Data Processing Agreement
Last updated: 2026-05-03
This document was generated and reviewed by multiple AI systems for accuracy. It is not a substitute for legal counsel. Customers requiring lawyer-attested legal documents should contact privacy@myemployees.ai for the formally reviewed version (available on request).
This Data Processing Agreement ("DPA") forms part of the agreement between AI Agency Group ("AI Agency", "Processor") and the customer identified in the order form or otherwise accepting the Terms of Service ("Customer", "Controller") (each a "Party", together the "Parties") and governs the processing of Personal Data carried out by AI Agency on behalf of Customer in connection with the Service. To request a counter-signed copy, email legal@myemployees.ai.
1. Definitions
Capitalized terms used in this DPA but not defined herein have the meanings given in the GDPR, the UK GDPR, or the Terms of Service. In addition:
- "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA / CPRA"), and any other privacy or data-protection law applicable to the processing of Personal Data under this DPA.
- "Customer Personal Data" means Personal Data that AI Agency processes on behalf of Customer in connection with the Service.
- "Sub-processor" means any third party engaged by AI Agency to process Customer Personal Data on behalf of Customer.
- "Standard Contractual Clauses" / "SCCs" means the European Commission Standard Contractual Clauses for the transfer of personal data to third countries (Decision 2021/914), and the UK International Data Transfer Addendum to the EU SCCs.
2. Roles and scope
Customer is the Controller and AI Agency is the Processor of Customer Personal Data. AI Agency processes Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case AI Agency will inform Customer of that legal requirement before processing, unless prohibited by law).
The subject-matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are set out in Annex I.
3. AI Agency obligations (GDPR Art. 28(3))
AI Agency will:
- Process only on documented instructions. Customer's documented instructions are the Terms of Service, this DPA, the configuration choices Customer makes in the Service (e.g., enabling integrations, configuring agents), and any further written instructions agreed by the Parties. AI Agency will inform Customer if AI Agency believes an instruction infringes Applicable Data Protection Law. AI Agency will not use Customer Personal Data to train general-purpose machine-learning or large-language models, and will not permit any Sub-processor to do so. Sub-processor LLMs are operated under zero-retention API terms confirmed in writing.
- Confidentiality. Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Security. Implement and maintain the technical and organizational measures described in Annex II, designed to ensure a level of security appropriate to the risk.
- Sub-processors. Engage Sub-processors only in accordance with Section 4 below.
- Assistance with data subject rights. Assist Customer, by appropriate technical and organizational measures, in fulfilling its obligation to respond to data subject requests under Applicable Data Protection Law (Art. 12–22 GDPR). The Service includes self-service export and deletion endpoints (POST /api/v1/account/export, POST /api/v1/account/delete); AI Agency will provide additional assistance on request.
- Assistance with security and breach obligations. Assist Customer in ensuring compliance with Art. 32–36 GDPR, taking into account the nature of processing and the information available to AI Agency.
- Personal Data Breach notification. Notify Customer without undue delay and no later than 72 hours after AI Agency becomes aware of a Personal Data Breach affecting Customer Personal Data, providing the information required by GDPR Art. 33(3) to the extent reasonably available.
- Deletion or return on termination. At Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies — except where retention is required by law. The Service offers a self-service export through the dashboard at any time, and a 30-day post-termination grace period during which Customer may export. After the grace period, AI Agency hard-deletes Customer Personal Data, with backup retention as described in the Privacy Policy.
- Audits. Make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, in accordance with Section 7 below.
4. Sub-processors (Art. 28(2))
Customer provides general written authorization for AI Agency to engage Sub-processors. The current list of Sub-processors is published at /subprocessors and is incorporated into this DPA by reference.
AI Agency will:
- give Customer at least 30 days' prior notice before engaging a new Sub-processor (by email to active customer admins or via an in-product banner);
- impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA;
- remain liable to Customer for any Sub-processor's failure to perform its data-protection obligations.
If Customer reasonably objects to a new Sub-processor on data-protection grounds within the 30-day notice window, Customer must notify AI Agency in writing of the basis of the objection. The Parties will work in good faith to resolve the objection. If a resolution cannot be reached, Customer may terminate the affected portion of the Service, with a pro-rata refund of any prepaid fees for the unused period.
5. International transfers
Where AI Agency transfers Customer Personal Data of EU/UK/Swiss data subjects outside the EEA / UK / Switzerland, the transfer is governed by:
- the EU Standard Contractual Clauses (Module Two) when AI Agency acts as Processor for Customer-as-Controller, and the EU SCCs Module Three where Customer acts as Processor for an upstream Controller;
- the UK International Data Transfer Addendum for UK transfers; and
- the Swiss FDPIC-approved equivalents for Swiss transfers.
The SCCs are incorporated into this DPA by reference and the operative options are set out in Annex III. To the extent any Sub-processor is self-certified under the EU-US Data Privacy Framework or UK Extension, transfers to that Sub-processor may rely on the DPF as the primary mechanism, with the SCCs as a fallback.
6. Security measures
AI Agency implements the technical and organizational measures listed in Annex II. Customer acknowledges that the measures are subject to technical progress and may be updated, provided that the level of security is not materially decreased.
7. Audits and inspections
AI Agency will respond to reasonable audit and questionnaire requests from Customer, no more than once per year unless required by a regulator or following a Personal Data Breach, on at least 30 days' written notice. Audits will be conducted during business hours, will not unreasonably interfere with AI Agency's operations, and will respect AI Agency's confidentiality obligations to other customers.
In place of an on-site audit, AI Agency may satisfy this obligation by providing:
- a current security questionnaire and roadmap statement on certification status;
- responses to a Customer Information Security questionnaire;
- a virtual walkthrough of relevant controls.
The Customer bears its own costs for audits. If a Customer-initiated audit identifies a material non-compliance, AI Agency will bear the reasonable cost of remediation.
8. Personal Data Breach (Art. 33)
On becoming aware of a Personal Data Breach affecting Customer Personal Data, AI Agency will, within 72 hours:
- notify Customer's designated security or privacy contact (or, if not configured, the account admin);
- describe the nature of the Breach, the categories and approximate number of data subjects and Personal Data records concerned;
- describe the likely consequences of the Breach;
- describe the measures taken or proposed to address the Breach, including measures to mitigate adverse effects;
- provide a contact point for further information.
Where not all information is available within 72 hours, AI Agency will provide it in phases without undue further delay. AI Agency's notification of, or response to, a Breach is not an admission of fault or liability.
9. CCPA terms
To the extent AI Agency processes Personal Information of California residents on behalf of Customer, AI Agency acts as a "Service Provider" under the CCPA / CPRA and:
- will not "sell" or "share" Personal Information as those terms are defined under the CCPA / CPRA;
- will not retain, use, or disclose Personal Information except for the limited and specified business purposes set out in the Terms and this DPA;
- will not combine Customer Personal Information with personal information from any other source, except as permitted by the CCPA / CPRA;
- will assist Customer in responding to consumer requests under the CCPA / CPRA.
Customer has the right, on notice, to take reasonable and appropriate steps to stop and remediate AI Agency's unauthorized use of Personal Information.
10. Liability
Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that liability that cannot be excluded under Applicable Data Protection Law (including liability to data subjects under GDPR Art. 82) is not limited.
11. Term and termination
This DPA is effective on the date the Customer accepts the Terms of Service or signs an order form, whichever is earlier, and remains in effect until the Terms terminate. The provisions that by their nature survive termination (including Sections 3.8, 8, 9, and 10) survive termination of the Terms.
12. Order of precedence
In the event of a conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
13. Governing law
This DPA is governed by the laws of the State of Delaware, USA, except that disputes arising under the SCCs are governed by the law of the EU member state designated in the SCCs.
Annex I — Description of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the AI Employees software-as-a-service platform |
| Duration | The term of the Customer's subscription, plus a 30-day post-termination grace period, plus retention windows set out in the Privacy Policy |
| Nature and purpose | Hosting, retrieval-augmented generation, automated reply generation, CRM synchronization, voice answering, knowledge management, billing, and audit logging — all to deliver the Service to Customer and Customer's end-users |
| Types of Personal Data | Contact details (name, email, phone), conversation transcripts, voice call recordings and transcripts, knowledge base content, audit logs (incl. IP and user-agent), payment metadata, integration tokens, and any Personal Data Customer chooses to upload to the Service |
| Categories of data subjects | Customer's employees and authorized users of the Service; Customer's own end-users / customers / leads / contacts whose data Customer processes through the Service |
| Sensitive data | None intentionally collected; Customer is responsible for not submitting special-category data unless it has a lawful basis to do so |
| Frequency of processing | Continuous |
| Sub-processors | As listed at /subprocessors |
| Retention | As set out in the Privacy Policy §7 |
Annex II — Technical and organizational measures (Art. 32)
AI Agency implements the following measures, as further described in our Service Status page and our security documentation:
- Encryption.
  - AES-256-GCM encryption at rest for sensitive credentials, with HKDF-SHA256 per-tenant key derivation, per-credential random salt and nonce, and a "decrypt-use-discard" pattern with memory zeroing.
  - Encryption-key versioning with backward-compatible decryption to support key rotation.
  - TLS 1.2+ encryption for all data in transit.
  - API keys are stored as bcrypt hashes; plaintext is shown to the user once on creation and never persisted.
- Tenant isolation.
  - PostgreSQL Row-Level Security on all tenant-scoped tables, enforced by FORCE ROW LEVEL SECURITY and a CI coverage test. Cross-tenant-by-design tables (portal session, admin settings, etc.) use application-layer scoping.
  - Each request runs with SET LOCAL app.tenant_id, so even an application bug cannot cross tenant boundaries.
- Access control.
  - JWT authentication with RS256 signing, JWKS rotation, JTI-based revocation via Redis, and short token lifetimes.
  - Role-based and permission-based authorization, enforced both at the route and at the data layer.
  - Multi-factor authentication is on the roadmap; the end-customer portal uses email one-time-passcode authentication today.
  - Principle of least privilege for internal staff access; production access requires authenticated VPN and is logged.
- Audit logging.
  - Audit log covering authentication, GDPR requests, credential access, role/permission changes, and admin actions. Per-route coverage is expanding.
  - Logs include actor, action, resource, before/after diffs, IP, user-agent, and request ID.
  - Audit writes survive transaction rollback so security-relevant events are always recorded.
- Webhook integrity. All inbound webhooks (Postmark, Stripe, Square, Whop, Vapi, GHL) are verified by HMAC (algorithm per provider) or Ed25519 signatures, with constant-time comparison and replay-window enforcement where supported.
- Vulnerability management. Dependency scanning on each commit, periodic penetration test preparation, and a documented vulnerability disclosure path at security@myemployees.ai.
- Backups and disaster recovery. Automated daily database backups retained for up to 35 days; periodic restore drills; single-region production deployment (US-East / Ashburn); multi-region failover is not currently configured.
- Sub-processor management. Each Sub-processor is reviewed before engagement and is bound by a written agreement with GDPR-equivalent obligations. The current Sub-processor list is published at /subprocessors.
- Personnel. All staff are subject to written confidentiality obligations and complete security and privacy training on hire and annually thereafter.
- Resilience. The Service is hosted on infrastructure with redundant compute and storage. Real-time service status is published at /status.
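As an added illustration of the Annex II encryption items (example code, not code from AI Agency or the Service), the Go program below shows the pattern those items describe: a versioned master key, an HKDF-SHA256 key derived per tenant and per credential from a random salt, AES-256-GCM with a fresh nonce, the derived key zeroed once used, and an Open routine that accepts older key versions so rotation stays backward compatible. The master key values, the blob layout, and binding the tenant id as associated data are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var masterKeys = map[byte][]byte{1: []byte("demo-master-v1"), 2: []byte("demo-master-v2")} // constructed; real keys live in a KMS
var currentVersion byte = 2 // new blobs use v2; v1 blobs still open (backward-compatible rotation)

// hkdfSHA256 is RFC 5869 extract-then-expand; one 32-byte block is exactly an AES-256 key.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	prk := hmac.New(sha256.New, salt)
	prk.Write(ikm)
	okm := hmac.New(sha256.New, prk.Sum(nil))
	okm.Write(append(info, 1)) // T(1) = HMAC(PRK, info || 0x01)
	return okm.Sum(nil)
}

// aeadFor derives the per-tenant, per-credential key and wipes it once the AEAD is built.
func aeadFor(version byte, tenantID string, salt []byte) (cipher.AEAD, error) {
	master, ok := masterKeys[version]
	if !ok { return nil, errors.New("unknown key version") }
	key := hkdfSHA256(master, salt, []byte("credential:"+tenantID))
	block, err := aes.NewCipher(key)
	for i := range key { key[i] = 0 } // decrypt-use-discard: derived key is zeroed, never cached
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal writes version(1) || salt(16) || nonce(12) || ciphertext||tag; tenant id is bound as AAD.
func Seal(tenantID string, plaintext []byte) ([]byte, error) {
	hdr := append([]byte{currentVersion}, make([]byte, 28)...)
	if _, err := rand.Read(hdr[1:]); err != nil { return nil, err } // fresh salt and nonce each time
	gcm, err := aeadFor(currentVersion, tenantID, hdr[1:17])
	if err != nil { return nil, err }
	return gcm.Seal(hdr, hdr[17:29], plaintext, []byte(tenantID)), nil
}

// Open accepts any known version; a wrong tenant, tampered byte or unknown version fails.
func Open(tenantID string, blob []byte) ([]byte, error) {
	if len(blob) < 45 { return nil, errors.New("blob too short") } // header plus 16-byte GCM tag
	gcm, err := aeadFor(blob[0], tenantID, blob[1:17])
	if err != nil { return nil, err }
	return gcm.Open(nil, blob[17:29], blob[29:], []byte(tenantID))
}
```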
Annex III — SCC operative options
Where the EU Standard Contractual Clauses (Decision 2021/914) apply:
- Module: Two (Controller-to-Processor) by default; Module Three (Processor-to-Sub-processor) where applicable to onward transfers to Sub-processors.
- Clause 7 (Docking). The optional docking clause does not apply.
- Clause 9 (Sub-processors). Option 2 (general written authorization) with a 30-day prior-notice period as set out in Section 4 of this DPA.
- Clause 11 (Redress). The optional independent dispute-resolution body does not apply.
- Clause 17 (Governing law). The law of the Republic of Ireland.
- Clause 18 (Choice of forum and jurisdiction). The courts of the Republic of Ireland.
- Annex I.A (Parties), I.B (Description), I.C (Supervisory authority). Set out in Annex I above; the supervisory authority is the Irish Data Protection Commission unless Customer designates another competent authority.
- Annex II (Technical and organizational measures). Set out in Annex II above.
- Annex III (Sub-processors). Set out at /subprocessors.
For UK transfers, the UK International Data Transfer Addendum (IDTA, version B1.0, 21 March 2022) applies, with Tables 1, 2, and 3 populated by reference to this DPA, and Table 4 populated such that neither Party may end the Addendum when the Approved Addendum changes.