EgoZ Data Processing Addendum (DRAFT)
⚠️ DRAFT — NOT LEGAL ADVICE. Review with counsel before use. This DPA template is for B2B customers and is intended to satisfy GDPR Article 28 processor obligations; adapt for other regimes as advised.
Last updated: July 7, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between [LEGAL ENTITY] ("EgoZ", "Processor") and the customer ("Controller"). It applies where EgoZ processes personal data contained in Customer Content on the Controller's behalf.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings in applicable data-protection law (incl. GDPR). "Subprocessor" means a third party engaged by EgoZ to process Personal Data.
2. Roles & scope
The Controller determines purposes and means; EgoZ processes Personal Data only to provide the Service and only on documented instructions from the Controller (including via configuration in the Console/API). This DPA does not cover EgoZ's processing of account/billing data, where EgoZ is controller.
3. Subject matter & details (Annex I)
- Subject matter: provision of the EgoZ AI-agent platform.
- Duration: the term of the Terms.
- Nature & purpose: hosting, retrieval, agent orchestration, storage of conversations/configuration.
- Types of data: identifiers and content within Customer Content (e.g. knowledge-base text, prompts, end-user messages and any personal data they contain). Excludes regulated/special-category data, which the AUP prohibits.
- Data subjects: the Controller's users/end-users.
4. Controller obligations
The Controller warrants it has a lawful basis for the Personal Data it submits and that it will not submit regulated data (PHI, PCI, etc.) absent a separate written agreement (e.g. a BAA) that EgoZ has signed. The current Service tier does not support such data.
5. Processor obligations
EgoZ will:
- process Personal Data only on the Controller's documented instructions;
- ensure persons authorised to process are bound by confidentiality;
- implement the security measures in §8;
- assist the Controller with data-subject requests and with DPIAs/consultations to the extent applicable, taking into account the nature of processing;
- at the Controller's choice, delete or return Personal Data at end of services (subject to legal retention);
- make available information necessary to demonstrate compliance and allow for audits as described in §9.
6. Subprocessors
The Controller provides general authorisation for EgoZ to engage the Subprocessors listed at Subprocessors. EgoZ will impose data-protection obligations on each Subprocessor no less protective than this DPA, and will give notice of intended changes, allowing reasonable objection.
7. International transfers
Where processing involves transfer outside the EEA/UK, the parties rely on an appropriate transfer mechanism (e.g. Standard Contractual Clauses), which are incorporated by reference. [Counsel to attach/confirm.] Note: when the Controller configures a model provider (BYOK), the Controller directs that transfer and is responsible for its lawful basis.
8. Security measures (Annex II)
- TLS in transit; AES-256-GCM encryption at rest for provider keys and other secrets.
- Tenant-scoped data isolation enforced in the data layer.
- Access controls and least-privilege for operational access.
- PII redaction on error-monitoring events before transmission.
- Hosting in the EU (EU-West) with a managed, access-controlled database.
- [Counsel/founder: add backup, logging, and incident-response specifics.]
9. Audit
EgoZ will respond to reasonable audit requests by providing relevant documentation/certifications; on-site audits as required by law and on reasonable notice. [Define cadence/limits with counsel.]
10. Personal Data Breach
EgoZ will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's Personal Data, with the information then available, and will follow the Breach Notification Runbook.
11. Liability & term
Liability under this DPA is subject to the limitations in the Terms. This DPA terminates with the Terms; obligations that by nature survive (confidentiality, deletion) continue.
12. Signatures
[LEGAL ENTITY] ___________________ Controller ___________________