data processing agreement
What this is
This Data Processing Agreement (“DPA”) describes how Agentmatica processes personal data on your behalf when you use the Service — the content your agent indexes and the conversations, leads, and contact details your website visitors submit. It supplements our Terms of Service and Privacy Policy and is incorporated into your agreement with us by using the Service. Need a countersigned copy for your records? Email privacy@agentmatica.com and we'll return one promptly.
Roles
You (the customer) are the data controller of the personal data processed through your agents. Agentmatica is your data processor (GDPR Art. 28) and processes that data only on your documented instructions: to crawl and index the sources you connect, answer visitor questions, capture leads you configure, and provide the dashboard, notifications, and exports.
Data processed
- Content data: pages, documents, and product data from sources you connect.
- Visitor data: chat messages, and — where you enable lead capture — names, email addresses, and phone numbers visitors choose to share.
- Configuration data: agent settings, team members, and escalation rules.
We do not use this data to train public or shared AI models. AI inference runs through zero-retention API configurations.
Subprocessors
We use the following subprocessors, each bound by a data processing agreement with obligations no less protective than this one. We'll give at least 30 days' notice (via email or in-product) before adding or replacing a subprocessor, and you may object on reasonable data-protection grounds.
- Supabase Inc. — Authentication, Postgres database, file storage. Location: United States (EU regions on request).
- Anthropic / OpenAI / Google — AI model inference (zero-retention API configurations). Location: United States.
- DodoPayments — Payment processing, merchant of record. Location: United States.
- Resend — Transactional email delivery. Location: United States.
- Upstash — Caching and rate limiting. Location: United States / EU.
- Amazon Web Services (Amplify) — Application hosting and delivery. Location: United States.
Security measures
- Encryption in transit (TLS 1.2+) and at rest.
- Workspace-scoped data isolation enforced at the database layer (row-level security).
- Role-based access within workspaces; least-privilege API tokens.
- Automated retention windows with warning emails before any purge, and CSV export at any time.
- Vulnerability reports: security@agentmatica.com.
International transfers
Where processing involves transfers of EU/UK personal data outside the EEA/UK, the parties rely on the European Commission's Standard Contractual Clauses (Module 2: controller → processor) and the UK International Data Transfer Addendum, which are incorporated by reference into this DPA.
Assistance & data subject requests
Taking into account the nature of the processing, we'll assist you in responding to data subject requests (access, erasure, portability, restriction). Conversations and leads are exportable as CSV from your dashboard; individual records can be deleted from the dashboard or on request. If a data subject contacts us directly about data you control, we'll refer them to you.
Breach notification
We'll notify you without undue delay after becoming aware of a personal data breach affecting your data, with enough detail to meet your own notification obligations.
Deletion & return
On termination of your account, we delete personal data processed on your behalf within 30 days, except where law requires retention. You can export everything as CSV before closing your account. Retention windows during the life of the account follow your plan's data retention policy, with warnings before any purge.
Audit
On written request (no more than once per year), we'll make available the information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audits or certifications of our infrastructure providers.
Contact
Privacy and DPA questions: privacy@agentmatica.com.