees that AgentTask may engage Subprocessors to process Personal Data on Customer's behalf. AgentTask currently utilizes the following Subprocessors:

| Subprocessor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure, managed databases (PostgreSQL), application hosting | EU (Frankfurt) |
| Vercel Inc. | Frontend hosting, CDN, edge functions | Global (EU primary) |
| Stripe, Inc. | Payment processing, subscription billing | US (EU SCCs) |
| Anthropic, PBC | AI enrichment, session summaries (task metadata only) | US (EU SCCs) |
| Postmark (ACVN) | Transactional email delivery | US (EU SCCs) |

AgentTask shall notify Customer of any intended changes to its Subprocessors at least 14 days before the change, giving Customer the opportunity to object. If Customer objects and AgentTask cannot reasonably accommodate the objection, either party may terminate the Agreement.

6. Security Measures

AgentTask implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit: All data transmitted between users and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Database volumes are encrypted using AES-256.
  • Access control: Role-based access, multi-factor authentication for infrastructure access, principle of least privilege.
  • Authentication: Passwords are hashed using bcrypt. API tokens are stored as SHA-256 hashes.
  • Network security: Firewalls, private networking between services, no public database access.
  • Monitoring: Automated alerting for suspicious activity, access logging, error tracking.
  • Backups: Automated daily database backups with 30-day retention, stored in EU region.
  • Employee access: Limited to authorized personnel with a business need. All team members are bound by confidentiality obligations.

7. Data Breach Notification

AgentTask shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer's data. The notification shall include:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects affected.
  • The name and contact details of the data protection contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

8. Data Subject Rights

AgentTask shall assist Customer in fulfilling its obligations to respond to Data Subject requests exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection). AgentTask shall:

  • Promptly notify Customer if it receives a request from a Data Subject directly.
  • Not respond to such requests without Customer's prior authorization, unless required by law.
  • Provide Customer with the technical ability to access, export, and delete their data through the Services.

9. International Data Transfers

AgentTask stores primary data in the European Union (DigitalOcean Frankfurt). Where data is transferred outside the EEA (e.g., to US-based Subprocessors), AgentTask ensures adequate safeguards through:

  • EU Standard Contractual Clauses (SCCs) executed with each Subprocessor.
  • Assessment of the legal framework of the recipient country.
  • Supplementary technical measures (encryption, pseudonymization) where appropriate.

10. Data Retention and Deletion

Upon termination of the Agreement, AgentTask shall, at Customer's election, delete or return all Personal Data within 30 days, unless retention is required by applicable law. Customer may export their data at any time through the Services or by contacting support.

After the 30-day period, AgentTask shall delete all remaining copies of Personal Data, including from backups, within 90 days, except where retention is required by law.

11. Audit Rights

AgentTask shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct audits, including inspections, no more than once per year with at least 30 days' written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with AgentTask's operations.

AgentTask may satisfy audit requests by providing relevant certifications, audit reports, or other documentation demonstrating compliance.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability with respect to any Data Subject's rights under Applicable Data Protection Law.

13. Term and Termination

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate when the Agreement terminates, subject to the data deletion obligations in Section 10. Provisions that by their nature should survive termination shall continue to apply.

14. Contact

For any questions regarding this DPA, data processing, or to exercise rights under this agreement, please contact:

NextLab Ventures ApS
Aarhus, Denmark
Email: legal@agenttask.io
CVR: 44747737