Data Processing Agreement (DPA)
Effective Date: February 7, 2026
Version: 1.0
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: You (the "Customer")
- Data Processor: OpenClaw Systems Inc. ("AgentRegistry", "we", "us")
This DPA supplements our Terms of Service and Privacy Policy and applies to Enterprise and Pro tier customers who process personal data using AgentRegistry.
1. Definitions
"Personal Data": Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
"Processing": Any operation performed on Personal Data, including collection, storage, retrieval, deletion, and transmission.
"Sub-processor": Any third party engaged by AgentRegistry to process Personal Data on behalf of the Customer.
"Data Subject": The individual to whom Personal Data relates.
"GDPR": The General Data Protection Regulation (EU) 2016/679.
"Data Protection Laws": GDPR, CCPA, and other applicable privacy regulations.
2. Scope & Applicability
2.1 Application
This DPA applies when:
- You are a Controller and we are a Processor
- You store Personal Data in AgentRegistry
- You are subject to GDPR, CCPA, or similar laws
2.2 Nature of Processing
Purpose: Provide secure storage and retrieval of encrypted agent memory data.
Duration: For the term of your subscription, plus the retention period specified in our Privacy Policy.
Type of Data: Encrypted agent memory, account information, usage metadata.
Categories of Data Subjects: Your end users, employees, or agents (as defined by you).
3. Obligations of the Data Processor (AgentRegistry)
3.1 Lawful Processing
We will:
- Process Personal Data only on your documented instructions
- Not use Personal Data for any purpose other than providing the Service
- Ensure personnel processing Personal Data are bound by confidentiality obligations
- Comply with GDPR Articles 28-36
3.2 Data Security (Article 32)
We implement appropriate technical and organizational measures, including:
- End-to-end encryption (AES-256-GCM)
- Zero-knowledge architecture (we cannot access your unencrypted data)
- TLS 1.3 for data in transit
- Multi-region replication with encrypted backups
- DDoS protection and Web Application Firewall (WAF)
- Regular security audits and penetration testing
- SOC 2 Type II certification (in progress, Q2 2026)
3.3 Sub-processors (Article 28(2))
We may engage Sub-processors to assist in providing the Service. Current Sub-processors include:
| Sub-processor | Service | Location |
|---|---|---|
| Cloudflare Inc. | CDN & Infrastructure | Global |
| Amazon Web Services (AWS) | Data Storage | US, EU |
| Stripe Inc. | Payment Processing | US |
| SendGrid (Twilio) | Transactional Emails | US |
| Sentry | Error Monitoring | US |
Customer Consent: By accepting this DPA, you provide general authorization for us to engage Sub-processors.
Notification: We will notify you of any new Sub-processors at least 30 days in advance via email. You may object within 30 days; if we cannot accommodate your objection, you may terminate the agreement.
Sub-processor Agreements: All Sub-processors are bound by written agreements imposing data protection obligations no less protective than this DPA.
3.4 Data Subject Rights (Articles 12-22)
We will assist you (to the extent possible given our zero-knowledge architecture) in responding to Data Subject requests:
- Access (Article 15)
- Rectification (Article 16)
- Erasure ("Right to be Forgotten", Article 17)
- Restriction of Processing (Article 18)
- Data Portability (Article 20)
- Objection (Article 21)
Note: Because we use end-to-end encryption, we cannot access or modify your unencrypted data. You are responsible for providing data to Data Subjects.
3.5 Data Breach Notification (Article 33)
In the event of a Personal Data breach, we will:
- Notify you within 72 hours of becoming aware
- Provide details: nature of breach, categories and number of Data Subjects affected, likely consequences, and measures taken
- Cooperate with you to investigate and remediate the breach
Note: Because of end-to-end encryption, most breaches will not result in exposure of unencrypted Personal Data.
3.6 Data Protection Impact Assessment (Article 35)
We will provide reasonable assistance if you are required to conduct a Data Protection Impact Assessment (DPIA).
3.7 Audits & Inspections (Article 28(3)(h))
You may audit our compliance with this DPA:
- Self-Certification: We provide annual SOC 2 Type II reports (available upon request)
- Onsite Audits: Enterprise customers may request onsite audits (fees apply, once per year)
- Questionnaires: We will respond to reasonable security questionnaires
4. Obligations of the Data Controller (Customer)
4.1 Lawful Instructions
You represent and warrant that:
- Your instructions comply with Data Protection Laws
- You have a lawful basis for processing Personal Data
- You have provided necessary notices and obtained required consents from Data Subjects
4.2 Data Minimization
You agree to:
- Only store Personal Data necessary for your purposes
- Implement appropriate retention and deletion policies
- Not store special categories of data (Article 9) without additional safeguards
4.3 Encryption Keys
You are responsible for:
- Securely managing your encryption keys
- Not sharing keys with unauthorized parties
- Rotating keys in accordance with best practices
If you lose your keys, we cannot recover your data.
5. International Data Transfers
5.1 Data Residency
- EU Customers: Data stored in EU data centers (Frankfurt, Dublin) by default
- US Customers: Data stored in US data centers
- Other Regions: Closest available data center
5.2 Cross-Border Transfers (Articles 44-50)
When Personal Data is transferred outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs): Approved by the European Commission (2021/914)
- Adequacy Decisions: For transfers to countries with adequate protection (e.g., UK, Switzerland)
SCCs: By accepting this DPA, you and we agree to be bound by the Standard Contractual Clauses (Module 2: Controller-to-Processor).
5.3 Supplementary Measures
In addition to SCCs, we implement supplementary measures:
- End-to-end encryption (renders data inaccessible to third parties)
- Minimization of data transfers
- Transparent disclosure of law enforcement requests (see Transparency Report)
6. Data Deletion & Return
6.1 Upon Termination
Upon termination or expiration of your subscription, we will:
- Option 1: Delete all Personal Data within 30 days
- Option 2: Return your data in a standard format (JSON, CSV) within 30 days (you must request this before termination)
Backups: Data in backups will be purged within 90 days in accordance with our retention schedule.
6.2 Legal Holds
We may retain data longer if required by:
- Legal or regulatory obligations
- Ongoing litigation or investigations
6.3 Certification of Deletion
Upon request, we will provide written certification that data has been deleted.
7. Liability & Indemnification
7.1 Limitation of Liability
To the maximum extent permitted by law:
- Our liability under this DPA is limited to the amounts specified in the Terms of Service
- We are not liable for breaches caused by your failure to secure encryption keys or follow security best practices
7.2 Indemnification
Each party indemnifies the other for:
- Breaches of this DPA caused by their own actions or omissions
- Fines or penalties imposed by Data Protection Authorities due to their own non-compliance
8. Term & Termination
8.1 Term
This DPA is effective as of the date you accept these terms and remains in effect for the duration of your subscription.
8.2 Termination
This DPA terminates automatically upon:
- Termination of your subscription
- Mutual written agreement
- Material breach that is not cured within 30 days
8.3 Survival
Sections 6 (Data Deletion), 7 (Liability), and 10 (Miscellaneous) survive termination.
9. Contact Information
For DPA-related inquiries, contact:
Data Protection Officer (DPO):
Email: dpo@savedagent.com
Legal Department:
Email: legal@savedagent.com
Address: OpenClaw Systems Inc., 123 Innovation Drive, San Francisco, CA 94105, USA
EU Representative:
Email: eu-rep@savedagent.com
Address: AgentRegistry EU, Kurfürstendamm 123, 10787 Berlin, Germany
10. Execution
By using AgentRegistry with a Pro or Enterprise account, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.
This DPA is effective as of February 7, 2026.