Data Processing Agreement
最近更新: 2026-07-18
This is the Article 28 agreement referenced by the Privacy Policy and Terms of Service. A countersigned copy is available on request at contact@agent4.io.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and SUCHKA Spółka z ograniczoną odpowiedzialnością, ul. Stefana Batorego 18/108, 02-591 Warsaw, Poland, KRS 0001219139, NIP 7011295965 ("Processor", "agent4.io"), and applies where the Processor processes personal data on the Controller's behalf under Article 28 GDPR.
Where this DPA conflicts with the Terms of Service, this DPA prevails on data protection matters.
1. Roles
The Controller determines the purposes and means of processing the personal data it puts into the platform — uploaded documents, its end users' conversations, derived memories and end-user identifiers. The Processor processes that data only to provide the service.
The Processor is an independent controller of its own customer account and billing data; that processing is governed by the Privacy Policy, not by this DPA.
2. Subject matter, duration, nature and purpose
Subject matter. Provision of the agent4.io platform: knowledge retrieval, conversation handling across web and messaging channels, per-end-user memory, scheduled follow-ups, and tool invocation.
Duration. For as long as the Controller's account is active, plus the deletion periods in §9.
Nature and purpose. Storage, indexing, embedding, retrieval, transmission, encryption, generation of replies, and deletion — in each case to operate the service for the Controller.
Categories of data subjects. The Controller's end users, and any individuals mentioned in the content the Controller uploads.
Types of personal data. Identifiers assigned by the Controller; contact details its agents are configured to collect; the content of conversations; facts derived from those conversations; and whatever personal data appears in uploaded documents — which the Controller decides.
Special categories. The platform is not designed for Article 9 data. If the Controller's use involves it — plausible in legal, immigration or health-adjacent work — the Controller is responsible for its lawful basis and for any resulting DPIA, and should tell us before doing so.
3. Processing on instructions
The Processor processes personal data only on the Controller's documented instructions, which consist of this DPA, the Terms of Service, and the Controller's configuration and use of the platform, including any transfer of data to a third country the Controller configures.
The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection law, and may suspend that instruction until it is confirmed or withdrawn.
Where the Processor is required by law to process beyond the Controller's instructions, it will inform the Controller before doing so unless that law prohibits it.
The Processor does not use the Controller's personal data to train models for other customers, and does not sell it.
4. Confidentiality
The Processor ensures that persons authorised to process the personal data are bound by confidentiality obligations, and limits access to personnel who need it to perform their duties.
5. Security
The Processor implements the technical and organisational measures in Annex II, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing, as well as the risk to data subjects.
6. Sub-processors
The Controller gives general authorisation for the sub-processors listed in Annex III.
The Processor will give the Controller at least 30 days' notice before adding or replacing a sub-processor. The Controller may object on reasonable data protection grounds within that period; if the objection cannot be resolved, the Controller may terminate the affected part of the service without penalty, with a pro-rata refund of prepaid fees for the unused term.
The Processor imposes on each sub-processor data protection obligations no less protective than these, and remains fully liable to the Controller for its sub-processors' performance.
7. Data subject requests
Taking into account the nature of the processing, the Processor assists the Controller with appropriate technical and organisational measures in fulfilling requests to exercise data subject rights.
The platform provides the Controller with direct means to access, export, correct and delete end-user data. Where a request reaches the Processor directly, it will not respond on the Controller's behalf, but will forward it to the Controller without undue delay.
8. Breach notification and assistance
The Processor notifies the Controller without undue delay, and in any case within 48 hours, of becoming aware of a personal data breach affecting the Controller's data, with the information available to it and updates as the investigation proceeds.
The Processor assists the Controller with its obligations under Articles 32 to 36 GDPR, including data protection impact assessments and prior consultation, taking into account the nature of the processing and the information available to it.
9. Deletion and return
The Controller may delete its data at any time through the platform. On termination, the Processor deletes the Controller's personal data within 30 days, except where Union or Member State law requires retention, and will confirm deletion in writing on request.
Backups are purged on the ordinary rotation cycle. Until then, backup copies remain subject to this DPA.
Export functions are available while the account is active; the Controller is responsible for exporting what it needs before closing the account.
10. Audits
The Processor makes available the information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates.
Audits are at most once per year — unless a breach or a supervisory authority requires otherwise — on at least 30 days' notice, during business hours, subject to confidentiality, and conducted so as not to disrupt the service or affect other customers. The Controller bears its own costs.
11. International transfers
Personal data is processed in the region stated in Annex I and may be transferred to the sub-processors in Annex III.
Where a transfer is made to a third country without an adequacy decision, it is made under the European Commission's standard contractual clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller to processor) or Module 3 (processor to processor) as applicable, which are incorporated into this DPA by reference and prevail over it in case of conflict. For UK personal data, the UK International Data Transfer Addendum applies. The supplementary measures relied on are those in Annex II, in particular field-level encryption of customer content keyed per space.
12. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service, except where those limitations are not permitted by applicable data protection law.
Annex I — Processing details
| Controller | The customer identified in the account |
| Processor | SUCHKA sp. z o.o., Warsaw, Poland |
| Processing region | Amazon Web Services, us-west-2 (Oregon, United States) |
| Frequency | Continuous, for the duration of the agreement |
| Retention | Until deleted by the Controller, or 30 days after termination |
Annex II — Technical and organisational measures
- Encryption at rest. Customer content is encrypted at field level with keys scoped per space, so access to the database alone does not yield readable conversations or documents.
- Optional end-to-end encryption for sensitive conversations.
- Encryption in transit. TLS on all external connections.
- Tenant and space isolation enforced at database level through row-level security, not solely by application code.
- Access control. Administrative access restricted to personnel who require it, authenticated individually, and logged. API keys are scoped per tenant and revocable.
- Data minimisation in inference. Only the current message, the passages retrieved for it and the memories retrieved for that end user are sent to a model — not the Controller's knowledge base as a whole, and never another controller's data.
- Segregation. Each tenant's data, tool configuration and credentials are separated; one tenant's agents cannot address another's resources.
- Backups encrypted and rotated; restoration tested.
- Logging of administrative actions and security-relevant events.
Annex III — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Compute, database, object storage, backups | United States (us-west-2) |
| Stripe (where payment processing is enabled) | Subscription billing | Ireland / United States |
| Email delivery provider | Transactional email | See current list |
| Model providers | Language and embedding inference | See current list |
Where the Controller configures its own model provider or its own MCP-connected systems, those are the Controller's processors, not ours, and are outside this Annex.
The current list, and notice of changes, is available at contact@agent4.io.