Data Processing Agreement

A1. Definitions

"Processor": AI Agent B.V. (KvK 99763842), Beethovenstraat 669, 1083 HK Amsterdam. "Controller": the Customer who uses the Services. "Personal Data": all data that the Controller processes via the Services and that relates to an identified or identifiable natural person. "Sub-processor": a third party engaged by the Processor to process Personal Data.

A2. Subject and duration

The Processor processes Personal Data exclusively on behalf of the Controller in the context of implementing and supporting the Customer's AI agent deployment. Processing lasts for the duration of the agreement between the parties. Upon termination, all Personal Data on the Processor's systems is automatically deleted within 30 days (unless a statutory retention obligation requires longer storage). During the term of the agreement, the Controller may at any time request deletion or return; this will be completed within 14 days of the request (see A5).

A3. Nature and purpose

Processing by AI Agent primarily concerns project communication, contact and billing data of the Controller, and leads/form data from our own website (see A4.1). Incidentally and solely functionally, AI Agent may have temporary access to personal data of end users on the Controller's infrastructure (see A4.2), only to the extent necessary for providing the agreed Services (implementation, configuration and support).

A4. Types of personal data

This Data Processing Agreement covers two categories of personal data:

A4.1 Data that AI Agent directly processes in its own systems (see A6 for sub-processors):

• Name, role and contact details of representatives and contact persons of the Controller
• Invoice and billing data (company name, address, Chamber of Commerce and VAT number)
• Leads, contact messages and results of self-assessments or online tools on our own website
• Communication and project documentation during implementation and ongoing support

A4.2 Data of end users of the Controller's AI agent:

End-user personal data (chat messages, conversation history, phone numbers, email addresses via channels such as WhatsApp, Telegram, Slack) runs on the Controller's infrastructure and is not structurally processed by AI Agent. AI Agent has, at most, temporary and functional access to such data during active implementation or specific support, only to the extent necessary for the provision of the agreed Services.

A5. Obligations of the Processor

• Process Personal Data only on documented instructions from the Controller
• Ensure that authorized persons are bound by confidentiality
• Take appropriate technical and organizational measures to secure the data (encryption at rest and in transit, access controls, automatic TLS, SSH key authentication)
• Assist the Controller with requests from data subjects (access, correction, deletion)
• At the Controller's specific request during the term of the agreement, delete or return Personal Data within 14 days; upon termination of the agreement, the automatic 30-day deletion period applies (see A2)
• Notify the Controller without undue delay after discovery of a data breach, and in any event in time to enable the Controller to comply with its own 72-hour notification obligation under GDPR Art. 33

A6. Sub-processors

The Processor uses the following sub-processors:

• Hetzner Online GmbH (Falkenstein, Germany) - Server hosting for internal CRM and business administration (contact details, project and billing data)
• Supabase Inc. (Frankfurt, Germany) - Database for leads, contact requests and (where applicable) results of self-assessments or online tools on our own website
• Resend (US, GDPR-compliant via Standard Contractual Clauses) - Sending transactional email (e.g. contact form, certificates)
• Vercel (US, GDPR-compliant via Standard Contractual Clauses) - Website hosting and anonymous analytics
• Calendly (US, GDPR-compliant via Standard Contractual Clauses) - Appointment scheduling on pages with Calendly widget

The Processor will inform the Controller in advance of any changes to sub-processors. The Controller has the right to object within 14 days.

A7. Data location

Data of end users of the AI agent (see A4.2) is stored on the Controller's infrastructure; the Controller determines and secures the location of this data. Personal data that AI Agent processes in its own systems (see A4.1) is stored within the European Union: internal CRM and business administration at Hetzner (Falkenstein, Germany), leads and website form submissions at Supabase (Frankfurt, Germany). For sub-processors outside the EU (Resend, Vercel), Standard Contractual Clauses apply as a GDPR-compliant transfer mechanism.

A8. Audit

The Controller has the right to have compliance with this DPA audited, at its own expense and with reasonable notice. The Processor will cooperate and provide all necessary information.