Book a Demo

Data Processing Agreement

Last updated: February 2026

1. Definitions

In this Data Processing Agreement (“DPA”), the following terms shall have the meanings set out below:

  • “Controller” means the entity that determines the purposes and means of Processing Personal Data.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • “Sub-processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
  • “Data Breach” means any unauthorised access to, or loss, destruction, or alteration of, Personal Data.
  • “Data Subject” means the individual to whom Personal Data relates.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the services provided under the principal agreement between the parties. The Processor shall Process Personal Data only to the extent necessary to perform the services and in accordance with the Controller’s documented instructions.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorised to Process Personal Data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Assist the Controller in responding to Data Subject requests to exercise their rights
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, and data protection impact assessments
  • At the Controller’s choice, delete or return all Personal Data upon termination of the services
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Obligations of the Controller

The Controller shall ensure that it has a lawful basis for Processing Personal Data and that all necessary consents have been obtained or notices provided to Data Subjects. The Controller is responsible for ensuring the accuracy and legality of the Personal Data provided to the Processor and for complying with all applicable data protection laws.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object. The Processor shall ensure that Sub-processors are bound by data protection obligations no less protective than those set out in this DPA.

6. International Data Transfers

Where Personal Data is transferred to a country outside the European Economic Area that has not been deemed to provide an adequate level of data protection, the Processor shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or other legally recognised transfer mechanisms.

7. Security Measures

The Processor shall implement and maintain appropriate technical and organisational security measures, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security testing and vulnerability assessments
  • Incident detection and response procedures
  • Business continuity and disaster recovery measures
  • Staff training on data protection and security

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Data Breach involving Personal Data. The notification shall include the nature of the breach, categories of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including requests for access, rectification, erasure, restriction of Processing, data portability, and objection. The Processor shall promptly notify the Controller if it receives any request directly from a Data Subject.

10. Return and Deletion of Data

Upon termination of the services, the Processor shall, at the Controller’s choice, return all Personal Data in a commonly used format or securely delete all Personal Data within 30 days, unless retention is required by applicable law. The Processor shall provide written certification of deletion upon request.

11. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable notice and during normal business hours.

12. Liability

Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the principal agreement between the parties. Nothing in this DPA limits either party’s liability for breaches of data protection law to the extent that such liability cannot be limited under applicable law.

13. Term and Termination

This DPA shall remain in effect for the duration of the principal agreement and shall automatically terminate upon the expiration or termination of that agreement, subject to the Processor’s obligations regarding the return or deletion of Personal Data. Provisions that by their nature should survive termination shall remain in effect.

14. Contact

For any questions or requests relating to this Data Processing Agreement, please contact us at hello@agrexai.com.