# AgentFlow Enterprise Data Processing Agreement Template Template - legal review required This template is provided for business review and should be reviewed by legal counsel before signature. It is not legal advice, a certification, or a legal compliance guarantee. This template describes implementation and vendor readiness and should be finalized by the parties before use. ## 1. Parties This Data Processing Agreement ("DPA") is entered into by and between: Customer: - Legal name: [Customer Legal Name] - Address: [Customer Address] - Registry / tax identifier: [Customer Registry or Tax Identifier] - Contact email: [Customer Contact Email] - Signatory: [Customer Signatory Name and Title] Vendor: - Business name: Xolo Go OÜ - Ciprian-Stefan Plesca, doing business as AgentFlow Enterprise - Founder / operator: Ciprian Stefan Plesca - Registry code: 14717109 - VAT number: EE102156920 - Address: Paju tn 1a, 50603 Tartu, Tartu Maakond, Estonia - Contact email: contact@agentflow-enterprise.com Effective date: [Effective Date] The customer and vendor may each be referred to as a "party" and together as the "parties." ## 2. Definitions "Customer Personal Data" means personal data submitted to, stored in, or processed through AgentFlow Enterprise on behalf of the customer. "Controller" means the party that determines the purposes and means of processing Customer Personal Data. "Processor" means the party that processes Customer Personal Data on behalf of the Controller. "Subprocessor" means a third-party provider engaged by the Processor to process Customer Personal Data in order to provide the service. "Services" means the AgentFlow Enterprise SaaS platform, related implementation support, configured integrations, and associated support activities described in the applicable agreement or order form. ## 3. Processing Instructions The customer is generally the Controller of Customer Personal Data. AgentFlow Enterprise / Xolo Go OÜ - Ciprian-Stefan Plesca acts as Processor where it processes Customer Personal Data on the customer's behalf. The Processor will process Customer Personal Data only according to documented customer instructions, the applicable service agreement, this DPA once signed, and configurations selected by the customer, unless otherwise required by applicable law. The customer is responsible for ensuring that it has a lawful basis, appropriate notices, and necessary rights to provide Customer Personal Data to the Services. ## 4. Confidentiality The Processor will limit access to Customer Personal Data to personnel or service providers who need access to provide, secure, support, or improve the Services. Personnel or service providers with access to Customer Personal Data should be subject to confidentiality obligations or equivalent professional duties appropriate to their role. ## 5. Security Measures The Processor will maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of the Services and the customer's configuration. Measures may include: - Encrypted transport for service traffic. - Server-side handling of secrets and provider credentials. - Protected dashboard access and authenticated sessions. - Tenant-aware data handling and least-privilege access patterns where applicable. - Payment handling through a dedicated payment provider. - Error monitoring and operational diagnostics where configured. - Data minimization for AI, CRM, notification, analytics, and email payloads. - Environment-based configuration for production services. - Backup, retention, and deletion review during production onboarding. This section is an implementation template and does not claim SOC 2, ISO 27001, penetration test, security audit, contractual SLA, or legal compliance certification. ## 6. Subprocessors The customer authorizes the Processor to use subprocessors needed to provide the Services, subject to the customer review and signature process agreed by the parties. The public subprocessor list is available at: https://agentflow-enterprise.com/subprocessors Expected providers may include core infrastructure, billing, AI processing, monitoring, analytics, and optional integrations configured for the customer. Optional integrations should process Customer Personal Data only when enabled, configured, and needed for the relevant workflow. The Processor should keep provider payloads limited and avoid sending unnecessary personal data to optional integrations. ## 7. Assistance With Data Subject Requests Taking into account the nature of processing and the information available to the Processor, the Processor will provide reasonable assistance to the customer for data subject requests related to Customer Personal Data. Requests may include access, correction, deletion, restriction, export, or objection support where technically available and applicable to the configured Services. The customer remains responsible for determining how to respond to a data subject request. ## 8. Personal Data Breach Assistance The Processor will provide reasonable assistance to the customer in assessing and responding to a confirmed personal data breach involving Customer Personal Data processed by the Services. The final signed DPA should define notification mechanics, contact points, evidence capture, remediation responsibilities, and any timing requirements. This template does not create a standalone contractual SLA unless signed terms state one. ## 9. Return or Deletion of Personal Data At the end of the Services, or upon verified customer request, the Processor will return, export, or delete Customer Personal Data according to the signed agreement, applicable law, technical feasibility, and configured retention schedules. The Processor may retain limited records where required for legal, tax, security, billing, fraud prevention, or dispute-resolution purposes. ## 10. Audit and Cooperation The Processor will provide reasonable cooperation for customer review of processing activities, security measures, subprocessors, and service configuration relevant to Customer Personal Data. Any audit scope, format, timing, confidentiality requirements, security restrictions, and costs should be agreed in writing by the parties before the audit begins. ## 11. International Transfers Customer Personal Data may be processed by infrastructure providers, payment providers, AI providers, analytics providers, monitoring providers, and optional integration providers depending on customer configuration and vendor terms. The parties should review vendor processing terms, selected regions, account settings, and applicable transfer mechanisms before signature and production onboarding. ## 12. Liability and Precedence Note This template is intended to support business and legal review. The final signed agreement, master services agreement, order form, or other written contract between the parties should define liability, indemnity, precedence, governing law, and conflict rules. If this DPA conflicts with a signed master agreement or order form, the parties should state which document controls before signature. ## 13. Signatures Customer: - Legal name: [Customer Legal Name] - Signatory name: [Customer Signatory Name] - Title: [Customer Signatory Title] - Signature: ______________________________ - Date: [Date] Vendor: - Legal name: Xolo Go OÜ - Ciprian-Stefan Plesca, doing business as AgentFlow Enterprise - Signatory name: Ciprian Stefan Plesca - Title: Founder / Operator - Signature: ______________________________ - Date: [Date]