Data Processing Agreement (DPA)
1. Scope & roles
This DPA applies where we process personal data on the Customer's behalf in providing the Service. The Customer is the controller (or itself a processor acting for a third-party controller) and we are the processor. It incorporates the EU/UK Standard Contractual Clauses where required (Section 9). If this DPA conflicts with the Terms, this DPA controls for data-protection matters.
2. Processing on documented instructions
We process Customer personal data only on the Customer's documented instructions (including as set out in the Terms, this DPA, and the Customer's configuration and use of the Service), and as required by applicable law (in which case we inform the Customer unless legally prohibited). We will tell the Customer if, in our opinion, an instruction infringes applicable data-protection law.
3. Confidentiality
We ensure that personnel authorized to process Customer personal data are bound by confidentiality and are trained on their obligations, and we limit access on a least-privilege, need-to-know basis.
4. Security
We implement and maintain the technical and organizational measures in Annex II, appropriate to the risk, in accordance with Article 32 GDPR. On the Confidential tier, processing occurs inside hardware-attested secure enclaves with fail-closed verification.
5. Sub-processors
The Customer provides general authorization for us to engage sub-processors to provide the Service. Current categories are listed in Annex III; a current named list is available on request. We will give the Customer at least thirty (30) days' prior notice before adding or replacing a sub-processor, during which the Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Service. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain responsible for their performance.
6. Assistance to the Controller
Taking into account the nature of processing, we provide reasonable assistance to the Customer for: (a) responding to data-subject requests (access, rectification, erasure, restriction, portability, objection); (b) security of processing, breach notification, and data-protection impact assessments and prior consultations (Articles 32–36 GDPR). Where a data subject contacts us directly, we will refer them to the Customer.
7. Personal-data breach notification
We notify the Customer of a personal-data breach affecting Customer personal data without undue delay, and no later than forty-eight (48) hours after becoming aware, with the information reasonably available to help the Customer meet its own notification obligations.
8. Return or deletion
On termination or expiry, at the Customer's choice we return or delete Customer personal data within thirty (30) days, and delete existing copies, except where retention is permitted or required by law or necessary for our or our customers' compliance, audit, or dispute-resolution obligations. The Customer acknowledges that signed Proof-of-Task-Execution (PoTE) records are retained for at least six (6) months (or longer where required) to support audit and record-keeping; these contain limited metadata, not the full payload.
9. International transfers
Where we transfer Customer personal data out of the EEA, UK, or Switzerland, the parties agree to the applicable EU Standard Contractual Clauses (Module Two or Three, as appropriate) and the UK International Data Transfer Addendum, which are incorporated by reference and completed by the details in Annex I. The SCCs are governed by the law of the Republic of Ireland.
10. Audits
We make available information necessary to demonstrate compliance with this DPA, including third-party reports or certifications where available, on request. The Customer may conduct an on-site audit no more than once per 12-month period, on at least 30 days' notice, during business hours, under confidentiality, and at the Customer's cost — except where a breach has occurred or a supervisory authority requires otherwise, in which case audits may be more frequent.
11. Liability & governing law
Liability under this DPA is subject to the limitations in the Terms. This DPA is governed by the laws of the State of Delaware, USA (except that the incorporated SCCs are governed as stated in Section 9).
Annex I — Processing details
| Item | Detail |
|---|---|
| Controller | The Customer (and any third-party controller it represents) |
| Processor | AugmentEV, Inc., a Delaware corporation |
| Subject matter | Provision of the AugmentEV / Paseo agent-execution Service |
| Duration | The term of the Terms of Service plus any retention period in Section 8 |
| Nature & purpose | Executing AI agent jobs submitted by the Customer and generating signed Proof-of-Task-Execution records |
| Types of personal data | Account/contact data; and any personal data the Customer includes in job inputs/outputs (determined and controlled by the Customer) |
| Categories of data subjects | As determined by the Customer (e.g., the Customer's users, customers, or end-users) |
| Special-category data | Only if the Customer chooses to submit it; the Customer is responsible for any additional safeguards required |

Annex II — Technical & organizational measures
- Encryption in transit: TLS 1.3 for data in transit.
- Encryption at rest & key management: encryption at rest with keys managed in FIPS 140-3, Level 3 validated hardware security modules.
- Confidential execution: Confidential-tier jobs run inside hardware-attested secure enclaves; attestation gates key release; fail-closed (unverified jobs are rejected).
- Access control: least-privilege, role-based access; multi-factor authentication for administrative access.
- Network security: network isolation, a hardened public gateway, rate limiting, and restricted administrative surfaces.
- Logging & integrity: signed, tamper-evident Proof-of-Task-Execution records and security logging.
- Resilience & recovery: backups and recovery procedures appropriate to the current (single-availability-zone, early-access) configuration.
- Governance: secure development practices, vendor due diligence, and an incident-response process.
Annex III — Sub-processors (categories)
| Category | Purpose |
|---|---|
| Cloud infrastructure & key management | Compute, storage, key management, Confidential-tier enclaves |
| Payment processing | Billing and metered payments |
| Customer-relationship & web forms | Intake forms and communications |
| Hosting, CDN & security | Website delivery and protection |

A current list of the specific named sub-processors is available to customers on request.