Data Processing Agreement

Between:

[COMPANY NAME], a Delaware corporation ("Processor" or "Execlave")

and

[CUSTOMER] ("Controller" or "Customer")

Effective Date: [EFFECTIVE DATE]

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between Execlave and Customer for the provision of the Execlave AI agent governance platform ("Service"), and reflects the parties' agreement on the processing of Personal Data in accordance with the requirements of applicable Data Protection Laws.

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the Terms of Service or in the GDPR (Regulation (EU) 2016/679).

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK Data Protection Act 2018 and UK GDPR; (c) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (d) any other applicable data protection legislation.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Execlave as part of providing the Service, as described in Annex 1.

"Processing" means any operation or set of operations performed on Personal Data, as defined in GDPR Article 4(2), including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Sub-Processor" means any third party engaged by Execlave to process Personal Data on behalf of Customer.

"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).

2. Scope and Purpose of Processing

2.1 Role of the Parties

Customer is the Controller of Personal Data submitted to the Service. Execlave is the Processor, processing Personal Data solely on behalf of and under the documented instructions of Customer.

2.2 Subject Matter

The processing concerns the provision of the Execlave AI agent governance platform, which enables Customer to register AI agents, enforce governance policies on agent actions, capture execution traces, maintain audit logs, generate compliance evidence, and detect anomalies in agent behavior.

2.3 Duration

This DPA is effective for the duration of the Terms of Service between the parties, and continues until all Personal Data has been deleted or returned in accordance with Section 10.

2.4 Purpose of Processing

Execlave processes Personal Data for the following purposes, as instructed by Customer:

1. Policy enforcement — Evaluating agent inputs and outputs against Customer-configured governance policies, including deterministic rule evaluation and, where enabled by Customer, LLM-based semantic classification via locally deployed LLM models.
2. Trace storage and retrieval — Ingesting, storing, and serving execution traces for monitoring, debugging, and audit purposes.
3. Compliance evidence generation — Compiling enforcement statistics, policy inventories, approval records, and audit log extracts into compliance reports mapped to SOC 2, EU AI Act, ISO 27001, and custom frameworks.
4. Anomaly detection — Computing statistical baselines from trace patterns and identifying deviations using EWMA (Exponentially Weighted Moving Average) with seasonal decomposition.
5. Audit logging — Recording all governance-relevant actions in a tamper-evident, cryptographically chained audit log.
6. Authentication and access control — Managing user sessions, role-based access, and API key validation.
7. Billing and metering — Tracking usage against plan limits and processing subscription payments.

3. Categories of Data Processed

The following categories of Personal Data may be processed under this DPA:

3.1 Authorized User Data

• Names and email addresses of individuals with accounts in Customer's Organization
• Authentication identifiers and session tokens (managed by Clerk)
• Role assignments (Owner, Admin, Developer, Viewer)
• IP addresses (for API key allowlist validation and security logging)

3.2 Agent Execution Traces

Traces may contain Personal Data if Customer's AI agents process personal data in their inputs or outputs:

• Agent inputs (prompts, queries, user messages, tool call parameters)
• Agent outputs (responses, generated content, action results)
• Session identifiers and conversation context
• Execution metadata (timestamps, durations, token counts, model identifiers)

3.3 Audit Log Data

• User identifiers associated with governance actions
• Timestamps, action descriptions, and affected resource identifiers
• IP addresses and authentication method used
• Cryptographic hash chain values

3.4 Policy and Configuration Data

• Policy definitions, which may reference data categories or sensitivity levels
• Agent registration metadata
• Prompt version text and approval records

3.5 Billing Data

• Organization billing contact name and email
• Subscription plan and usage metrics
• Payment transaction identifiers (card details are held by Stripe, not Execlave)

4. Categories of Data Subjects

Personal Data processed under this DPA may relate to the following categories of Data Subjects:

• Customer's employees and contractors who are Authorized Users of the Service
• End users of Customer's AI agents whose personal data may appear in agent execution traces
• Third parties whose personal data may incidentally appear in agent inputs or outputs processed through the Service

5. Customer's Instructions

5.1 Documented Instructions

Execlave will process Personal Data only on Customer's documented instructions, which include:

• The Terms of Service and this DPA
• Customer's configuration of the Service (policies, retention settings, semantic evaluation toggles)
• Any additional written instructions agreed between the parties

5.2 Additional Instructions

If Customer provides instructions that Execlave reasonably believes infringe Data Protection Laws, Execlave will promptly inform Customer and may suspend the relevant processing until Customer issues lawful instructions.

5.3 Compliance

Execlave will comply with all applicable Data Protection Laws in performing its obligations under this DPA.

6. Sub-Processors

6.1 Authorized Sub-Processors

Customer authorizes Execlave to engage the following Sub-Processors:

6.2 Sub-Processor Changes

Execlave will notify Customer at least 30 days before engaging a new Sub-Processor or making a material change to an existing Sub-Processor's scope of processing. Notification will be sent via email to the Organization Owner and posted in the Execlave dashboard.

6.3 Objection Right

Customer may object to a new Sub-Processor within 15 days of notification by providing written notice with reasonable grounds. The parties will negotiate in good faith to address Customer's concerns. If the parties cannot reach a resolution within 30 days, Customer may terminate the affected Service component without penalty.

6.4 Sub-Processor Obligations

Execlave will enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those in this DPA. Execlave remains liable to Customer for the acts and omissions of its Sub-Processors.

7. Technical and Organizational Security Measures

Execlave implements and maintains the following security measures to protect Personal Data:

7.1 Tenant Isolation

• Row-Level Security (RLS): All database queries are scoped to the authenticated organization using PostgreSQL RLS policies. Every transaction executes SET LOCAL app.current_org_id to enforce tenant boundaries at the database level.
• Organization-scoped sessions: Real-time WebSocket connections are isolated to organization-specific rooms.

7.2 Encryption

• In transit: All communications are encrypted using TLS 1.2 or higher.
• At rest: Database storage uses AES-256 encryption provided by the underlying AWS infrastructure.
• API key storage: API keys are stored as bcrypt hashes; plaintext values are not retained after initial issuance.

7.3 Access Control

• Role-based access control (RBAC): Four-tier role hierarchy (Owner > Admin > Developer > Viewer) governing access to all Service functions.
• API key scoping: Keys are prefixed by environment (ag_ production, ag_test_ test) with optional IP allowlist restrictions.
• Authentication: JWT-based authentication via Clerk with API key fallback for programmatic access.

7.4 Audit Logging and Tamper Evidence

• Append-only audit log: Database-level constraints prevent UPDATE and DELETE operations on audit log records.
• Cryptographic hash chaining: Each audit log entry includes a SHA-256 hash of the previous entry, creating a verifiable chain. Any tampering breaks the chain and is detectable.
• Comprehensive coverage: All governance-relevant actions are logged, including agent lifecycle events, policy changes, enforcement decisions, API key operations, and user actions.

7.5 Input Validation and Sanitization

• Input sanitization middleware strips potentially dangerous content from all incoming requests.
• Rate limiting is applied per route group (100 req/min for control plane, 1,000 req/min for trace ingestion).
• Parameterized SQL queries prevent SQL injection; no string interpolation is used in database queries.

7.6 Infrastructure Security

• PostgreSQL connection pooling with a 30-second statement timeout to prevent resource exhaustion.
• Redis-based caching with configurable TTLs for semantic classification results.
• Containerized deployment with separate services for API, frontend, processing, database, and cache.

7.7 Personnel

• Access to production systems is restricted to authorized personnel on a need-to-know basis.
• Execlave personnel with access to Customer Data are bound by confidentiality obligations.

8. Data Subject Rights

8.1 Assistance

Execlave will assist Customer in fulfilling its obligations to respond to Data Subject requests under Data Protection Laws, including requests for access, rectification, erasure, portability, restriction, and objection.

8.2 Process

Upon receiving a Data Subject request directly, Execlave will promptly redirect the Data Subject to Customer (unless otherwise instructed) and notify Customer within 5 business days.

8.3 Technical Support

Execlave provides the following capabilities to support Data Subject rights:

• Access and portability: Data export in JSON and CSV formats via API and dashboard.
• Rectification: Ability to update user profile data and agent metadata via API.
• Erasure: Organization-level data deletion upon account termination. For audit log entries, Execlave will anonymize personal identifiers rather than delete records, to preserve the integrity of the cryptographic hash chain required for compliance evidence.
• Restriction: Ability to disable specific agents, revoke API keys, and suspend user access.

8.4 Costs

Execlave will provide reasonable assistance at no additional charge. If Data Subject requests require extraordinary effort (e.g., retrieving data from backups or processing bulk requests), Execlave may charge reasonable fees agreed in advance.

9. Data Retention and Deletion

9.1 Retention Periods

Execlave retains Personal Data in accordance with the following schedule:

9.2 Deletion Upon Termination

Upon termination of the Terms of Service:

1. Customer has 30 days to export Personal Data via the API or dashboard.
2. Execlave will permanently delete all Personal Data within 60 days of the effective termination date.
3. Execlave will provide written confirmation of deletion upon Customer's request.

9.3 Exceptions

Execlave may retain Personal Data beyond the periods above where required by applicable law, provided that such retention is limited to the minimum data necessary and is protected with appropriate security measures.

10. Security Incident Notification

10.1 Notification

Execlave will notify Customer of a confirmed Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident, in accordance with GDPR Article 33(2).

10.2 Content of Notification

The notification will include, to the extent available:

1. A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected.
2. The name and contact details of Execlave's point of contact.
3. A description of the likely consequences of the Security Incident.
4. A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects.

10.3 Ongoing Communication

Execlave will provide Customer with timely updates as additional information becomes available and will cooperate with Customer's investigation and remediation efforts.

10.4 Notification Method

Initial notification will be sent via email to the Organization Owner and, where applicable, to a designated security contact. Execlave will follow up with a detailed written incident report.

10.5 No Admission

Notification of a Security Incident does not constitute an admission of fault or liability by Execlave.

11. Audit Rights

11.1 Audit Information

Execlave will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws.

11.2 Audits

Customer (or a qualified independent auditor appointed by Customer) may conduct an audit of Execlave's processing activities under this DPA, subject to the following conditions:

1. Customer provides at least 30 days' written notice of an audit request.
2. Audits are conducted during normal business hours with minimal disruption to Execlave's operations.
3. The auditor is bound by confidentiality obligations.
4. Customer bears the cost of the audit, except where the audit reveals a material breach by Execlave.
5. Audits are limited to one per 12-month period, unless a Security Incident or regulatory requirement necessitates an additional audit.

11.3 Certifications

In lieu of an on-site audit, Execlave may provide Customer with:

• Results of independent third-party security audits or assessments (e.g., SOC 2 Type II report).
• Relevant compliance certifications.
• Responses to Customer's written security questionnaire.

Customer agrees to accept these materials as fulfilling its audit rights, where the materials adequately address Customer's concerns.

12. International Data Transfers

12.1 Transfer Mechanisms

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the European Commission, Execlave will ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): The parties agree to the SCCs (Commission Implementing Decision (EU) 2021/914) as incorporated in Annex 2 of this DPA. For UK transfers, the UK Addendum to the SCCs applies.
• Supplementary measures: Encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, pseudonymization where feasible, and regular security assessments.

12.2 Transfer Impact Assessment

Execlave has conducted a transfer impact assessment for each Sub-Processor located in the United States and has implemented supplementary measures where necessary. Execlave will provide the results of such assessments to Customer upon request.

12.3 Data Residency

Enterprise customers may select specific AWS regions for data storage. Self-hosted deployments allow Customer to maintain all data within their own infrastructure and jurisdiction.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that:

• Neither party's liability for breaches of this DPA that result from willful misconduct or gross negligence shall be limited.
• Liability for regulatory fines imposed on either party shall be borne by the party whose action or inaction caused the fine.

14. Term and Termination

14.1 Term

This DPA takes effect on the Effective Date and remains in effect for the duration of the Terms of Service.

14.2 Survival

Sections 9 (Data Retention and Deletion), 10 (Security Incident Notification), 11 (Audit Rights), and 13 (Liability) survive termination of this DPA until all Personal Data has been deleted or returned.

14.3 Effect of Termination

Upon termination of this DPA, Execlave will cease processing Personal Data and comply with the deletion obligations in Section 9.

Annex 1: Details of Processing

Annex 2: Standard Contractual Clauses

The Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference. The parties agree to Module Two (Controller to Processor) with the following selections:

• Clause 7 (Docking clause): Included
• Clause 9(a) (Sub-processor authorization): Option 2 (General written authorization) with 30-day notice period
• Clause 11 (Redress): Optional language not included
• Clause 13 (Supervision): The supervisory authority of the EEA Member State where Customer is established, or where Data Subjects are located
• Clause 17 (Governing law): Laws of [CUSTOMER'S EEA MEMBER STATE] (or Ireland, if Customer is not established in the EEA)
• Clause 18 (Jurisdiction): Courts of [CUSTOMER'S EEA MEMBER STATE] (or Ireland, if Customer is not established in the EEA)

For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) is incorporated by reference.

Annex 3: Technical and Organizational Measures

See Section 7 of this DPA for the complete description of technical and organizational security measures.

Signatures

[COMPANY NAME] (Processor)

Name: ___________________________

Title: ___________________________

Date: ___________________________

Signature: ___________________________

[CUSTOMER] (Controller)

Name: ___________________________

Title: ___________________________

Date: ___________________________

Signature: ___________________________

This Data Processing Agreement is effective as of [EFFECTIVE DATE].