Last updated January 01, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Agenized ApS (“Processor”, “we”, “us”, or “our”) and the customer that has accepted the Terms and Conditions for the Service (“Customer”, “Controller”, “you”). This DPA applies to the extent Processor processes Personal Data on behalf of Customer in connection with the Service.
1. Parties
Controller (Customer): The business entity that enters into the Terms and Conditions for the Service.
Processor: Agenized ApS, Slamrebjergvej 6A, 3730 Nexø, Denmark, VAT DK46093208.
2. Definitions
Terms used in this DPA have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”), unless otherwise defined.
- “Personal Data”: Any information relating to an identified or identifiable natural person.
- “Processing”: Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- “Customer Personal Data”: Personal Data processed by Processor on behalf of Customer under this DPA.
- “Subprocessor”: Any processor engaged by Processor to assist in processing Customer Personal Data.
- “Security Incident”: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Personal Data Breach” under the GDPR).
3. Roles and Scope
Customer is the Controller of Customer Personal Data. Processor processes Customer Personal Data only as a Processor on behalf of Customer, except where Processor acts as a Controller for separate data it processes for its own purposes (for example, billing, account administration, and sales).
4. Subject Matter, Duration, Nature, and Purpose of Processing
Subject matter: Provision of the Service to Customer, including AI-assisted customer support workflows, integrations, and related features.
Duration: For the term of the Customer’s subscription and any additional period required for deletion, return, or retention as described in Section 11.
Nature and purpose: Hosting, storing, transmitting, and otherwise processing Customer Personal Data to operate, maintain, secure, and support the Service, and to carry out Customer’s documented instructions.
5. Categories of Data Subjects and Personal Data
The categories below are typical. Customer controls what data is submitted to the Service.
Data subjects may include:
- Customer’s representatives, administrators, and authorized users.
- Customer’s end-users and contacts (for example, Customer’s customers) who communicate via connected channels.
- Individuals whose Personal Data appears in Customer content, knowledge sources, tickets, messages, or integrations.
Personal Data may include:
- Identifiers and contact details (for example, name, email, phone number, usernames, social handles).
- Conversation content and metadata (for example, messages, timestamps, channel identifiers).
- Customer support context (for example, order references, ticket IDs, CRM identifiers) as provided by Customer or end-users.
- Technical data (for example, IP address, device data, logs) related to usage of the Service.
Special categories of data: Customer should not submit special categories of data (GDPR Article 9) unless Customer has a lawful basis and appropriate safeguards. The Service does not offer specific technical or contractual controls for special categories (e.g. health, biometrics). By using the chat widget and connected channels, end-users are presented with a configurable privacy notice and, where enabled, an optional confirmation step before sending their first message.
6. Customer Instructions
Processor will process Customer Personal Data only on documented instructions from Customer, including instructions provided via Customer’s configuration and use of the Service.
If Processor believes an instruction violates applicable law, Processor will inform Customer (unless prohibited by law).
7. Processor Obligations
- Process Customer Personal Data only as set out in this DPA and Customer’s documented instructions.
- Ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Customer Personal Data (see Section 8 and Annex 2).
- Not sell Customer Personal Data.
8. Security Measures
Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures described in Annex 2 (Security Measures).
Processor implements technical and organizational measures including: (a) encryption in transit via TLS for all API and application traffic; (b) encryption at rest for database and, where used, file storage (e.g. database and S3 encryption); (c) access control and authentication (e.g. role-based access, strong authentication for admin and API access); (d) encryption of sensitive stored secrets (e.g. channel credentials) using keyed encryption; (e) centralized logging and monitoring, with security-relevant events logged; (f) logical separation of customer data by account; (g) regular backups and recovery procedures; (h) vulnerability and patch management; (i) a documented incident response and breach notification process; (j) confidentiality and security obligations for personnel. Data center and physical security are provided by Processor’s hosting and infrastructure suppliers.
9. Subprocessors
Customer grants Processor a general authorization to engage Subprocessors for the provision of the Service.
9.1 Current Subprocessors
An up-to-date list of Subprocessors can be found at: https://agenized.com/legal/subprocessors.
9.2 Changes to Subprocessors
Processor will provide notice of intended changes to Subprocessors by updating Annex 1 or the published list. Customer may object to a new Subprocessor within 30 days of notice by providing written reasons related to data protection. If the parties cannot resolve the objection, Customer may terminate the affected part of the Service in accordance with the Terms and Conditions.
9.3 Subprocessor Terms
Processor will enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective than those in this DPA. Processor remains responsible for Subprocessors’ performance of their obligations.
10. International Transfers
Customer Personal Data may be processed in the EEA and may be transferred outside the EEA depending on subprocessors and connected third-party platforms.
Where transfers outside the EEA occur, Processor ensures appropriate safeguards, including European Commission Standard Contractual Clauses (SCCs). Where Processor acts as processor on behalf of Customer, the SCCs Module Two (Controller to Processor) apply. Processor will make the executed SCCs (or a copy) available to Customer on request or publish them at: https://agenized.com/legal/scc.
11. Deletion and Return of Data
Upon termination or expiration of the subscription, Processor will, at Customer’s choice and subject to Service capabilities and applicable law: (a) return Customer Personal Data in a commonly used, machine-readable format (e.g. via API export or bulk export on request), and/or (b) delete Customer Personal Data. Processor may retain Customer Personal Data where required by law or for a limited period for backups, security, and dispute resolution, provided it remains protected and is deleted in accordance with Processor’s retention cycle (typically within 90 days after the retention trigger). During the subscription, Processor applies configurable retention: message content may be redacted after a configurable period (default 30 days), and contact PII may be anonymized or removed after a configurable period of inactivity (default 90 days). Final deletion of account-related data is completed within [e.g. 30–90] days after effective termination, except where longer retention is required by law.
12. Assistance to Customer
Taking into account the nature of processing, Processor will provide reasonable assistance to Customer to:
- Respond to requests from data subjects (access, deletion, etc.), to the extent applicable and within Processor’s control.
- Meet GDPR obligations relating to security, breach notification, DPIAs, and consultations with supervisory authorities.
Reasonable assistance within the scope of the Service is included. Customer acknowledges that assistance that is not standard (e.g. extensive custom exports, repeated or complex audits, or legal/DPIA support beyond providing information) may be chargeable at Processor’s then-current professional services or support rates.
13. Personal Data Breach Notification
Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
Processor’s notification will include, where available, relevant information about the nature of the breach, likely consequences, and measures taken or proposed to address the breach.
Customer is responsible for determining whether to notify supervisory authorities and affected individuals, unless otherwise required by applicable law.
14. Audits and Compliance
Processor will make available information reasonably necessary to demonstrate compliance with this DPA.
Customer may conduct an audit no more than once per year, or more frequently if required by law or in response to a material Security Incident, subject to:
- Reasonable prior written notice.
- Scope limited to data protection controls relevant to the Service.
- Confidentiality and security requirements.
- Audit conducted during normal business hours, without unreasonable disruption.
- Customer bears its own audit costs and reimburses Processor’s reasonable costs for providing assistance (e.g. staff time, preparation of documentation) at Processor’s then-current rates, unless otherwise agreed in writing.
Processor may satisfy audit obligations in whole or in part by providing third-party reports or certifications where available (e.g. SOC 2 Type II or ISO 27001). At the date of this DPA, Processor does not hold such a certification; upon obtaining one, Processor will make it available to Customer under confidentiality.
15. Confidentiality
Processor will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations. Each party will keep the other party’s confidential information confidential, subject to applicable law and the Terms and Conditions.
16. Liability
Liability under this DPA is subject to the liability provisions in the Terms and Conditions. Nothing in this DPA expands Processor’s liability beyond what is set out in the Terms and Conditions, except where liability cannot be limited under applicable law (e.g. gross negligence, wilful misconduct, or breach of confidentiality).
17. Order of Precedence
In case of conflict between this DPA and the Terms and Conditions regarding processing of Personal Data, this DPA will prevail. For all other conflicts, the Terms and Conditions will prevail.
18. Governing Law
This DPA is governed by the laws of Denmark, and disputes will be subject to the courts of Copenhagen, Denmark, unless mandatory law requires otherwise.
Annex 1: Subprocessors (Suppliers)
| Subprocessor Name | Service Provided | Processing Location(s) | Data Categories | Transfer Mechanism (If Outside EEA) | Link to Terms/Privacy or DPA |
|---|---|---|---|---|---|
| OpenAI | AI/LLM (chat, classification, embeddings if used) | US | Conversation content, prompts, responses (as sent by Customer) | SCCs (Controller–Processor or Processor–Processor as applicable) | https://openai.com/policies/ |
| Stripe | Billing, subscriptions, payment method storage | US | Billing contact, payment identifiers; no full payment card details stored by Processor | SCCs / Stripe DPA | https://stripe.com/legal |
| AWS | Hosting, database, object storage (e.g. RDS, S3), compute | EU | All Customer Personal Data processed by the Service | SCCs; AWS as processor | https://aws.amazon.com/privacy/ and https://aws.amazon.com/compliance/gdpr-center/ |
Annex 2: Security Measures
Processor maintains a security program appropriate to the nature of the Service and the risks to Customer Personal Data. The measures below are examples and should be adapted to your actual implementation.
- Access control: Role-based access, least privilege, strong authentication for administrative access.
- Encryption: Encryption in transit: TLS 1.2 or higher for all client and server communication. Encryption at rest: database and file storage (e.g. S3) use encryption at rest as provided by the infrastructure provider; sensitive application secrets (e.g. channel credentials) are encrypted with keyed encryption before storage.
- Logging and monitoring: Structured logging for application and security-relevant events; logs retained in accordance with Processor’s retention policy; monitoring and alerting for availability and security events.
- Segregation: Logical separation of data by customer account; multi-tenant isolation in application and database layer.
- Backups and recovery: Regular automated backups of databases and critical configuration; backup retention and restore procedures in place; recovery tested periodically.
- Vulnerability management: Dependency and vulnerability scanning; security-relevant patches applied in accordance with Processor’s patch policy and risk assessment.
- Incident response: Documented incident response process; Personal Data Breach notification to Controller without undue delay as set out in Section 13.
- Physical security: Handled by Processor’s hosting/infrastructure providers; data centers with access controls, monitoring, and physical safeguards.
- Employee confidentiality: Confidentiality and data protection obligations in employment or contractor agreements; security and privacy awareness training for personnel with access to personal data.
Annex 3: Customer Instructions and Service Settings
Customer instructions are given through configuration and use of the Service, including: (a) connected channels and integrations selected by Customer; (b) knowledge sources and content uploaded or linked by Customer; (c) agent and routing settings, automations, and actions configured by Customer; (d) retention, redaction, and privacy notice settings available in the Service (e.g. message retention days, contact PII retention days, optional privacy confirmation in the chat widget). Export and deletion options are available via the Service API and, where applicable, the admin or merchant interface.