Data Processing Addendum — Agent Armory (Enterprise)
Version: 2026-05-19 (draft 1)
Status: Draft for review by Dutch counsel before publication.
This Data Processing Addendum ("DPA") forms part of the Agent Armory Terms of Service or the Enterprise Master Service Agreement between the Customer (controller) and Agent Armory [B.V. — VERIFY] (processor), and governs the processing of personal data by Agent Armory on the Customer's behalf in connection with the Service. It satisfies Article 28 GDPR.
In the event of a conflict between this DPA and the Terms, this DPA prevails for matters concerning personal data.
1. Definitions
Capitalised terms used and not defined here have the meaning set out in the Terms or in the GDPR. "Customer Personal Data" means any personal data that Customer or its end users upload to the Service, or that Agent Armory otherwise processes on Customer's behalf.
2. Roles and scope
For Customer Personal Data, Customer is the controller and Agent Armory is the processor acting on documented instructions. The processing operations are: hosting, indexing, embedding (where enabled), serving, exporting, and deleting User Skills and related metadata.
For account, billing, and security-telemetry data of Customer's administrators and end users, Agent Armory is the controller; that processing is described in the Privacy Statement and is outside this DPA.
3. Customer instructions
The Terms, this DPA, and Customer's documented configuration of the Service constitute the entirety of Customer's instructions to Agent Armory. If Agent Armory believes an instruction infringes GDPR or other Union or Member-State data protection law, it will inform Customer in writing without undue delay.
4. Subject-matter, duration, nature, purpose, categories
| Item | Description |
| --- | --- |
| Subject-matter | Hosting and delivery of AI-agent Skills uploaded by Customer. |
| Duration | The term of the Customer's subscription, plus retention windows in Section 9. |
| Nature | Storage, search indexing, embedding generation, API delivery. |
| Purpose | Operating the Service for Customer. |
| Categories of data subjects | Customer's administrators, members, contributors, and any individuals whose data Customer chooses to include in User Skills (which is contractually discouraged — see AUP §1.3). |
| Categories of personal data | Email addresses; display names; (optionally) any content Customer chooses to upload to User Skills; usage telemetry generated by Customer's API calls. |
| Special categories | None expected; Customer must not upload special-category data (Art. 9 GDPR) without separate written agreement. |
5. Confidentiality
Agent Armory ensures that personnel authorised to process Customer Personal Data are bound by confidentiality (Article 28(3)(b) GDPR).
6. Security measures (Article 32 GDPR)
Agent Armory implements the following technical and organisational measures:
- In transit: TLS 1.2+ for all external traffic; HTTPS-only.
- At rest: managed PostgreSQL on encrypted storage; pgBackRest encrypted backups.
- Authentication: email-OTP login with PBKDF2-hashed codes; short-lived JWT access tokens with rotating refresh tokens (RFC 6819 alignment).
- API keys: SHA-256-hashed at rest; never logged in clear.
- Secret-redaction: outbound responses are scanned for common credential shapes (best-effort; not a control Customer may rely upon).
- Logging: request logs record method, path, status, duration; bodies and headers are not logged.
- Network isolation: application, database, and backup tiers are on isolated networks; only the reverse proxy is internet-exposed.
- Access control: least-privilege admin access; database credentials per tier; deploy keys segregated.
- Patching: OS and container base images are rebuilt and redeployed at least monthly.
- Backups: nightly full + WAL streaming via pgBackRest; weekly restore-verify.
- Incident response: see Section 7.
- Personnel: background check for engineering staff with production access [VERIFY currently in place].
7. Personal data breach (Article 33 GDPR)
Agent Armory notifies Customer of a confirmed personal data breach without undue delay and at the latest within 48 hours of becoming aware. The notification will include, to the extent then known: the nature of the breach, categories and approximate number of data subjects, categories and approximate volume of records affected, likely consequences, and the measures taken or proposed. Agent Armory cooperates with Customer's regulator-notification obligation under Article 33 GDPR.
8. Sub-processors (Article 28(2)–(4) GDPR)
Customer provides general authorisation for the sub-processors listed in docs/legal/subprocessors.md. Agent Armory:
- maintains the list at agentarmory.ai/subprocessors;
- gives Customer at least 30 days' prior notice by email of any intended addition or replacement;
- allows Customer to object on reasonable data-protection grounds within that 30-day window — the parties will negotiate in good faith; if no resolution is reached, Customer may terminate the affected portion of the Service without penalty;
- imposes on every sub-processor data-protection obligations equivalent to those in this DPA;
- remains fully liable to Customer for the performance of its sub-processors.
9. Data subject rights
Agent Armory will, taking the nature of the processing into account, assist Customer by appropriate technical and organisational measures to respond to requests from data subjects under Chapter III GDPR. Customer can self-serve export of User Skill content via the dashboard and account-deletion via Settings → Delete Account, which triggers the deletion pipeline described in Section 10.
10. Deletion and return
On termination of the subscription, or at Customer's earlier request:
- Customer Personal Data in User Skills is exportable in machine-readable form via the dashboard or GET /api/v1/organizations/{id}/export until the end of the termination notice period;
- Account records are deleted within 30 days of termination;
- Billing records are retained for 7 years as required by Article 52 Algemene Wet inzake Rijksbelastingen;
- Backups age out under the pgBackRest retention policy (currently 30 days) and Customer Personal Data is unrecoverable thereafter.
11. Audits and inspections (Article 28(3)(h) GDPR)
Agent Armory makes available all information necessary to demonstrate compliance with this DPA. On reasonable notice (no more than once per 12 months unless required by a regulator or following a confirmed breach), Customer may audit at its expense; the parties will agree scope and timing to minimise disruption. Agent Armory may discharge this obligation by providing a current independent third-party audit report (e.g. SOC 2 Type II or ISO 27001) once such a report is available [pending — see launch checklist].
12. International transfers
Where Agent Armory or a sub-processor transfers Customer Personal Data outside the EEA, the parties rely on:
- the European Commission's 2021 Standard Contractual Clauses (Module 3 — processor to sub-processor), which are incorporated into the relevant sub-processor's DPA and into this DPA by reference for transfers Agent Armory makes; and/or
- the EU–US Data Privacy Framework where the sub-processor holds an active certification (current: Stripe, Resend, Google).
Customer authorises Agent Armory to enter the SCCs on its behalf with sub-processors.
13. Liability
Liability for breach of this DPA is subject to the limits in the Terms or Enterprise MSA, except that nothing in this DPA limits a party's liability to a data subject under Article 82 GDPR.
14. Governing law and term
This DPA is governed by Dutch law, in line with the Terms. It comes into force on the same date as the Terms or MSA between the parties and ends with them, except that Sections 5, 9–11, and 13 survive.
This document is a draft. Consult Dutch counsel before publication.