This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and Agiled ("Processor") for the use of the Agiled platform and services (the "Service").

This DPA applies where and only to the extent that Agiled processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to the General Data Protection Regulation (GDPR) or other applicable data protection laws.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Service to the Controller, as described in the Terms of Service and as further instructed by the Controller. The types of Personal Data and categories of Data Subjects processed are determined by the Controller's use of the Service.

Types of Personal Data typically processed:

Contact information (names, email addresses, phone numbers, addresses)
Financial information (invoices, payment records, billing details)
Employment information (employee records, payroll data)
Business communications and correspondence
Project and task data
Any other personal data the Customer chooses to store in the Service

Categories of Data Subjects:

Customer's clients and contacts
Customer's employees and contractors
Customer's prospects and leads
Other individuals whose data the Customer stores in the Service

3. Obligations of the Processor

The Processor shall:

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations
Implement appropriate technical and organizational security measures as described in our Security Safeguards
Assist the Controller in responding to Data Subject requests for exercising their rights under applicable data protection law
Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation
At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by law
Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Sub-processors

The Controller grants general authorization for the Processor to engage Sub-processors, subject to the following conditions:

The Processor will maintain a list of current Sub-processors and make it available upon request
The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object
The Processor will impose data protection obligations on Sub-processors that are no less protective than those in this DPA
The Processor remains fully liable for the acts and omissions of its Sub-processors

5. International Data Transfers

Where Personal Data is transferred outside the European Economic Area, the Processor will ensure that appropriate safeguards are in place, including:

EU Standard Contractual Clauses (SCCs) as approved by the European Commission
Additional technical and organizational measures to supplement the SCCs where necessary
Compliance with any supplementary measures required by applicable data protection authorities

6. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

Encryption of data in transit and at rest
Logical isolation of customer data
Access controls and authentication mechanisms
Regular security assessments and vulnerability testing
Incident response and breach notification procedures
Employee security training and confidentiality agreements

For full details, see our Security Safeguards page.

7. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
Provide the Controller with sufficient information to meet its obligations under applicable data protection law
Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach

8. Data Subject Rights

The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including requests for:

Access to Personal Data
Rectification or correction of Personal Data
Erasure of Personal Data
Restriction of processing
Data portability
Objection to processing

9. Audits

The Controller may audit the Processor's compliance with this DPA, subject to reasonable notice and during normal business hours. The Processor will cooperate with such audits and provide reasonable access to relevant facilities, personnel, and records.

10. Duration and Termination

This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination:

The Processor will, at the Controller's election, delete or return all Personal Data within 30 days
The Processor may retain Personal Data to the extent required by applicable law, subject to continued compliance with this DPA

Contact

For questions about this DPA, please contact us at privacy@agiled.app.