How to execute: This DPA is pre-signed by AgentGate. To make it binding, your company must (1) complete the fields in Annex I below, (2) countersign via email to
bakhrom@agengate.com, and (3) retain a copy for your records. For custom negotiations or Enterprise customers, we accept your company's DPA template.
1. Definitions
Capitalized terms have the meanings given in the EU General Data Protection Regulation (GDPR) and the UK GDPR. In particular:
- "Customer" — the entity that signs this DPA as data controller.
- "AgentGate" — means Bakhrom Berdiyev d/b/a AgentGate, acting as data processor.
- "Services" — means the AgentGate compliance validation API available at agengate.com.
- "Customer Data" — any Personal Data that Customer (or its end users) submits to the Services.
- "Subprocessor" — any third party engaged by AgentGate to process Customer Data.
2. Subject Matter & Duration
This DPA governs AgentGate's processing of Customer Data as a Processor on behalf of Customer (the Controller), for the sole purpose of providing the Services. This DPA takes effect when Customer accepts it and remains in force for the duration of Customer's subscription to the Services.
3. Processor Obligations
AgentGate will:
- Process Customer Data only on documented instructions from Customer (typically via the API);
- Ensure that personnel authorized to process Customer Data are bound by confidentiality;
- Implement appropriate technical and organizational measures (see Annex II);
- Not engage any new Subprocessor without notice (see Section 5);
- Assist Customer in responding to data subject rights requests;
- Assist Customer with security, breach notification, and impact assessment obligations;
- Delete or return Customer Data at the end of the Services (see Section 10);
- Make available information necessary to demonstrate compliance with Article 28 GDPR.
4. Security Measures
AgentGate implements and maintains the technical and organizational security measures described in Annex II. These measures include, at minimum:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Access controls including multi-factor authentication for administrative access;
- Role-based access with least-privilege enforcement;
- Regular backup and disaster recovery procedures;
- Security monitoring, logging, and automated uptime checks;
- Secure software development practices including dependency scanning.
Full details are available in the Trust Center and Security Questionnaire.
5. Subprocessors
Customer provides general authorization for AgentGate to engage Subprocessors for the provision of the Services. The current list of Subprocessors is maintained in the Trust Center § 7.
AgentGate will:
- Notify Customer at least 30 days before adding a new Subprocessor that processes Personal Data (by email or Trust Center update);
- Impose contractual obligations on each Subprocessor substantially equivalent to those in this DPA;
- Remain liable to Customer for the acts and omissions of its Subprocessors.
Customer may object to a new Subprocessor in writing within 14 days of notice. If the objection cannot be resolved, Customer may terminate the Services and receive a pro-rata refund for unused time.
6. International Transfers
Customer Data may be processed in the EU, UK, and US (subprocessors). Where data is transferred outside the EEA / UK:
- AgentGate relies on the EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK International Data Transfer Addendum, incorporated by reference into this DPA;
- Where applicable, AgentGate's Subprocessors are certified under the EU-US Data Privacy Framework (e.g., Google, Stripe);
- AgentGate conducts Transfer Impact Assessments (TIAs) where required.
7. Data Subject Rights
Taking into account the nature of the processing, AgentGate will assist Customer in fulfilling its obligations under Articles 12–23 GDPR, including requests to:
- Access, rectify, or erase Personal Data;
- Restrict or object to processing;
- Port Personal Data to another controller;
- Withdraw consent.
Customer may submit such requests to bakhrom@agengate.com. AgentGate will respond within 30 days.
8. Personal Data Breach Notification
AgentGate will notify Customer of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware. Notification will include:
- Nature of the breach, including categories and approximate number of data subjects affected;
- Likely consequences;
- Measures taken or proposed to address the breach and mitigate adverse effects;
- Contact point for further information.
AgentGate will cooperate with Customer's breach response and notification obligations.
9. Audit Rights
Customer may audit AgentGate's compliance with this DPA by:
- Reviewing AgentGate's published documentation (Trust Center, Security Questionnaire, Privacy Policy);
- Requesting and reviewing independent third-party certifications once available (e.g., SOC 2, ISO 27001);
- For Enterprise customers, requesting a remote audit no more than once per 12-month period, upon 30 days' written notice, at Customer's own cost, subject to reasonable confidentiality obligations.
10. Termination & Return of Data
Upon termination of the Services:
- AgentGate will delete or return all Customer Data within 30 days, at Customer's choice;
- Billing records will be retained for 7 years as required by tax law;
- Certified deletion confirmation is available on request;
- Customer may export audit evidence packages as JSON before termination via the API.
Annex I: Processing Details
A. List of Parties
| Role | Controller | Processor |
|---|---|---|
| Name | [Customer Company Name] | Bakhrom Berdiyev d/b/a AgentGate |
| Contact | [Customer DPO / Privacy Contact] | bakhrom@agengate.com |
| Address | [Customer Address] | [AgentGate Address on file] |
B. Description of Processing
| Item | Description |
|---|---|
| Subject matter | Validation of AI agent outputs against compliance gates. |
| Duration | For the duration of Customer's subscription plus retention periods in § 10. |
| Nature & purpose | Automated compliance validation, audit logging, and evidence chain generation. |
| Categories of data subjects | End users of Customer's AI systems whose data may appear in submitted agent output. |
| Categories of personal data | As determined by Customer's usage. May include: names, email addresses, account identifiers, transaction details, or other data contained in agent output. |
| Special categories | None processed by default. Customer must not submit special-category data without appropriate safeguards. |
| Retention | Raw agent output: not persisted (in-memory only). Metadata and hashes: 90 days (Free) / 12 months (Paid). |
C. Transfers
Processing occurs primarily in the EU (VPS hosting, Supabase EU region). Subprocessors in the US are engaged under Standard Contractual Clauses and/or EU-US Data Privacy Framework. See Trust Center § 7.
Annex II: Technical & Organizational Measures
Access Control
- MFA enforced on all administrative access;
- Role-based access control with least-privilege enforcement;
- API keys scoped per customer, hashed at rest, compared with constant-time equality.
Encryption
- TLS 1.2+ in transit (HSTS enabled with 1-year max-age);
- AES-256 at rest for all stored data and backups.
Network Security
- SSRF protection on outbound requests (private IP ranges blocked);
- CSP, X-Frame-Options, X-Content-Type-Options headers;
- Input validation via Zod schemas on all API inputs;
- Parameterized database queries (no SQL injection).
Monitoring & Logging
- Automated uptime checks every 5 minutes;
- Structured JSON logs with correlation IDs;
- 30-day log retention;
- Security event logging (authentication, authorization, configuration).
Backup & Recovery
- Automated daily backups (Supabase native);
- 30-day backup retention;
- RTO < 4 hours, RPO < 24 hours (Pro+ plans).
Personnel
- Confidentiality obligations in employment / contractor agreements;
- Background checks planned before first enterprise hire;
- Security awareness training program planned as team scales.
Incident Response
- Documented incident response process;
- 72-hour breach notification commitment;
- Post-incident reviews for all significant incidents.
Legal note: This DPA is a standard template for general B2B use. It is not legal advice. Consult your legal counsel before execution. AgentGate reserves the right to update this template; material changes will be communicated at least 30 days in advance.