Data Processing Agreement
Effective date: March 26, 2026
For Enterprise Customers
This Data Processing Agreement ("DPA") forms part of the agreement between KOWEX Co. Holding ("Processor") and the subscribing entity ("Controller") for the use of the AgentForge platform. To request a countersigned copy of this DPA for your organization, contact us below.
1. Parties
This DPA is entered into between:
- Data Controller ("Controller"): The customer entity that has entered into a subscription agreement for AgentForge services and determines the purposes and means of processing personal data.
- Data Processor ("Processor"): KOWEX Co. Holding, a company registered in the Czech Republic, operating the AgentForge platform at agentforge.community.
2. Scope of Processing
The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the AgentForge platform services, including:
- Providing access to the AgentForge API and dashboard
- Hosting and serving MCP server configurations
- Processing API requests between agents and MCP servers
- Maintaining usage logs and analytics
- Managing authentication and access control
- Processing subscription and billing operations
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law.
3. Categories of Data Processed
The following categories of personal data may be processed under this DPA:
| Category | Data Elements | Data Subjects |
|---|---|---|
| Account information | Email address, display name, authentication credentials (hashed) | Controller's employees, authorized users |
| API usage data | Endpoints called, timestamps, response codes, rate-limit counters | Controller's employees, agents |
| Server metadata | MCP server names, descriptions, tool definitions, capabilities | Controller's employees |
| Technical data | IP addresses, user agent strings, request metadata | Controller's employees, agents |
4. Security Measures
The Processor implements and maintains the following technical and organizational measures to ensure the security of personal data in accordance with GDPR Article 32:
- Encryption at rest: All database storage is encrypted using AES-256. API keys are stored as salted hashes.
- Encryption in transit: All data transmitted between clients, servers, and sub-processors is protected by TLS 1.2 or higher.
- Access controls: Role-based access control (RBAC) with least-privilege principles. Multi-factor authentication for administrative access. Row Level Security (RLS) enforced at the database layer.
- Audit logging: All API access and administrative actions are logged with timestamps, actor identification, and action details. Logs are retained for 90 days.
- Infrastructure security: Managed hosting on Supabase (SOC 2 Type II) and Vercel with automated patching and vulnerability scanning.
- Incident response: Documented incident response procedures with defined roles and communication protocols.
5. Sub-processors
The Controller grants general authorization for the Processor to engage the following sub-processors. The Processor shall notify the Controller at least 30 days in advance of any intended changes to sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, storage | EU (Frankfurt, Germany) |
| Stripe Inc. | Payment processing, subscription management | EU |
| Vercel Inc. | Application hosting, edge delivery | EU edge (global CDN) |
| Anthropic PBC | AI-powered features (agent recommendations) | US (with SCCs) |
6. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
- Provide comprehensive details including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
- Cooperate fully with the Controller in investigating the breach and fulfilling the Controller's notification obligations to supervisory authorities and affected data subjects.
- Document all breaches regardless of severity, maintaining records of facts, effects, and remedial actions taken.
7. Data Return and Deletion
Upon termination or expiry of the service agreement, the Processor shall, at the Controller's choice:
- Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON export), including account data, server configurations, and usage logs.
- Delete all personal data within 30 days of the termination date, including all copies in active systems and backups, except where retention is required by EU or Member State law.
The Processor shall provide written confirmation of deletion upon request. Billing records may be retained for up to 10 years as required by Czech accounting law (Act No. 563/1991 Coll.).
8. Audit Rights
The Controller has the right to verify the Processor's compliance with this DPA:
- Annual audits: The Controller may conduct or commission an independent audit of the Processor's data processing activities once per calendar year, with at least 30 days' prior written notice.
- Scope: Audits may cover security measures, sub-processor management, data handling procedures, and breach response capabilities.
- Cooperation: The Processor shall provide all information necessary to demonstrate compliance, including access to relevant facilities, systems, and personnel during normal business hours.
- Certification alternative: The Processor may satisfy audit requirements by providing current SOC 2 Type II reports, ISO 27001 certifications, or equivalent independent assessments.
9. International Transfers
The Processor shall not transfer personal data outside the European Economic Area (EEA) except where:
- The European Commission has issued an adequacy decision for the destination country (GDPR Article 45).
- Appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46(2)(c)).
- A Transfer Impact Assessment (TIA) has been conducted and documented for the specific transfer.
Currently, the only sub-processor located outside the EEA is Anthropic PBC (United States), for which SCCs are in place and AI processing does not involve persistent storage of personal data.
10. Contact for DPA Execution
To request execution of this DPA, discuss terms, or inquire about our data protection practices:
KOWEX Co. Holding — Enterprise Team
Email: enterprise@agentforge.community
Data Protection Officer: privacy@agentforge.community
This DPA is governed by the laws of the Czech Republic. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of the Czech Republic. This DPA shall remain in effect for the duration of the Controller's use of AgentForge services and for as long as the Processor retains any personal data processed on behalf of the Controller.