# Data Processing Agreement

*Template — April 2026*
*Execute a signed version: security@agentlattice.com*

> **Important:** This is a template for discussion purposes only. It is not a complete executed DPA. Standard Contractual Clauses (SCCs) annexes (Annex I, II, and III) are required for GDPR-compliant international data transfers and are provided separately during the execution process. Do not self-execute this template without completing the SCC annexes. Contact security@agentlattice.com to initiate a signed DPA.

---

This Data Processing Agreement ("DPA") forms part of the AgentLattice Terms of Service or other written agreement between AgentLattice, Inc. ("Processor") and the customer entity identified in the applicable order form or agreement ("Controller").

---

## 1. Definitions

**"Personal Data"** means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.

**"Processing"** has the meaning given in applicable Data Protection Laws.

**"Data Protection Laws"** means all applicable laws and regulations relating to the processing of Personal Data, including the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) as applicable.

**"Services"** means the AgentLattice platform and related services provided under the Agreement.

**"Subprocessor"** means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

---

## 2. Roles and Responsibilities

The parties acknowledge that:

a) The Controller is the data controller of Personal Data processed in connection with the Services.

b) The Processor is a data processor acting on behalf of the Controller.

c) The Processor will process Personal Data only on documented instructions from the Controller, including those set out in this DPA and the Agreement.

---

## 3. Nature and Purpose of Processing

**Subject matter:** AgentLattice processes action metadata generated by AI agents operating on behalf of the Controller. This includes agent identity information, action type records, policy evaluation results, and audit trail data.

**Duration:** For the term of the Agreement, and as required by applicable law following termination.

**Nature:** Collection, storage, retrieval, deletion, and analysis of action metadata for governance, audit, and policy enforcement purposes.

**Purpose:** Providing AI agent governance, identity management, policy enforcement, anomaly detection, and compliance reporting services.

**Categories of data subjects:** The Controller's employees, contractors, and systems acting as or operating AI agents.

**Categories of Personal Data:** Agent identity references (identifiers, not personal details), operator email addresses, action metadata, and audit records as described in the AgentLattice Privacy Policy.

---

## 4. Processor Obligations

The Processor shall:

a) Process Personal Data only on documented instructions from the Controller.

b) Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
   - AES-256 encryption at rest
   - TLS 1.2+ encryption in transit
   - Logical tenant isolation via row-level security
   - Tamper-evident cryptographic audit log chains
   - Access controls and privileged access management

d) Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data breach.

e) Make available all information necessary to demonstrate compliance with obligations in this DPA.

f) Not engage any new Subprocessor without either prior written authorization from the Controller or compliance with the general authorization mechanism described in Section 5.

---

## 5. Subprocessors

The Controller provides general written authorization for the Processor to engage Subprocessors, subject to the following conditions:

a) The Processor maintains a current list of Subprocessors at agentlattice.com/security/subprocessors.

b) The Processor will notify the Controller of any intended addition or replacement of Subprocessors by updating the subprocessors page and notifying enterprise customers by email at least 30 days in advance.

c) If the Controller objects to the new Subprocessor on reasonable grounds relating to data protection, the Controller may notify the Processor in writing within 30 days of notification. If the parties cannot resolve the objection, the Controller may terminate the affected Services upon written notice.

d) The Processor will impose data protection terms on Subprocessors that are equivalent to those in this DPA.

---

## 6. Data Subject Rights

The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a data subject exercising their rights under applicable Data Protection Laws. The Processor shall not respond to such requests without the Controller's prior written consent, unless required by applicable law.

---

## 7. Security

The Processor implements and maintains appropriate technical and organizational security measures as described in the AgentLattice Security Overview (available at agentlattice.com/security and downloadable from that page).

These measures include, but are not limited to: encryption at rest and in transit, logical data isolation, tamper-evident audit logging, anomaly detection, access controls, incident response procedures, and regular security assessments.

---

## 8. Audits

The Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to:

a) Reasonable advance notice (at least 30 days)

b) Confidentiality obligations on the Controller's auditor

c) Cost-bearing by the Controller for audits beyond annual frequency

The Processor may satisfy audit obligations by providing its most recent third-party audit reports (SOC 2 Type II report upon completion, or current Vanta readiness evidence) under NDA.

---

## 9. International Data Transfers

Where the processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a country not providing an adequate level of data protection, the parties agree to rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), Module 2 (Controller-to-Processor), as the appropriate transfer mechanism.

Upon execution, the parties will complete and attach: Annex I (description of processing and transfer), Annex II (technical and organizational security measures), and Annex III (list of subprocessors). These annexes are provided separately as part of the DPA execution process — contact security@agentlattice.com to initiate.

*Note: This template is not a complete executed DPA. SCC annexes are required for GDPR compliance and are finalized during the execution process.*

---

## 10. Deletion and Return of Data

Upon termination of the Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data to the Controller within 90 days, and delete existing copies, unless applicable law requires storage of the Personal Data.

---

## 11. Term

This DPA is effective for the duration of the Agreement and survives termination to the extent required by applicable Data Protection Laws.

---

## 12. Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data.

---

*This is a template for discussion purposes. To execute a signed DPA, contact security@agentlattice.com.*

*Controller (Customer):*
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: _______________________

*Processor (AgentLattice, Inc.):*
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: _______________________
