AGENTRUNTIME DATA PROCESSING AGREEMENT
Effective Date: March 1, 2026 Last Updated: March 1, 2026
This Data Processing Agreement ("DPA") is entered into between AgentRuntime Labs Ltd ("AgentRuntime," "Processor," "we," "us," or "our") and the customer entity that has accepted the AgentRuntime Terms of Service ("Customer" or "Controller"). This DPA forms part of and is incorporated by reference into the AgentRuntime Terms of Service (the "Principal Agreement").
This DPA governs the processing of Personal Data by AgentRuntime on behalf of Customer in connection with the provision of the Services. Where there is a conflict between this DPA and the Principal Agreement regarding the processing of Personal Data, this DPA shall prevail.
1. DEFINITIONS
For the purposes of this DPA, the following terms have the meanings set forth below. Terms not defined herein shall have the meanings ascribed to them in applicable Data Protection Legislation.
"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"Data Protection Legislation" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the UK Data Protection Act 2018 and UK GDPR; (c) the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and California Privacy Rights Act ("CCPA/CPRA"); and (d) any other applicable national or regional data protection legislation, as may be amended or replaced from time to time.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Legislation.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
"Processing" (and "Process" and "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Services" has the meaning given in the Principal Agreement.
"Standard Contractual Clauses" or "SCCs" means the standard data protection clauses adopted by the European Commission pursuant to Article 46(2) of the GDPR, as may be updated from time to time.
"Sub-processor" means any Processor engaged by AgentRuntime to carry out Processing activities on behalf of Customer.
2. ROLES AND RESPONSIBILITIES
2.1 Customer as Controller. Customer acts as the Controller with respect to Personal Data that Customer submits, uploads, or otherwise makes available through the Services.
2.2 AgentRuntime as Processor. AgentRuntime acts as a Processor when Processing Personal Data on behalf of Customer in connection with the Services.
2.3 Independent Controllers. To the extent AgentRuntime Processes Personal Data for its own purposes, including for account management, billing, fraud prevention, and security monitoring, AgentRuntime acts as an independent Controller with respect to such Processing, which is governed by AgentRuntime's Privacy Policy.
3. SCOPE OF PROCESSING
3.1 Subject Matter. AgentRuntime shall Process Personal Data solely to the extent necessary to provide the Services to Customer.
3.2 Duration. AgentRuntime shall Process Personal Data for the duration of the Principal Agreement, unless otherwise required by applicable law.
3.3 Nature and Purpose. The nature and purpose of Processing includes the operation of platform infrastructure, execution of workflows, storage and transmission of data, and provision of technical support, each solely for the purpose of delivering the Services.
3.4 Categories of Data Subjects. Personal Data Processed under this DPA may relate to Customer's employees, contractors, clients, end-users, and other individuals whose Personal Data Customer submits to the Services.
3.5 Types of Personal Data. The types of Personal Data Processed depend on the content submitted by Customer and may include name, email address, professional information, usage data, and any other Personal Data included in Customer's workflows, datasets, or configurations.
3.6 Customer Instructions. AgentRuntime shall Process Personal Data only on Customer's documented instructions, including as set forth in this DPA and the Principal Agreement. If AgentRuntime is required by applicable law to Process Personal Data otherwise than as instructed, AgentRuntime shall, to the extent permitted by law, notify Customer prior to such Processing.
4. AGENTRUNTIME'S OBLIGATIONS
4.1 Compliance. AgentRuntime shall comply with applicable Data Protection Legislation in its role as Processor.
4.2 Confidentiality. AgentRuntime shall ensure that persons authorized to Process Personal Data on its behalf are subject to binding confidentiality obligations.
4.3 Security Measures. AgentRuntime shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, disclosure, alteration, loss, or destruction, as further described in Section 5.
4.4 Sub-processors. AgentRuntime shall comply with the Sub-processor requirements set forth in Section 6.
4.5 Assistance with Data Subject Rights. AgentRuntime shall provide Customer with reasonable assistance in responding to Data Subject rights requests, as further described in Section 7.
4.6 Data Breach Notification. AgentRuntime shall notify Customer of Personal Data Breaches in accordance with Section 8.
4.7 Data Protection Impact Assessments. Where required by applicable Data Protection Legislation, AgentRuntime shall, upon reasonable request, provide Customer with reasonable assistance in conducting data protection impact assessments and, where required, prior consultations with supervisory authorities.
4.8 Deletion and Return. Upon termination of the Principal Agreement, AgentRuntime shall delete or return Personal Data in accordance with Section 10.
4.9 Audit Rights. Upon Customer's written request, and no more than once per calendar year (unless required by a supervisory authority), AgentRuntime shall make available information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit of AgentRuntime's Processing activities, provided that: (a) Customer provides at least thirty (30) days' prior written notice; (b) the audit is conducted during normal business hours with minimal disruption; and (c) Customer and AgentRuntime agree in writing on the scope, timing, and applicable confidentiality obligations.
5. SECURITY MEASURES
AgentRuntime implements and maintains industry-standard technical and organizational measures to protect Personal Data, including:
(a) Encryption. Encryption of Personal Data in transit using TLS and, where appropriate, at rest using recognized encryption standards.
(b) Access Controls. Role-based access controls implementing least-privilege principles, limiting access to Personal Data to authorized personnel with a legitimate business need.
(c) Authentication. Secure authentication mechanisms, including multi-factor authentication for access to systems Processing Personal Data.
(d) Infrastructure Isolation. Logical segregation of Customer environments and data at the infrastructure level.
(e) Monitoring and Logging. Continuous monitoring of systems for anomalous activity, unauthorized access attempts, and security incidents, with audit logs maintained for investigation purposes.
(f) Incident Response. Documented incident response procedures for detecting, containing, investigating, and remediating security incidents.
(g) Vulnerability Management. Regular security assessments, dependency scanning, penetration testing, and patch management processes.
AgentRuntime will review and update its security measures periodically or following any material changes to its infrastructure or identified risks.
6. SUB-PROCESSORS
6.1 Authorization. Customer hereby provides general authorization for AgentRuntime to engage Sub-processors to assist in providing the Services, subject to the requirements of this Section 6.
6.2 Sub-processor Obligations. AgentRuntime shall enter into a written agreement with each Sub-processor imposing data protection obligations that are at least equivalent to those set forth in this DPA. AgentRuntime shall remain responsible for the acts and omissions of its Sub-processors to the same extent as if AgentRuntime performed the Processing directly.
6.3 Sub-processor List. AgentRuntime shall maintain an up-to-date list of current Sub-processors engaged in the Processing of Customer's Personal Data, which may include:
- Cloud infrastructure and hosting providers
- Monitoring and observability platforms
- Payment processing providers
- Customer support tooling providers
This list is available upon request at privacy@agentruntime.io.
6.4 Notification of Changes. AgentRuntime shall provide Customer with reasonable advance notice of any intended changes to its Sub-processor arrangements that may materially affect the Processing of Customer's Personal Data.
6.5 Objection. Customer may object to AgentRuntime's engagement of a new Sub-processor on reasonable grounds relating to data protection by notifying AgentRuntime in writing within fourteen (14) days of receiving notice. If Customer objects and the parties cannot resolve the objection, either party may terminate the relevant Services on written notice.
7. DATA SUBJECT RIGHTS
7.1 Customer Responsibility. Customer, as Controller, is primarily responsible for receiving and responding to Data Subject rights requests in accordance with applicable Data Protection Legislation.
7.2 AgentRuntime Assistance. To the extent technically feasible and upon Customer's written request, AgentRuntime shall provide reasonable assistance to Customer in fulfilling its obligations to respond to Data Subject requests concerning the following rights:
(a) right of access to Personal Data;
(b) right to rectification of inaccurate or incomplete Personal Data;
(c) right to erasure of Personal Data ("right to be forgotten");
(d) right to restriction of Processing;
(e) right to data portability; and
(f) right to object to Processing.
7.3 Redirection. If AgentRuntime receives a Data Subject rights request directly from a Data Subject in respect of Customer's Personal Data, AgentRuntime shall, to the extent permitted by law, promptly notify Customer and shall not respond to such request without Customer's prior written authorization, unless required to do so by applicable law.
8. PERSONAL DATA BREACH NOTIFICATION
8.1 Notification. Upon becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data, AgentRuntime shall notify Customer without undue delay and, where feasible, within seventy-two (72) hours of discovery.
8.2 Content of Notification. To the extent known at the time of notification, AgentRuntime's notification shall include:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) the name and contact details of AgentRuntime's data protection contact;
(c) the likely consequences of the Personal Data Breach; and
(d) the measures taken or proposed to be taken to address the Personal Data Breach and, where applicable, to mitigate its effects.
8.3 Supplemental Information. Where full information is not available at the time of initial notification, AgentRuntime shall provide supplemental information in phases as it becomes available.
8.4 No Admission. Notification of a Personal Data Breach shall not be construed as an acknowledgment of fault or liability by AgentRuntime.
9. INTERNATIONAL DATA TRANSFERS
9.1 Transfer Restrictions. AgentRuntime shall not transfer Personal Data to any country or territory outside the European Economic Area (EEA), the United Kingdom, or any other jurisdiction with an adequacy decision, except in accordance with the requirements of applicable Data Protection Legislation.
9.2 Transfer Mechanisms. Where a transfer of Personal Data to a third country is necessary, AgentRuntime shall ensure that appropriate safeguards are in place, including by relying on:
(a) an adequacy decision by the European Commission or relevant supervisory authority;
(b) Standard Contractual Clauses (SCCs) or approved binding corporate rules; or
(c) any other legally recognized transfer mechanism under applicable Data Protection Legislation.
10. DATA RETENTION AND DELETION
10.1 Retention. AgentRuntime shall retain Personal Data only for as long as necessary to provide the Services and to comply with applicable legal obligations.
10.2 Deletion upon Termination. Upon termination or expiry of the Principal Agreement, or upon Customer's written request, AgentRuntime shall, within a reasonable time not to exceed sixty (60) days, either delete or return Customer's Personal Data, at Customer's election, and delete existing copies, unless applicable law requires further retention.
10.3 Certification. Upon request, AgentRuntime shall provide written confirmation of the deletion or return of Customer's Personal Data.
11. LIMITATION OF LIABILITY
AgentRuntime's liability under or in connection with this DPA shall be subject to the limitations of liability set forth in the Principal Agreement.
12. GOVERNING LAW
This DPA shall be governed by and construed in accordance with the governing law provisions of the Principal Agreement, except that where Standard Contractual Clauses have been executed, the governing law of such SCCs shall apply to matters covered thereby.
13. CONTACT
For data protection inquiries:
AgentRuntime Labs Ltd — Data Protection Team Email: privacy@agentruntime.io
© 2026 AgentRuntime Labs Ltd. All rights reserved.