Data Processing Addendum

Last updated: July 4, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service (or other written agreement) between ProtoML, Inc. (doing business as "AGNT5", the "Processor", "we", or "us") and the customer accepting those terms (the "Customer"). It applies where we process personal data contained in Customer Content on the Customer's behalf and that processing is subject to the GDPR, the UK GDPR, the Swiss FADP, or similar data protection laws ("Data Protection Laws").

1. Definitions

"Personal data", "controller", "processor", "data subject", "processing", and "personal data breach" have the meanings given in the GDPR. "Customer Content" means code, data, prompts, inputs, outputs, and other material the Customer submits to or generates through the Service. "Customer Personal Data" means personal data contained in Customer Content.

2. Roles and scope

The Customer is the controller (or a processor acting for another controller) of Customer Personal Data; we are the Customer's processor. For personal data we collect for our own purposes — such as account, billing, and website analytics data — we are an independent controller, and our Privacy Policy applies instead of this DPA.

3. Details of processing

  • Subject matter and nature. Hosting, executing, persisting, replaying, and displaying the Customer's agentic workflows and associated run history, logs, and evaluation data.
  • Purpose. Providing the Service as described in the Agreement and as configured by the Customer.
  • Duration. The term of the Agreement plus the deletion periods in Section 10.
  • Categories of data and data subjects. Determined by the Customer. Because the Customer controls what its workflows process, Customer Personal Data may relate to any category of data subject (for example, the Customer's end users, employees, or customers) and may include any category of personal data the Customer submits.

4. Customer instructions

We process Customer Personal Data only on the Customer's documented instructions, including the Agreement, the Customer's configuration and use of the Service, and this DPA, unless required otherwise by law (in which case we will inform the Customer unless the law prohibits it). We will inform the Customer if, in our opinion, an instruction infringes Data Protection Laws.

5. Confidentiality

We ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations, and we limit access to personnel who need it to provide the Service.

6. Security

We implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, including those described in the Annex below. We may update these measures, provided the updates do not materially reduce the overall level of protection.

7. Sub-processors

The Customer authorizes us to engage the sub-processors listed below. We will impose data protection obligations on sub-processors that are no less protective than this DPA, and we remain responsible for their performance. We will give at least 30 days' notice before adding or replacing a sub-processor (by updating this page and notifying account administrators by email); the Customer may object on reasonable data protection grounds, and if we cannot resolve the objection, the Customer may terminate the affected services with a pro-rata refund of prepaid fees.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Hetzner Online GmbH | Cloud infrastructure and hosting | European Union |
| Cloudflare, Inc. | Content delivery, DNS, and network security | Global (US-headquartered) |
| Functional Software, Inc. (Sentry) | Error monitoring and diagnostics | United States |
| OpenAI, L.L.C. (optional) | LLM-based evaluation scoring — engaged only if the Customer enables LLM-as-judge scorers backed by OpenAI models | United States |
| Anthropic, PBC (optional) | LLM-based evaluation scoring — engaged only if the Customer enables LLM-as-judge scorers backed by Anthropic models | United States |

Third-party services the Customer's own workloads call with the Customer's credentials (including model providers) are not sub-processors; the Customer engages them directly.

8. Data subject requests

Taking into account the nature of the processing, we will assist the Customer with appropriate technical and organizational measures to respond to data subject requests. If a data subject contacts us directly about Customer Personal Data, we will refer them to the Customer and not respond substantively except as required by law.

9. Personal data breach

We will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required for the Customer to meet its own breach notification obligations, updating it as the investigation progresses.

10. Deletion and return

Execution history is deleted automatically at the end of the run-history window of the Customer's plan. Upon termination of the Agreement, the Customer has 30 days to export Customer Content, after which we will delete Customer Personal Data within 30 days, except where retention is required by law. Data in backups is overwritten in the ordinary cycling of backups.

11. Assistance and audits

We will reasonably assist the Customer with data protection impact assessments and consultations with supervisory authorities, taking into account the nature of the processing and the information available to us. We will make available information reasonably necessary to demonstrate compliance with this DPA, and allow audits by the Customer or its independent auditor no more than once per 12 months, on at least 30 days' notice, during business hours, without disrupting the Service, and subject to confidentiality obligations. The Customer bears the costs of audits unless they reveal material non-compliance.

12. International transfers

Customer Personal Data is hosted in the European Union and, where the Customer's configuration or optional features require, may be processed in the United States. Where a transfer of Customer Personal Data from the EEA, the UK, or Switzerland to a third country requires a transfer mechanism, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor, or Module 3: processor-to-processor, as applicable), as supplemented by the UK International Data Transfer Addendum and the Swiss adaptations, with the details in this DPA completing the annexes.

13. Liability and precedence

Each party's liability under this DPA is subject to the limitations of liability in the Agreement. If this DPA conflicts with the Agreement regarding the processing of Customer Personal Data, this DPA controls; if the Standard Contractual Clauses conflict with this DPA, the Clauses control.

Annex: Technical and organizational measures

  • Encryption of data in transit (TLS) across public networks;
  • Logical isolation of customer workloads and data by workspace, project, and deployment;
  • Role-based access control, scoped API keys, and least-privilege access for personnel;
  • Centralized logging, monitoring, and alerting for production systems;
  • Durable, replicated storage of execution state with scheduled backups;
  • Automatic deletion of execution history at the end of plan retention windows;
  • Secrets management for customer credentials, stored encrypted and never exposed in logs;
  • Vendor review of sub-processors and data protection terms with each of them.

Contact

Questions about this DPA: privacy@agnt5.com. Enterprise customers requiring a countersigned DPA can contact legal@agnt5.com.