Last updated: June 3, 2026
01 Introduction & execution
This Data Processing Addendum ("DPA") supplements and is incorporated by reference into the AgentPrizm Terms of Service ("Terms"). It governs the processing of Personal Data by VUGA Enterprises LLC doing business as AgentPrizm ("AgentPrizm" or "Processor") on behalf of the customer ("Controller" or "Customer") in connection with the AgentPrizm hosted memory service ("Service").
This DPA is offered to business customers who process Personal Data of EU/EEA, UK, Swiss, or California residents through the Service. By entering into the Terms, the Customer is deemed to have accepted this DPA. No wet ink signature is required for the standard DPA to be binding.
Custom DPA or negotiated terms. If your organization requires a separately countersigned DPA, a mutual NDA prior to review, or negotiated terms, contact [email protected] with the subject line "DPA Request". We will respond within 5 business days.
In case of conflict between this DPA and the Terms, this DPA governs with respect to the processing of Personal Data.
02 Definitions
Capitalized terms used but not defined below have the meanings given in the Terms.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data — here, the Customer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller — here, AgentPrizm.
- "Sub-processor" means any third party engaged by AgentPrizm to process Personal Data in connection with the Service.
- "Data Subject" means the identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1). Under CCPA, this includes "personal information" as defined in California Civil Code § 1798.140.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction, as defined in GDPR Article 4(2).
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council. "UK GDPR" means the GDPR as retained and amended in UK law under the European Union (Withdrawal) Act 2018. "Swiss FADP" means the Swiss Federal Act on Data Protection.
- "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries adopted by the European Commission (Decision 2021/914, Module 2: Controller-to-Processor).
- "CCPA" means the California Consumer Privacy Act of 2018 (Cal. Civil Code § 1798.100 et seq.) as amended by the California Privacy Rights Act (CPRA).
- "Security Incident" means any unauthorized or unlawful processing, accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by AgentPrizm.
03 Subject-matter & processing details
Subject-matter: The provision of the AgentPrizm hosted memory database service, including ingestion, storage, semantic retrieval (RAG), embedding generation, and related API operations.
Duration: For the duration of the Terms and for as long as AgentPrizm retains any Personal Data per Section 9 (Deletion & return) below.
Nature and purpose of processing: Storing, indexing, embedding, and retrieving memory records (facts, lessons, directives, preferences, contacts, bookmarks) submitted by the Customer's agents or end users; providing semantic recall, compaction, and profile-generation services; providing API access, audit trails, and the web dashboard.
Categories of Personal Data: The types of Personal Data processed depend on what the Customer chooses to ingest. They may include: names; professional and contact information; work history and preferences; communications content; behavioral and interaction data; any other information that Customer's agents store as memory records. AgentPrizm does not knowingly process special categories of Personal Data (GDPR Article 9) and the Service must not be used to process such data or PHI.
Categories of Data Subjects: Customer's employees, contractors, agents, end users, and any other individuals whose Personal Data is stored in memory records by the Customer.
04 Processor obligations
AgentPrizm agrees to the following obligations as Processor:
- Documented instructions. AgentPrizm will process Personal Data only on documented instructions from the Controller, as set out in the Terms and this DPA and in any subsequent written instructions the Customer provides. If AgentPrizm is required to process Personal Data under EU/Member State law, AgentPrizm will inform the Customer before processing unless that law prohibits disclosure on important public-interest grounds.
- Confidentiality. AgentPrizm will ensure that persons authorized to process Personal Data are under an appropriate obligation of confidentiality (whether contractual or statutory).
- Purpose limitation. AgentPrizm will not process Personal Data for any purpose other than performing the Service, complying with applicable law, and as described in the Terms and this DPA.
- No selling or sharing. AgentPrizm will not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate the Customer's Personal Data to any third party for monetary or other valuable consideration, and will not use or disclose it for any commercial purpose other than performing the Service.
- No model training. AgentPrizm will not use Customer Personal Data to train, fine-tune, or improve any machine learning model beyond what is necessary to provide the Service to that Customer.
- Assistance. AgentPrizm will assist the Customer, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligation to respond to requests for exercising Data Subjects' rights under GDPR Chapter III and applicable law. AgentPrizm will also assist the Customer in meeting its obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation) given the nature of processing and information available to AgentPrizm.
- Legal compliance. AgentPrizm will notify the Customer if it believes an instruction from the Customer violates applicable data protection law.
05 Security measures
Taking into account the state of the art, costs, and the risks to Data Subjects, AgentPrizm implements and maintains appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data ("Security Measures"). The Security Measures currently include:
- Encryption in transit: All data transmitted between clients and the Service uses TLS 1.2 or higher. HSTS preload headers are set. HTTP is redirected to HTTPS.
- Encryption at rest (per-field): OAuth connector tokens (Notion, Google, Dropbox) are encrypted at rest using AES-256-GCM with per-record initialization vectors, stored separately from the data they authorize.
- API key hashing: API keys are stored only as SHA-256 hashes. Plaintext keys are never persisted. Keys use a namespaced prefix (ap_) to distinguish them from other secrets.
- Tenant isolation: All database queries are scoped to the authenticated user's ID at the application layer. Multi-tenancy is enforced in the API middleware and has been independently audited. No user can access another user's data through the API.
- Access controls: Production infrastructure access is restricted to SSH key authentication (root login disabled, Fail2Ban active, UFW deny-by-default). Application administrative endpoints require separate authentication. API access requires a valid API key with per-key rate limits.
- Security headers: Six security headers are set on all responses: Strict-Transport-Security (the HSTS header noted above), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
- SSRF protection: Ingest endpoints validate and restrict outbound requests to prevent Server-Side Request Forgery, including DNS-rebinding defense.
- Backups: Nightly database backups with 30-day retention.
- OS hardening: Automatic OS security patching, daily security audit scripts, intrusion detection (Fail2Ban).
AgentPrizm may update Security Measures over time provided the overall level of protection is not materially reduced. AgentPrizm will make available to the Customer information reasonably necessary to demonstrate compliance with this section, subject to the Audit Rights section below.
The Customer acknowledges, as disclosed in the Terms and on the security page, that the Service currently operates on a single-region deployment without a separately disclosed availability SLA, and that the Customer is responsible for maintaining its own backups of Customer Data as appropriate for its risk profile.
06 Sub-processors
General authorization. The Customer grants AgentPrizm a general authorization to engage the sub-processors listed at agentprizm.com/subprocessors ("Sub-processor List"). AgentPrizm will enter into data processing agreements with each Sub-processor that impose obligations no less protective of Personal Data than those in this DPA.
30-day advance notice. AgentPrizm will provide at least 30 days' written notice (by email to the Customer's account email address and/or by posting to the Sub-processor List with a "last updated" date) before adding a new Sub-processor that will process Customer Personal Data or making material changes to an existing Sub-processor engagement.
Objection right. The Customer may object to a new or changed Sub-processor on reasonable data-protection grounds by notifying AgentPrizm in writing at [email protected] within the 30-day notice period. If the parties cannot resolve the objection within a reasonable time, either party may terminate the affected Services on written notice without penalty to the Customer. Continued use of the Service after the 30-day period without objection constitutes acceptance of the new Sub-processor.
AgentPrizm liability. AgentPrizm remains liable to the Customer for the acts and omissions of its Sub-processors to the same extent AgentPrizm would be liable if it performed the services directly, subject to the limitations in the Terms.
07 Data-subject requests
If AgentPrizm receives a request from a Data Subject exercising rights under GDPR Chapter III (or equivalent applicable law) in relation to Personal Data for which the Customer is the Controller, AgentPrizm will:
- Promptly forward the request to the Customer (without responding to the Data Subject directly unless instructed by the Customer or required by law);
- Not respond to the Data Subject on the Customer's behalf without the Customer's prior written authorization.
AgentPrizm provides the following self-service mechanisms to assist the Customer in fulfilling Data Subject rights: account deletion (which triggers deletion of all Customer Data per the Terms), memory deletion via the DELETE /api/v1/agent/memories/:id and POST /api/v1/agent/forget API endpoints, and data export via the API or CLI.
08 Breach notification
AgentPrizm will notify the Customer without undue delay — and in any event, to the extent practicable, within 72 hours — after becoming aware of a Security Incident affecting Customer Personal Data. Notification will be sent to the email address associated with the Customer's account and/or to a designated security contact if one has been provided.
The notification will include, to the extent then known: (a) a description of the nature of the Security Incident, including categories and approximate numbers of Data Subjects and records affected; (b) the name and contact details of the data protection contact or other point of contact from whom more information can be obtained; (c) the likely consequences of the Security Incident; and (d) the measures taken or proposed to address the Security Incident.
Where information is not yet available at the time of initial notification, AgentPrizm will provide it in phases as it becomes available. AgentPrizm's notification of a Security Incident does not constitute an acknowledgment of fault or liability.
The Customer is responsible for any required notifications to supervisory authorities and Data Subjects under applicable law.
09 Deletion & return of data
Upon termination or expiration of the Terms, or upon the Customer's written request, AgentPrizm will:
- Make Customer Data available for export via the API or CLI for 30 days following the effective date of termination;
- Securely delete or destroy all Customer Personal Data (including copies in backups, on their normal rotation cycle) within 90 days of the expiration of the export window, unless applicable law requires longer retention;
- Upon written request, provide the Customer with written confirmation that deletion has been completed.
This section is consistent with the account-deletion flow described in the Terms. The Customer may also delete individual memories at any time using the API or dashboard; deletion is effective within the Service immediately and from backups on the next backup rotation cycle.
10 Audit rights
AgentPrizm will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA. The Customer may exercise its audit rights under GDPR Article 28(3)(h) as follows:
- Document-based audit: The Customer may request, no more than once per calendar year (absent a Security Incident or regulatory requirement), written responses to a reasonable security questionnaire. AgentPrizm will respond within 30 business days.
- On-site or technical audit: The Customer may request a technical audit with at least 60 days' written notice. The audit must be conducted during normal business hours, at the Customer's expense, by an auditor agreed upon by both parties (agreement not to be unreasonably withheld), and subject to a mutual confidentiality agreement. The Customer must share audit results with AgentPrizm.
- Security documentation: AgentPrizm may satisfy audit requests by providing its current security documentation, and any third-party audit reports or certifications it holds at the time of the request. (AgentPrizm does not currently hold a SOC 2 or equivalent attestation — see our Security page.)
11 International transfers & Standard Contractual Clauses
The parties acknowledge that the Service is operated from the United States, and that Personal Data of EU/EEA, UK, and Swiss Data Subjects will be transferred to the United States in connection with the Service.
EU Standard Contractual Clauses. To the extent that the processing involves a transfer of Personal Data from the EEA (or data originating in the EEA) to the United States or another country not recognized by the European Commission as providing an adequate level of data protection, the parties agree to incorporate the EU Standard Contractual Clauses for Controller-to-Processor transfers (European Commission Decision 2021/914, Module 2) into this DPA by reference. The SCCs are supplemented as follows:
- Clause 7 (Docking clause): applicable. An entity that is not a party to the SCCs may accede to them at any time with the agreement of both parties.
- Clause 9 (Use of sub-processors): Option 2 (general written authorization) applies, consistent with Section 6 of this DPA.
- Clause 11 (Redress): The optional language is not adopted.
- Clause 13 (Supervision): The competent supervisory authority is determined based on the Customer's EU establishment or, if none, the supervisory authority of Ireland.
- Clause 17 (Governing law): Irish law governs the SCCs.
- Clause 18 (Choice of forum): Dublin, Ireland.
- Annex I(A): Data exporter = Customer (Controller); data importer = AgentPrizm (Processor).
- Annex I(B): Categories of data subjects and types of personal data as described in Section 3 of this DPA.
- Annex I(C): Competent supervisory authority as set out in Clause 13 above.
- Annex II (Technical and organizational measures): The Security Measures described in Section 5 of this DPA.
- Annex III (List of sub-processors): agentprizm.com/subprocessors.
UK GDPR. For transfers from the UK, the parties incorporate the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018 (as amended from time to time) into this DPA by reference. The SCCs (Module 2) as completed above are the Approved EU SCCs for the purposes of the UK Addendum's tables.
Swiss FADP. For transfers from Switzerland, the SCCs apply as adapted for Swiss law as required by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
OpenAI sub-processor note. Customer memory text and ingested content may be transmitted to OpenAI in the United States for embedding generation and RAG inference under AgentPrizm's API account. This transfer is covered by the sub-processor authorization in Section 6 of this DPA, the SCC Annex III reference, and the SCCs incorporated herein. AgentPrizm maintains OpenAI as a sub-processor pursuant to OpenAI's enterprise API data processing terms. A copy of the applicable SCCs and sub-processor documentation is available on written request to [email protected].
12 CCPA service-provider addendum
This section applies to the extent AgentPrizm processes the "personal information" (as defined by CCPA) of California residents on behalf of the Customer.
Service provider relationship. For purposes of CCPA, AgentPrizm acts as a "service provider" (as defined in Cal. Civil Code § 1798.140(ag)) and not as a "third party." AgentPrizm receives Personal Data from the Customer for the limited and specified business purpose of providing the Service.
AgentPrizm agrees to the following CCPA-specific obligations:
- No sale or sharing. AgentPrizm will not sell or share (as those terms are defined in CCPA § 1798.140) Customer Personal Data.
- No use beyond service purpose. AgentPrizm will not retain, use, or disclose Customer Personal Data: (a) for any purpose other than the specific business purpose of providing the Service; (b) for AgentPrizm's own commercial purposes; or (c) outside the direct business relationship between AgentPrizm and the Customer.
- No further collection. AgentPrizm will not combine Customer Personal Data with personal information that AgentPrizm receives from, or on behalf of, another person or persons, or collects from its own interaction with consumers, except as permitted by CCPA.
- Sub-processors. AgentPrizm will notify sub-processors of the restrictions and obligations in this section and require them to comply to the same level of protection.
- Consumer rights assistance. AgentPrizm will assist the Customer in responding to verifiable consumer requests under CCPA through the mechanisms described in Section 7 of this DPA.
- Certification. AgentPrizm certifies that it understands and will comply with the restrictions and requirements of CCPA and Cal. Code Regs. tit. 11 applicable to service providers.
13 General
Incorporation. This DPA is incorporated into and governed by the Terms. All capitalized terms not defined herein have the meanings given in the Terms. In the event of a conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA controls.
Liability cap. For the avoidance of doubt, AgentPrizm's total liability to the Customer for all claims arising out of or relating to this DPA — whether in contract, tort (including negligence), or otherwise, and including claims relating to security measures, sub-processors, breach notification, or data deletion — is subject in all respects to the exclusions and aggregate limitation of liability set out in the Limitation of Liability section of the Terms, which are incorporated into this DPA by reference.
Governing law. Except as provided in the SCCs and the CCPA addendum, this DPA is governed by the laws of the State of Florida, United States, consistent with the Terms. The SCCs are governed by the law specified therein.
Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full effect.
Updates. AgentPrizm may update this DPA from time to time. Material changes will be posted with a new "last updated" date and notified to customers with at least 30 days' notice. Continued use of the Service after the effective date of any change constitutes acceptance.
Contact. Questions about this DPA: [email protected]. VUGA Enterprises LLC dba AgentPrizm, 18117 Biscayne Blvd Unit 1039, Aventura, FL 33160, United States.