Data Processing Addendum

Version: v1
Effective:
Last reviewed:


Data Processing Addendum (DPA)

This Data Processing Addendum forms part of the Agreement between Agent X Ltd ("Processor") and you ("Controller") and reflects the parties' agreement with regard to the Processing of Personal Data, in accordance with Article 28 of the UK GDPR and EU GDPR.

1. Definitions

Capitalised terms have the meanings given in the GDPR. "Processing" means any operation performed on Personal Data.

2. Roles and scope

The Controller appoints the Processor to Process Personal Data only on the Controller's documented instructions, including with regard to international transfers.

3. Processor obligations

The Processor will:

  1. Process Personal Data only on documented instructions;
  2. Ensure persons authorised to Process are bound by confidentiality;
  3. Implement appropriate technical and organisational measures (Annex II);
  4. Engage Sub-processors only with prior general authorisation, with 30 days' advance notice of changes;
  5. Assist the Controller with data subject requests, DPIAs, and breach notification;
  6. Make available all information necessary to demonstrate compliance and allow audits; and
  7. Delete or return Personal Data at the end of the Agreement.

4. Sub-processors

The current list of authorised Sub-processors is published at /sub-processors. The Controller may object to a new Sub-processor within the 30-day notice period.

5. International transfers

Where Personal Data is transferred outside the UK/EU, the Standard Contractual Clauses (Commission Implementing Decision 2021/914) apply, with the UK Addendum (B1.0) for UK transfers.

6. Sub-processor breaches

The Processor is liable for the acts and omissions of its Sub-processors to the same extent as for its own.

7. Audit rights

Once per 12-month period (or more frequently following a Personal Data Breach), the Controller may audit the Processor's compliance, on 30 days' written notice and during normal business hours.

8. Personal Data Breach notification

The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Controller data.

9. Annex I — Subject matter and details

  • Subject matter: Provision of the Agent X platform
  • Duration: Term of the Agreement plus the deletion window
  • Nature and purpose: AI governance, audit, compliance tooling
  • Data subjects: Controller's authorised users
  • Categories: Account data, authentication data, usage logs

10. Annex II — Technical and organisational measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Tamper-evident hash-chained audit log
  • Least-privilege RBAC with separation of duties
  • MFA-required admin access
  • 24/7 security monitoring with SIEM
  • Quarterly third-party penetration testing
  • Vendor security review programme
  • Documented BCP/DR with tested RTO/RPO targets

A signed PDF copy of this DPA is available on request from dpo@agent-x.example.

Need a copy for procurement? Download the versioned PDF.
Need a counter-signed copy? Email dpo@agent-x.example; we sign and return within 2 business days.