Data Processing Agreement
Effective date: 26 March 2026
1. Parties
This DPA is entered into between:
- Data Controller ("Controller"): The customer entity that has entered into a subscription agreement for AgentForge services and determines the purposes and means of processing of personal data.
- Data Processor ("Processor"): KOWEX Co. Holding, a company registered in the Czech Republic, operating the AgentForge platform at agentforge.community.
2. Scope of Processing
The Processor shall process personal data on behalf of the Controller only for the purpose of providing the AgentForge platform services, including:
- Providing access to the AgentForge API and dashboard
- Hosting and serving of MCP server configurations
- Processing of API requests between agents and MCP servers
- Maintaining usage logs and analytics
- Managing authentication and access control
- Processing of subscription and billing operations
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law.
3. Categories of Data Processed
The following categories of personal data may be processed under this DPA:
| Category | Data Elements | Data Subjects |
|---|---|---|
| Account information | Email address, display name, authentication credentials (hashed) | Controller's employees, authorized users |
| API usage data | Endpoints called, timestamps, response codes, rate-limit counters | Controller's employees, agents |
| Server metadata | MCP server names, descriptions, tool definitions, capabilities | Controller's employees |
| Technical data | IP addresses, user agent strings, request metadata | Controller's employees, agents |
4. Security Measures
The Processor implements and maintains the following technical and organizational measures to ensure the security of personal data in accordance with GDPR Article 32:
- Encryption at rest: All database storage is encrypted with AES-256. API keys are stored as salted hashes.
- Encryption in transit: Data transmitted between clients, servers, and sub-processors is protected with TLS 1.2 or higher.
- Access controls: Role-based access control (RBAC) with least-privilege principles. Multi-factor authentication for administrative access. Row Level Security (RLS) enforced at the database layer.
- Audit logging: All API access and administrative actions are logged with timestamps, actor identification, and action details. Logs are retained for 90 days.
- Infrastructure security: Managed hosting on Supabase (SOC 2 Type II) and Vercel with automated patching and vulnerability scanning.
- Incident response: Documented incident response procedures with defined roles and communication protocols.
5. Sub-processors
The Controller grants general authorization for the Processor to engage the following sub-processors. The Processor shall notify the Controller at least 30 days in advance of any intended changes to the sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, storage | EU (Frankfurt, Germany) |
| Stripe Inc. | Payment processing, subscription management | EU |
| Vercel Inc. | Application hosting, edge delivery | EU edge (global CDN) |
| Anthropic PBC | AI-powered features (agent recommendations) | US (with SCCs) |
6. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
- Provide comprehensive details including the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Cooperate fully with the Controller in the investigation of the breach and in fulfilling the Controller's notification obligations to supervisory authorities and affected data subjects.
- Document all breaches regardless of severity, maintaining records of the facts, effects, and remedial actions taken.
7. Data Return and Deletion
Upon termination or expiry of the service agreement, the Processor shall, at the Controller's choice:
- Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON export), including account data, server configurations, and usage logs.
- Delete all personal data within 30 days of the termination date, including all copies in active systems and backups, unless retention is required by EU or Member State law.
The Processor shall provide written confirmation of deletion on request. Billing records may be retained for up to 10 years as required by Czech accounting law (Act No. 563/1991 Coll.).
8. Audit Rights
The Controller has the right to verify the Processor's compliance with this DPA:
- Annual audits: The Controller may conduct or commission an independent audit of the Processor's data processing activities once per calendar year, with at least 30 days' prior written notice.
- Scope: Audits may cover security measures, sub-processor management, data handling procedures, and breach response capabilities.
- Cooperation: The Processor shall provide all information necessary to demonstrate compliance, including access to relevant facilities, systems, and personnel during normal business hours.
- Certification alternative: The Processor may satisfy audit requirements by providing current SOC 2 Type II reports, ISO 27001 certifications, or equivalent independent assessments.
9. International Transfers
The Processor shall not transfer personal data outside the European Economic Area (EEA) unless:
- The European Commission has issued an adequacy decision for the destination country (GDPR Article 45).
- Appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46(2)(c)).
- A Transfer Impact Assessment (TIA) has been carried out and documented for the specific transfer.
Currently, the only sub-processor located outside the EEA is Anthropic PBC (United States), for which SCCs are in place and AI processing does not involve persistent storage of personal data.
10. Contact for DPA Execution
To request execution of this DPA, discuss terms, or raise questions about our data protection practices:
KOWEX Co. Holding — Enterprise Team
Email: enterprise@agentforge.community
Data Protection Officer: privacy@agentforge.community
This DPA is governed by the law of the Czech Republic. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of the Czech Republic. This DPA shall remain in effect for the duration of the Controller's use of AgentForge services and for as long as the Processor retains any personal data processed on behalf of the Controller.