DATA PROCESSING AGREEMENT - MONITOR

Last updated: 12/17/2025 • Version 1.0


Between: Superagent Technologies, Inc., 1111B S Governors Ave STE 3232, Dover, DE 19904, United States ("Processor")

and

[Customer Name], [Address] ("Controller")

Effective Date: [Date of Services Agreement]


RECITALS

Controller and Processor have entered into a Services Agreement for Superagent Monitor, an AI agent security testing service. In providing Monitor, Processor processes Personal Data on behalf of Controller. This Data Processing Agreement ("DPA") governs such processing in compliance with applicable Data Protection Laws including GDPR.


1. DEFINITIONS AND SCOPE

1.1 Definitions

Capitalized terms used in this DPA have the meanings set forth below or in the Services Agreement. Terms defined in GDPR (such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject") have their GDPR meanings.

Data Protection Laws: All applicable data protection and privacy laws, including GDPR, UK GDPR, Swiss FADP, and US state privacy laws.

Monitor: Processor's AI agent security testing service as described in the Services Agreement.

Personal Data: Information relating to an identified or identifiable natural person that is submitted by Controller, returned by Controller's AI agent during testing, or generated during Monitor Assessments, as specified in Appendix A.

Services: Processor's Monitor service as described in the Services Agreement.

Sub-processor: Third party engaged by Processor to process Personal Data on behalf of Controller.

Assessment Data: Test prompts, API responses, assessment results, scores, findings, and metadata collected and stored during Monitor Assessments.

1.2 Scope and Integration

This DPA applies exclusively to Personal Data processed through Monitor for security assessment purposes. It does NOT cover Controller's user account data or dashboard activities; for that data Processor acts as an independent controller, and Processor's Privacy Policy governs.

This DPA forms part of and is incorporated into the Services Agreement. In case of conflict, this DPA prevails regarding Personal Data processing.

1.3 Processing Model

Processing Purpose: Security assessment and behavioral analysis of Controller's AI agent to identify potential vulnerabilities and generate security assessments.

Data Collection: Monitor collects API Endpoint credentials, test prompts sent to Controller's AI agent, API responses received from Controller's AI agent, and assessment results including scores and vulnerability findings.

Persistent Storage: Assessment Data is stored in Processor's database systems to enable Controller to review historical assessments, compare results over time, analyze trends and changes, and implement fixes before re-testing.

Customer-Controlled Retention: Assessment Data is retained until Controller deletes it via the Dashboard or deletes the Controller account. Processor does not automatically delete Assessment Data after a fixed time period.

Deletion Process: Controller may delete Assessment Data at any time through the Dashboard. Deletion requests are executed within 30 days. Upon account termination, all Assessment Data is deleted within 30 days.


2. PROCESSOR OBLIGATIONS

2.1 Processing Instructions

Processor shall process Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required by applicable law. Controller's instructions include: conducting security Assessments of Controller's AI agent endpoint; storing Assessment Data until Controller requests deletion; analyzing API responses to detect vulnerabilities; generating security scores and findings; and providing Controller access to Assessment Data via Dashboard. Processor shall immediately inform Controller if instructions violate Data Protection Laws.

2.2 Confidentiality

Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.3 Security Measures

Processor implements appropriate technical and organizational measures to ensure security appropriate to the risk, as detailed in Appendix C. These measures include:

  • Encryption in transit using TLS 1.3 for all data transmission
  • Encryption at rest using AES-256 for all stored Assessment Data
  • Access controls with multi-factor authentication for Processor personnel
  • Role-based access controls limiting data access to authorized personnel
  • Regular security testing, including third-party penetration testing, vulnerability scanning, and a vulnerability disclosure program (see Appendix C, Sections 4 and 8)
  • Incident response procedures
  • SOC 2 Type II attestation report (planned; target within 12 months; not yet obtained at the Effective Date)
  • Audit logging of all access to Personal Data
  • Secure data deletion procedures

Security measures may be updated to maintain or enhance protection levels without amendment of this DPA (see Section 7.2 and the update provision at the end of Appendix C).

2.4 Sub-processors

Current Sub-processors: Processor currently uses three Sub-processors to provide Monitor (detailed in Appendix B):

Vercel Inc. - Infrastructure orchestration and hosting for Monitor service execution

OpenAI, L.L.C. - AI model services for analyzing and classifying API responses to detect vulnerabilities

Convex, Inc. - Persistent database storage for Assessment Data, credentials, and metadata

Authorization: Controller provides general authorization for Processor to engage Sub-processors listed in Appendix B.

New Sub-processors: Processor shall notify Controller at least 30 days before adding or replacing Sub-processors. Controller may object within 15 days on reasonable grounds relating to data protection. If parties cannot resolve the objection, Controller may terminate the affected Services and receive a pro-rata refund of prepaid fees.

Sub-processor Requirements: Processor ensures Sub-processors are bound by data protection obligations equivalent to those in this DPA, particularly regarding security, confidentiality, and data retention. Processor remains fully liable to Controller for Sub-processor performance.

2.5 Data Subject Rights

Basic Assistance (no additional charge): Processor shall, taking into account the nature of processing, assist Controller by providing:

  • Confirmation of whether Personal Data is processed
  • Dashboard functionality for self-service data access, viewing, and deletion
  • Technical information about processing capabilities
  • API documentation for programmatic data access
  • Standard response within 5 business days to Controller requests

Enhanced Assistance (chargeable): Upon Controller's request, Processor shall provide additional assistance including:

  • Custom data extraction or formatting beyond standard Dashboard exports
  • Complex technical investigations into specific data processing activities
  • Direct communication with data subjects on Controller's behalf
  • Technical support for responding to data subject requests
  • Fees for enhanced assistance will be based on reasonable time and materials charges

Direct Data Subject Requests: If Processor receives a data subject request directly, Processor will promptly forward it to Controller and will not respond to the data subject without Controller's prior authorization, except as required by applicable law.

2.6 Assistance with Controller Obligations

Processor shall, taking into account the nature of processing and information available to Processor, assist Controller in fulfilling Controller's obligations regarding:

  • Security of processing (Article 32 GDPR)
  • Notification of personal data breaches to supervisory authorities (Article 33 GDPR)
  • Communication of personal data breaches to data subjects (Article 34 GDPR)
  • Data protection impact assessments (Article 35 GDPR)
  • Prior consultation with supervisory authorities (Article 36 GDPR)

Such assistance may be subject to reasonable fees if it requires significant Processor resources beyond standard support.

2.7 Data Breach Notification

Upon becoming aware of a Personal Data breach affecting Controller Data, Processor shall:

  • Notify Controller without undue delay and in any event within 72 hours of becoming aware
  • Provide available information about the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of Personal Data records affected, likely consequences of the breach, and measures taken or proposed to address the breach
  • Provide updates as additional information becomes available
  • Cooperate with Controller's investigation and provide reasonable assistance in responding to the breach

2.8 Deletion or Return of Data

Upon termination of Services or upon Controller's request, Processor shall, at Controller's choice:

  • Delete all Personal Data processed under this DPA, including all copies, within 30 days; or
  • Return all Personal Data to Controller in a commonly used electronic format within 30 days

Processor may retain Personal Data to the extent required by applicable law, provided that Processor shall ensure the confidentiality of such Personal Data and shall only process it as required by law.

2.9 Audit Rights

Standard Audit Materials: At no additional charge, Processor shall make available to Controller:

  • Current SOC 2 Type II report (when available)
  • Summary of security measures implemented under this DPA
  • Completed security questionnaires (reasonable frequency and scope)
  • Evidence of Sub-processor compliance with data protection obligations
  • Self-certification of compliance with this DPA

On-Site Audits: Controller may conduct on-site audits or inspections of Processor's facilities and records relating to Personal Data processing, subject to the following conditions:

  • Reasonable advance notice of at least 45 days
  • Maximum frequency of once per year unless there is a suspected breach
  • Conducted during normal business hours with minimal disruption
  • Subject to Processor's reasonable security and confidentiality requirements
  • Reasonable fees may apply to cover Processor's costs
  • Auditor must be independent and sign appropriate confidentiality agreements

Regulatory Audits: If a data protection authority requires an audit, Processor shall cooperate and provide reasonable assistance, subject to applicable law.


3. CONTROLLER OBLIGATIONS

3.1 Lawful Instructions. Controller represents that its processing instructions comply with Data Protection Laws and that it has all necessary rights and lawful bases to provide Personal Data to Processor for processing under this DPA.

3.2 Data Accuracy. Controller is responsible for ensuring the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data.

3.3 Data Subject Consents. Controller is responsible for obtaining all necessary consents and providing all necessary notices to data subjects regarding the processing of their Personal Data under this DPA.

3.4 Special Category Data Prohibition. Controller shall not submit or cause to be processed any Special Category Data (as defined in GDPR Article 9) through Monitor. Controller acknowledges that Monitor's security testing may analyze data returned by Controller's AI agent and that Controller's AI agent may return Personal Data in responses. Controller is solely responsible for ensuring its AI agent does not return Special Category Data. If Special Category Data is processed through Monitor, Controller bears full liability for such processing.

3.5 API Endpoint Authorization. Controller represents and warrants that it has all necessary authorizations to provide API Endpoints to Processor for testing and that such testing does not violate any third-party agreements, terms of service, or applicable laws.


4. INTERNATIONAL DATA TRANSFERS

4.1 Data Locations. Personal Data is processed and stored primarily in the United States. Sub-processors may process Personal Data in the United States and other jurisdictions as specified in Appendix B.

4.2 Transfer Mechanisms. For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States or other countries not subject to an adequacy decision, the parties rely on the following transfer mechanisms:

EU-U.S. Data Privacy Framework: Processor self-certifies compliance with the EU-U.S. Data Privacy Framework as approved by the European Commission (adequacy decision in effect as of July 2023). Processor's Data Privacy Framework certification is available at dataprivacyframework.gov.

UK Extension to EU-U.S. Data Privacy Framework: Processor self-certifies compliance with the UK Extension to the EU-U.S. Data Privacy Framework.

Swiss-U.S. Data Privacy Framework: Processor self-certifies compliance with the Swiss-U.S. Data Privacy Framework.

Standard Contractual Clauses: If the Data Privacy Framework adequacy decisions are invalidated or if Processor's certification lapses, the parties agree that the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 (Module Two: Controller to Processor) are incorporated into this DPA and shall govern international data transfers. Upon request, Processor shall provide executed Standard Contractual Clauses.

4.3 Additional Safeguards. In addition to the transfer mechanisms above, Processor implements supplementary technical and organizational measures including encryption in transit and at rest, access controls and authentication, data minimization, and contractual obligations on Sub-processors.

4.4 Sub-processor Transfers. Processor ensures that Sub-processors located outside the EEA, UK, or Switzerland are subject to appropriate transfer mechanisms, including participation in Data Privacy Framework programs or execution of Standard Contractual Clauses.


5. LIABILITY AND INDEMNIFICATION

5.1 Processor Liability. Processor shall be liable to Controller for damages caused by processing that violates GDPR or this DPA. Processor shall not be liable if Processor proves it is not in any way responsible for the event giving rise to the damage.

5.2 Limitation of Liability. Subject to Section 5.1, Processor's liability under this DPA is subject to the limitation of liability provisions in the Services Agreement.

5.3 Controller Indemnification for Special Category Data. Controller shall indemnify, defend, and hold harmless Processor from any claims, damages, fines, or penalties arising from Controller's breach of Section 3.4 (Special Category Data Prohibition), including any processing of Special Category Data through Monitor.


6. TERM AND TERMINATION

This DPA remains in effect for as long as Processor processes Personal Data on behalf of Controller. This DPA will automatically terminate upon termination of the Services Agreement, subject to the data return and deletion obligations in Section 2.8.


7. GENERAL PROVISIONS

7.1 Conflicts. In case of conflict between this DPA and the Services Agreement regarding Personal Data processing, this DPA prevails.

7.2 Amendments. This DPA may only be amended by written agreement of both parties, except that Processor may update Appendix B (Sub-processors) in accordance with Section 2.4 and Appendix C (Security Measures) in accordance with Section 2.3.

7.3 Governing Law. This DPA is governed by the laws specified in the Services Agreement, except to the extent GDPR or other Data Protection Laws require otherwise.

7.4 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full effect.


APPENDIX A: DETAILS OF PROCESSING

Subject Matter of Processing

Security assessment and behavioral testing of Controller's AI agent to identify potential security vulnerabilities and risks.

Duration of Processing

Processing continues until Controller deletes Assessment Data or terminates the Services Agreement.

Nature and Purpose of Processing

  • Conducting security testing of Controller's AI agent endpoint
  • Receiving and storing responses from Controller's AI agent
  • Analyzing responses using AI models to identify potential vulnerabilities
  • Generating security assessments and findings
  • Storing Assessment Data for Controller review and historical analysis
  • Providing Controller access to Assessment Data via Dashboard

Categories of Data Subjects

End users or individuals whose Personal Data may be processed by Controller's AI agent and returned in API responses during testing. Data subjects are typically Controller's customers or end users who interact with Controller's AI agent.

Types of Personal Data

Monitor may process any Personal Data that Controller's AI agent returns in API responses during testing, including:

  • Identification data (names, email addresses, phone numbers, account identifiers)
  • Contact information
  • Transaction data
  • Usage data
  • Any other Personal Data that Controller's AI agent may return during conversational testing

PROHIBITED: Special Category Data under GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed to uniquely identify a natural person; health data; and data concerning sex life or sexual orientation) is strictly prohibited and must not be processed through Monitor.

Categories of Recipients

  • Processor's authorized personnel with need-to-know for service delivery
  • Sub-processors listed in Appendix B for infrastructure, AI analysis, and data storage
  • No other recipients without Controller's authorization or as required by law

Data Retention and Deletion

Assessment Data is retained until Controller deletes it via the Dashboard or deletes the Controller account. Upon deletion request or account termination, data is deleted within 30 days.


APPENDIX B: SUB-PROCESSORS

Vercel Inc.

Address: 440 N Barranca Ave #4133, Covina, CA 91723, United States

Services Provided: Infrastructure orchestration and hosting. Vercel hosts the service execution layer that communicates with Controller's API Endpoints and routes data between Monitor components.

Data Processed: All data streams temporarily pass through Vercel infrastructure during service execution, including API Endpoint credentials, test prompts, API responses, and routing to OpenAI and Convex.

Processing Location: United States (primary), with global edge network

Security: SOC 2 Type II certified. More information: vercel.com/security

Data Retention: Transient processing only; Vercel does not persistently store Controller Data from Monitor operations.


OpenAI, L.L.C.

Address: 3180 18th Street, San Francisco, CA 94110, United States

Services Provided: AI model services for analyzing and classifying API responses from Controller's AI agent to identify potential vulnerabilities and assess security risks.

Data Processed: API responses received from Controller's AI agent, along with contextual metadata about the assessment being performed.

Processing Location: United States (default). Processing occurs through OpenAI's API services.

Models Used: GPT-5 or future GPT model versions as specified by Processor.

Security: SOC 2 Type II certified. More information: openai.com/security

Data Retention: OpenAI's standard API retention policy applies. OpenAI retains API inputs and outputs for up to 30 days for abuse and misuse monitoring, then deletes them.

Training Opt-Out: Processor's OpenAI API usage is configured with training opt-out. Controller Data submitted to OpenAI via Monitor will not be used to train or improve OpenAI models.

Data Processing Agreement: OpenAI's Data Processing Addendum applies to Processor's use of OpenAI API services.


Convex, Inc.

Address: 555 Bryant Street, Suite 155, Palo Alto, CA 94301, United States

Services Provided: Persistent database storage for all Monitor data, including API Endpoint credentials, Assessment Data, test prompts, API responses, security scores, findings, and metadata.

Data Processed: All Personal Data and Assessment Data collected through Monitor is stored in Convex's database systems.

Processing Location: United States

Security: Industry-standard security measures including encryption at rest and in transit, access controls, and regular security assessments. More information: convex.dev/security

Data Retention: Convex stores Assessment Data persistently until Controller requests deletion via Dashboard or until 30 days after account termination.

Data Processing Agreement: Convex's Data Processing Agreement applies to Processor's use of Convex services.


Sub-processor Changes

Processor will maintain a current list of Sub-processors at superagent.sh/monitor-subprocessors and will update this Appendix B when Sub-processors are added or replaced, subject to the notification and objection procedures in Section 2.4.


APPENDIX C: SECURITY MEASURES

Processor implements the following technical and organizational security measures to protect Personal Data processed under this DPA:

1. Access Controls

Authentication:

  • Multi-factor authentication required for all Processor personnel accessing systems containing Personal Data
  • Strong password policies enforced (minimum 12 characters, complexity requirements)
  • Password rotation every 90 days
  • Account lockout after failed authentication attempts

Authorization:

  • Role-based access control (RBAC) limiting data access to authorized personnel
  • Principle of least privilege applied to all system access
  • Privileged access management for administrative functions
  • Regular access reviews and revocation of unnecessary access

Audit Logging:

  • Comprehensive logging of all access to Personal Data
  • Logs retained for minimum 1 year
  • Log monitoring for suspicious activity
  • Tamper-evident log storage

2. Data Security

Encryption:

  • All Personal Data encrypted in transit using TLS 1.3 or higher
  • All Personal Data encrypted at rest using AES-256 encryption
  • Encryption key management using industry-standard key management systems
  • Regular key rotation

Data Segregation:

  • Logical separation of Controller Data in multi-tenant architecture
  • Database-level isolation of Controller accounts
  • Application-level access controls preventing cross-account data access

Data Minimization:

  • Collection limited to data necessary for service delivery
  • Automated data deletion upon Controller request
  • No processing of Special Category Data

3. Network Security

Perimeter Security:

  • Firewall protection for all systems processing Personal Data
  • Intrusion detection and prevention systems (IDS/IPS)
  • DDoS protection mechanisms
  • Network segmentation isolating sensitive systems

Monitoring:

  • 24/7 security monitoring of infrastructure
  • Automated alerting for security incidents
  • Security information and event management (SIEM) system

4. Application Security

Secure Development:

  • Secure software development lifecycle (SDLC) practices
  • Security requirements integrated into development process
  • Code review including security review before deployment
  • Automated security testing in CI/CD pipeline

Vulnerability Management:

  • Regular vulnerability scanning of applications and infrastructure
  • Penetration testing by third parties annually
  • Prompt patching of identified vulnerabilities based on severity
  • Vulnerability disclosure program

Input Validation:

  • Comprehensive input validation to prevent injection attacks
  • Output encoding to prevent XSS attacks
  • CSRF protection on all state-changing operations
  • Rate limiting to prevent abuse

5. Physical Security

Processor operates no data centers of its own; Monitor runs on Sub-processor infrastructure (Vercel, OpenAI, Convex), and those Sub-processors maintain physical security controls including:

  • Data centers with 24/7 physical security and monitoring
  • Biometric or multi-factor access controls
  • Environmental controls (fire suppression, climate control)
  • Redundant power and network connectivity

6. Organizational Security

Personnel:

  • Background checks for personnel with access to Personal Data (where permitted by law)
  • Confidentiality obligations in employment agreements
  • Security awareness training for all personnel
  • Role-specific security training for engineering and operations teams

Incident Response:

  • Documented incident response plan
  • Incident response team with defined roles and responsibilities
  • Regular incident response drills and tabletop exercises
  • Post-incident review and lessons learned process

Business Continuity:

  • Backup systems for all Personal Data
  • Regular backup testing and restoration drills
  • Disaster recovery plan with defined RTO and RPO
  • Geographic redundancy for critical systems

Vendor Management:

  • Security assessment of Sub-processors before engagement
  • Contractual data protection obligations for all Sub-processors
  • Regular review of Sub-processor security practices
  • Monitoring of Sub-processor security incidents

7. Compliance and Certification

Certifications and Attestations:

  • SOC 2 Type II attestation report (planned; target within 12 months)
  • Regular third-party security audits
  • Data Privacy Framework self-certification (EU-U.S., UK Extension, and Swiss-U.S.; see Section 4.2)

Policies and Procedures:

  • Information security policy
  • Data protection policy
  • Incident response procedures
  • Access control procedures
  • Data retention and deletion procedures
  • Regular policy review and updates

8. Security Testing

Regular Testing:

  • Automated vulnerability scanning (weekly)
  • Penetration testing (annually, or more frequently if material changes)
  • Security code review for all changes to systems processing Personal Data
  • Testing of incident response procedures

Continuous Improvement:

  • Security metrics and KPI tracking
  • Regular security risk assessments
  • Integration of lessons learned from incidents and near-misses
  • Monitoring of emerging threats and vulnerabilities

UPDATES TO SECURITY MEASURES

Processor may update these security measures from time to time to maintain or enhance the security of Personal Data, including adopting new technologies, updating cryptographic standards, or implementing additional controls in response to evolving threats. Material changes that reduce the level of protection will be notified to Controller in advance.


END OF DATA PROCESSING AGREEMENT - MONITOR v1.0