Data Processing Agreement

Last updated: March 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between AgileTune ("Processor") and the customer ("Controller") for the provision of services as described in our Terms of Service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.

2. Scope of Processing

The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. The categories of data processed include account information, usage data, and any content uploaded to the Service by the Controller's authorized users.

3. Data Processing Obligations

The Processor shall:

  • Process Personal Data only in accordance with the Controller's documented instructions
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return all Personal Data upon termination of the agreement, at the Controller's choice
  • Make available all information necessary to demonstrate compliance

4. Security Measures

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Regular access control reviews and principle of least privilege
  • Automated backup and disaster recovery procedures
  • Employee security training and background checks
  • Incident response procedures and breach notification processes
  • Regular penetration testing and vulnerability assessments

5. Sub-processors

The Processor shall not engage a Sub-processor without prior written authorization from the Controller. The Processor maintains a list of current Sub-processors and shall notify the Controller of any intended additions or replacements at least 30 days in advance, giving the Controller the opportunity to object.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations to respond to Data Subject requests exercising their rights under GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly notify the Controller upon receiving any such request directly.

7. Data Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) without ensuring adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms.

8. Term and Termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days and certify the deletion in writing.

9. Contact

For questions about this DPA or to request a signed copy, please contact us at legal@agiletune.com.