Data Processing Agreement (DPA)
Effective Date: 01.01.2025
Last Updated: 01.01.2025
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between UTILHELP SOFTWARE & SOLUTIONS SRL ("Data Processor," "we," "us," or "our") and the entity or individual accepting this DPA ("Data Controller," "you," or "your") for the use of Agerra.AI services ("Services").
1. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Subject" means the individual to whom Personal Data relates
- "Sub-processor" means any third party engaged by us to process Personal Data
- "GDPR" means the EU General Data Protection Regulation 2016/679
- "Data Protection Laws" means all applicable data protection and privacy laws including GDPR
2. Processing of Personal Data
2.1 Scope and Roles
- You act as the Data Controller for Personal Data processed through the Services
- We act as the Data Processor processing Personal Data on your behalf
- This DPA applies to all Personal Data processed by us in providing the Services
2.2 Your Instructions
We will process Personal Data only:
- In accordance with your documented instructions
- To provide the Services as described in the Agreement
- As required by applicable laws
2.3 Purpose and Duration
- Purpose: To provide AI-powered customer support agent services
- Duration: For the term of the Agreement plus any retention period required by law
2.4 Categories of Data and Data Subjects
Categories of Personal Data:
- Contact information (names, email addresses)
- Communication data (chat logs, support tickets)
- Usage data and analytics
- Any data you choose to upload or process through the Services
Categories of Data Subjects:
- Your website visitors and customers
- Your employees and agents
- Any individuals whose data you process through the Services
3. Data Processor Obligations
We shall:
- Process Personal Data only as instructed by you
- Ensure persons processing Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Delete or return Personal Data upon termination of the Agreement
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections
4. Technical and Organizational Measures
We implement industry-standard security measures including:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and monitoring
- Incident response procedures
- Employee training on data protection
- Physical security of data centers (via our infrastructure providers)
5. Sub-processors
5.1 Authorized Sub-processors
You acknowledge and agree to our use of the following sub-processors:
| Sub-processor | Purpose | Location | Privacy & Terms |
|---|
| Stripe, Inc. | Payment processing | United States | Privacy Policy,Terms,DPA |
| Google LLC (Gemini) | AI/LLM services | United States | Privacy Policy,Gemini Terms,Cloud DPA |
| Anthropic, PBC | AI/LLM services | United States | Privacy Policy,Terms,Commercial Terms |
| OpenAI, L.L.C. | AI/LLM services | United States | Privacy Policy,Terms,Business Terms |
| Amazon Web Services (S3) | Data storage | Multiple regions | Privacy Policy,Data Privacy,DPA |
| Vercel Inc. | Application hosting | United States | Privacy Policy,Terms,DPA |
| DigitalOcean, LLC | Infrastructure/hosting | United States | Privacy Policy,Terms,DPA |
| Firecrawl | Web scraping/data collection | United States | Privacy Policy,Terms |
| Trigger.dev | Background job processing | United States | Privacy Policy,Terms |
| Sentry | Error monitoring | United States | Privacy Policy,Terms,DPA |
| Microsoft (Clarity) | Analytics | United States | Privacy Statement,Clarity Terms |
| Google (Analytics) | Analytics | United States | Privacy Policy,Terms,Data Processing Terms |
5.2 New Sub-processors
- We may engage new sub-processors with 30 days' prior notice
- You may object to new sub-processors on reasonable grounds
- If objections cannot be resolved, you may terminate the affected Services
5.3 Sub-processor Requirements
We ensure each sub-processor:
- Is bound by data protection obligations no less protective than this DPA
- Only processes Personal Data as necessary to provide their services
- Implements appropriate security measures
6. International Data Transfers
6.1 Transfer Mechanisms
Where Personal Data is transferred outside the EEA, we ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Other lawful transfer mechanisms under Data Protection Laws
6.2 Your Acknowledgment
You acknowledge that using the Services may involve transferring Personal Data to countries outside the EEA, particularly to the United States where many of our sub-processors are located.
7. Data Subject Rights
7.1 Assistance with Requests
We will assist you in fulfilling Data Subject requests for:
- Access to their Personal Data
- Rectification or erasure
- Data portability
- Restriction of processing
- Objection to processing
7.2 Procedure
- Forward Data Subject requests to us promptly
- We will respond within reasonable timeframes
- Costs may apply for excessive or complex requests
8. Security Incidents
8.1 Notification
We will notify you without undue delay upon becoming aware of a Personal Data breach affecting your data.
8.2 Information Provided
Breach notifications will include:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Likely consequences
- Measures taken or proposed to address the breach
8.3 Cooperation
We will cooperate with you to investigate and mitigate any security incidents.
9. Audits and Compliance
9.1 Audit Rights
You have the right to audit our compliance with this DPA, subject to:
- Reasonable advance notice
- During regular business hours
- No more than once per year (unless required by law)
- Execution of a confidentiality agreement
9.2 Certifications
We may provide relevant certifications or audit reports in lieu of on-site audits where appropriate.
10. Liability and Indemnification
10.1 Liability
Each party's liability under this DPA is subject to the limitations in the Agreement.
10.2 Indemnification
Each party shall indemnify the other against damages arising from their breach of Data Protection Laws.
11. Data Retention and Deletion
11.1 Retention Period
We retain Personal Data only for as long as necessary to provide the Services and comply with legal obligations.
11.2 Deletion Upon Termination
Upon termination, we will delete or return all Personal Data within 30 days, unless retention is required by law.
11.3 Secure Deletion
Deletion will be performed using industry-standard secure deletion methods.
12. GDPR-Specific Provisions
12.1 EU Representative
If required under GDPR, we will appoint an EU representative.
12.2 Records of Processing
We maintain records of processing activities as required under Article 30 of GDPR.
12.3 Data Protection Officer
Contact our data protection team at: agerra.mail@gmail.com
13. Miscellaneous
13.1 Amendments
This DPA may only be amended with mutual written consent.
13.2 Severability
If any provision is invalid, the remainder of the DPA remains in effect.
13.3 Governing Law
This DPA is governed by the same law as the Agreement.
13.4 Order of Precedence
In case of conflict, this DPA prevails over the Agreement regarding data protection matters.
14. Contact Information
For data protection inquiries:
UTILHELP SOFTWARE & SOLUTIONS SRL
Email: agerra.mail@gmail.com
Attn: Data Protection Team
ANNEX 1: STANDARD CONTRACTUAL CLAUSES
Note: If transferring data outside the EEA, append the appropriate EU Standard Contractual Clauses here
By accepting our Terms and Conditions, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.