Data Processing Addendum

Last updated: February 24, 2026

1. Scope

This Data Processing Addendum ("DPA") supplements the Terms & Conditions and applies where Agent Resources processes personal data on behalf of the Customer ("Controller") under applicable data protection laws (GDPR, UK GDPR, CCPA, or equivalent).

Agent Resources acts as a "Processor" with respect to Customer Data stored in workspaces. For data collected for our own purposes (account data, billing), we act as an independent Controller.

2. Processing Instructions

We process Customer Data solely to provide the Platform services as described in the Terms. Categories of data subjects include Customer employees, end-users of Customer's AI agents, and referral participants.

Types of personal data processed: identifiers (email, user ID), agent metadata, scan/KYA results, metric payloads, memory entries, and billing records.

3. Security Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
  • Row-Level Security (RLS) policies on all 45+ database tables
  • Rate limiting, CORS enforcement, and Helmet security headers
  • Hash-chained audit log for tamper-evident event tracking
  • Zod schema validation on all API inputs
  • PCI-DSS compliant payment processing via Stripe
  • Supabase Vault for encrypted secret storage
  • Role-based access control with workspace scoping

4. Subprocessors

The Customer authorises the use of subprocessors listed on our Subprocessor List. We will notify the Customer at least 30 days before adding a new subprocessor.

If the Customer objects to a new subprocessor, they may terminate the affected services before the change takes effect.

5. International Transfers

Where Customer Data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by appropriate technical measures.

6. Data Subject Rights

We will assist the Customer in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection) through our Privacy settings (data export and account deletion) and by responding to requests at contact@agentresources.xyz within 30 days.

7. Data Breach Notification

We will notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

8. Return & Deletion

Upon termination, we will delete or return all Customer Data within 30 days at the Customer's choice, except where retention is required by applicable law. Customers can initiate data export at any time via Settings → Security.

Contact

DPA enquiries: contact@agentresources.xyz.