Data Processing Agreement
Last updated: April 16, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and ZUI TECHNOLOGY, S.L. (“Processor” or “HostAgentes”) under which HostAgentes provides managed hosting for AI agents and open-source tools (the “Services”) at https://www.hostagentes.com.
This DPA reflects the parties’ agreement with respect to the Processing of Personal Data under Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018, and other applicable data protection laws.
1. Definitions
- “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, “Sub-processor”: as defined in the GDPR.
- “Customer Data”: any data Controller submits to the Services, including agent configurations, knowledge bases, logs, and end-user content.
2. Roles and scope
Controller determines the purposes and means of processing. Processor processes Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
3. Subject matter and duration
- Subject matter: hosting and processing of Customer Data for the operation of AI agent workloads on Paperclip, OpenClaw, Activepieces, Dify, Flowise, and Langflow.
- Duration: for the term of the subscription, plus 30 days for data deletion.
- Nature and purpose: automated hosting, execution, storage, and monitoring of Customer workloads.
- Types of Personal Data: account data, agent configurations, prompts, completions, logs, and any end-user data the Controller chooses to submit.
- Categories of Data Subjects: Controller’s authorised users, Controller’s end customers, and any individual whose data Controller chooses to submit.
4. Processor obligations
HostAgentes shall:
- Process Personal Data only on Controller’s documented instructions, as set out in the Agreement and this DPA.
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures as described in our Security page, including encryption at rest (AES-256) and in transit (TLS 1.3), access controls, and audit logging.
- Assist Controller in responding to Data Subject requests under Articles 15–22 of the GDPR.
- Assist Controller with personal data breach notifications, DPIAs, and prior consultations with supervisory authorities (Articles 32–36 GDPR).
- Delete or return all Personal Data after the end of the provision of the Services, except where storage is required by law.
- Make available to Controller all information necessary to demonstrate compliance with GDPR and allow for audits on reasonable notice.
5. Sub-processors
Controller provides general authorisation for HostAgentes to engage sub-processors. A current list is published at hostagentes.com/legal/subprocessors. Current sub-processors include:
- Infrastructure: Amazon Web Services (AWS), Vercel.
- Database: Supabase (PostgreSQL).
- Payments: Stripe.
- Email: Resend / Postmark.
- Analytics: Microsoft Clarity (only after end-user consent).
HostAgentes shall notify Controller of any intended changes to sub-processors at least 30 days in advance. Controller may object in writing; if the parties cannot agree a reasonable solution, Controller may terminate affected Services.
6. International transfers
Where Personal Data is transferred outside the EEA or UK, HostAgentes shall rely on one of the transfer mechanisms recognised by GDPR Chapter V, including the Standard Contractual Clauses (2021/914) incorporated herein by reference for EEA transfers, and the UK Addendum for UK transfers.
7. Security of processing
Technical and organisational measures applied by HostAgentes are described at /legal/security and include, without limitation:
- Customer workloads in isolated execution environments with logical separation.
- AES-256 encryption at rest, TLS 1.3 in transit, automated key rotation.
- Role-based access controls, MFA for all administrative access.
- Continuous vulnerability scanning, patching, and monitoring.
- Immutable audit logs with tamper-evident storage.
- Regular penetration testing and third-party security reviews.
8. Breach notification
HostAgentes shall notify Controller without undue delay (and within 72 hours of becoming aware) of any Personal Data breach affecting Controller’s data, including a description of the breach, its likely consequences, and the mitigation measures taken or proposed.
9. Audits
Controller may audit HostAgentes’s compliance with this DPA on reasonable notice during business hours. Where available, SOC 2 Type II and equivalent third-party reports will be made available under NDA in lieu of on-site audit.
10. Return and deletion
On termination of the Services, HostAgentes shall delete Customer Data and existing copies within 30 days, unless law requires retention. Controller may request an export of Customer Data within that window.
11. Liability
Each party’s liability under this DPA is subject to the limitations in the Agreement. Nothing in this DPA limits either party’s liability to Data Subjects under applicable data protection law.
12. Governing law
This DPA is governed by the laws of Spain. Any disputes are subject to the exclusive jurisdiction of the courts of Madrid, Spain, save for mandatory protections granted to Data Subjects under applicable law.
13. Order of precedence
In the event of conflict, this DPA takes precedence over the Agreement with respect to Personal Data processing, and the Standard Contractual Clauses take precedence over this DPA with respect to EEA transfers.
14. Entire agreement
This DPA, together with the Agreement, constitutes the entire agreement between the parties relating to the Processing of Personal Data under the Services.
Execute this DPA
If you’re an enterprise customer and need a countersigned copy of this DPA, email privacy@hostagentes.com with your company details and we’ll return a signed copy within 48 hours.
This DPA is a template and does not constitute legal advice. Review with your counsel before relying on it.