AgencyEngine

Data Processing Agreement

Effective: May 6, 2026

Version 1.0

This Data Processing Agreement ("DPA") is incorporated by reference into the Agency Engine Terms of Service. It is automatically binding on every Agency Engine customer ("Controller") processing personal data through the Platform. No counter-signature is required; acceptance of the Terms constitutes execution of this DPA.

1. Background and Definitions

Agency Engine Inc. ("Processor") provides software-as-a-service to Controller. In doing so, Processor processes Personal Data on behalf of Controller. This DPA governs that processing.

Capitalized terms have the following meanings:

  • Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"); the UK GDPR and Data Protection Act 2018; the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and any other privacy or data protection law applicable to Processor's processing of Personal Data on Controller's behalf.
  • Personal Data, Data Subject, Controller, Processor, Process / Processing, Sub-processor, and Personal Data Breach have the meanings given in GDPR Art. 4. For US-only processing, equivalent CCPA/CPRA terms apply: Personal Information, Consumer, Business, Service Provider.
  • SCCs means the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor) are incorporated by reference and apply where personal data of EEA, UK, or Swiss Data Subjects is transferred from Controller to Processor.
  • UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018.

2. Scope and Roles

For the purpose of this DPA, Controller is the "controller" (GDPR) / "business" (CCPA/CPRA), and Processor is the "processor" (GDPR) / "service provider" (CCPA/CPRA). Controller determines the purposes and means of processing; Processor processes Personal Data only on documented instructions from Controller, including with regard to international transfers.

3. Subject Matter, Duration, Nature, and Purpose

  • Subject matter: Processor's provision of CRM, communications, AI assistance, analytics, billing, and support services to Controller as described in the Terms.
  • Duration: the term of Controller's subscription, plus 30 days for export and 90 days for deletion, plus any retention period required by law.
  • Nature and purpose: hosting, transmitting, displaying, organizing, retrieving, analyzing, and otherwise processing Personal Data to perform the Platform on Controller's instructions.
  • Categories of Data Subjects: Controller's prospects, clients, leads, household members, beneficiaries, referral sources, and any other natural person whose Personal Data Controller inputs into the Platform.
  • Categories of Personal Data: contact identifiers (name, email, phone, address); demographic information (age, gender, household income range); insurance-relevant information (health questionnaire responses, prior coverage, beneficiary designations); communication content (call recordings, SMS, email); marketing attribution (UTM, gclid, IP, user agent); behavioral data (form submissions, page views).
  • Special categories may incidentally include health information voluntarily provided by Data Subjects in connection with insurance applications, processed only to enable Controller to quote and bind insurance products. Processor does not separately solicit special-category data.

4. Processor Obligations

Processor will:

  1. Process Personal Data only on documented instructions from Controller (including these Terms, the Platform's configuration settings, and any subsequent written instructions), unless required to do so by law to which Processor is subject; in such case, Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information.
  2. Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  3. Implement and maintain the technical and organizational measures described in Annex II below, appropriate to the risk presented.
  4. Engage Sub-processors only in compliance with Section 5 below.
  5. Taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill Controller's obligation to respond to Data Subject rights requests under GDPR Chapter III, CCPA/CPRA, or other applicable law.
  6. Assist Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to Processor.
  7. On termination of services, at Controller's election, delete or return all Personal Data and delete existing copies, except where law requires storage.
  8. Make available to Controller all information necessary to demonstrate compliance with this DPA, and allow for audits as described in Section 8.

5. Sub-processors

General authorization. Controller hereby grants general authorization for Processor to engage Sub-processors. The current list of Sub-processors is available at agencyengine.app/subprocessors.

Notice of changes. Processor will provide at least 30 days' prior notice (by email or in-Platform) of any addition or replacement of Sub-processors. Controller may object on reasonable grounds related to data protection within that notice period; if the parties cannot resolve the objection, Controller may terminate the affected services and receive a prorated refund of prepaid fees.

Sub-processor obligations. Processor will impose on every Sub-processor data protection obligations no less protective than those in this DPA. Where the Sub-processor fails to fulfill its data protection obligations, Processor remains fully liable to Controller for the performance of the Sub-processor's obligations.

6. International Data Transfers

Where Personal Data of Data Subjects in the EEA, UK, or Switzerland is transferred to Processor in the United States or to any Sub-processor outside the EEA, UK, or Switzerland in a country that has not received an adequacy decision, the parties incorporate by reference and agree to be bound by:

  • The EU SCCs (Implementing Decision (EU) 2021/914): Module 2 (Controller-to-Processor) where Controller is the data exporter; Module 3 (Processor-to-Processor) where Controller is itself a processor for the Data Subject.
  • The UK Addendum for Personal Data subject to the UK GDPR.
  • For Personal Data subject to Swiss FADP, references in the SCCs to GDPR are deemed to include FADP, and the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for Swiss Data Subjects.

SCC parameter selections (auto-completed):

  • Clause 7 (Docking clause): not applicable.
  • Clause 9(a) (Sub-processor authorization): General written authorization, with at least 30 days' prior notice of changes per Section 5 above.
  • Clause 11(a) (Independent dispute resolution): the parties opt out of independent dispute resolution.
  • Clause 17 (Governing law): Irish law for transfers from the EEA; English & Welsh law for the UK Addendum.
  • Clause 18 (Choice of forum and jurisdiction): the courts of Ireland for the SCCs; the courts of England and Wales for the UK Addendum.
  • Annex I to the SCCs is completed by Section 3 above (Categories of Data Subjects and Personal Data), Section 7 (Security), and /subprocessors (Sub-processor list).
  • Annex II to the SCCs is completed by Annex II of this DPA below.

7. Security and Personal Data Breach

Processor maintains the technical and organizational measures listed in Annex II. Processor will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Controller's Personal Data. Notice will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address it. Processor will assist Controller in fulfilling Controller's breach-notification obligations to supervisory authorities and Data Subjects.

8. Audit Rights

On reasonable prior written notice (no less than 30 days, except in the event of a Personal Data Breach), no more than once per year, and at Controller's expense, Controller may audit Processor's compliance with this DPA. Processor may satisfy this obligation by providing the most recent third-party SOC 2 Type II report, ISO 27001 certification, or equivalent industry-standard attestation covering Processor's services. Audits must be conducted during business hours, with minimum disruption, and subject to confidentiality obligations.

9. CCPA/CPRA Service Provider Terms

For Personal Information of California consumers, Processor acts as a "service provider" or "contractor" under Cal. Civ. Code § 1798.140(ag), (j). Processor:

  1. Will not Sell or Share Personal Information as those terms are defined under CCPA/CPRA;
  2. Will not retain, use, or disclose Personal Information for any purpose other than the specific purposes in the Terms and this DPA, including not for any "commercial purpose" outside the direct business relationship with Controller;
  3. Will not retain, use, or disclose Personal Information outside the direct business relationship with Controller;
  4. Will not combine the Personal Information received from Controller with Personal Information from any other source, except as expressly permitted by Cal. Civ. Code § 1798.140(ag)(1) (e.g., for purposes of detecting security incidents);
  5. Will comply with all applicable obligations under CCPA/CPRA and provide the same level of privacy protection required of Controller;
  6. Will notify Controller if Processor determines it can no longer meet its obligations under CCPA/CPRA;
  7. Permits Controller to take reasonable and appropriate steps to (i) ensure Processor uses the Personal Information consistent with Controller's obligations under CCPA/CPRA and (ii) stop and remediate unauthorized use of Personal Information;
  8. Will assist Controller in fulfilling Controller's obligations to respond to Consumer requests under CCPA/CPRA.

Processor certifies that it understands the restrictions in this Section 9.

10. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set forth in the Terms, except that nothing in the Terms or this DPA limits or excludes liability where doing so would be prohibited by Applicable Data Protection Law (including, where applicable, Data Subjects' rights against Processor under SCC Clause 12).

11. Term and Termination

This DPA takes effect on the date Controller accepts the Terms and continues for the duration of the Terms. On expiration or termination of the Terms, Sections 4(g), 5 (with respect to surviving Sub-processor obligations), 7, 8, 9, and 10 survive.

Annex I — Description of Processing

A. List of Parties.

  • Data exporter (Controller): Controller, as identified by the email and business information on file in the Platform.
  • Data importer (Processor): Agency Engine Inc., a New Mexico C corporation, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM, 87110. Contact: dpo@agencyengine.app.

B. Description of Transfer. See Section 3 above (Subject matter, duration, nature, purpose, categories of Data Subjects and Personal Data).

C. Competent Supervisory Authority. For EEA Data Subjects, the supervisory authority of Controller's establishment, or, where Controller is not established in the EEA, the supervisory authority of the EEA member state in which the Data Subjects are located. For UK Data Subjects, the UK Information Commissioner's Office.

Annex II — Technical and Organizational Measures

  • Encryption in transit: TLS 1.2+ for all data in transit over public networks.
  • Encryption at rest: AES-256-GCM for sensitive credentials (OAuth tokens, MFA secrets, encrypted columns); database storage encryption at rest by infrastructure provider.
  • Authentication: bcrypt password hashing; multi-factor authentication available; short-lived JWTs for session authentication; CSRF protection on all state-changing endpoints.
  • Access controls: Postgres row-level security (RLS) enforces strict tenant isolation; principle of least privilege for staff access; quarterly access reviews; audit logging of administrative access.
  • Network security: Cloudflare WAF; rate limiting on all public endpoints; DDoS protection; egress allowlist for outbound traffic.
  • Vulnerability management: automated dependency scanning; CodeQL static analysis; Dependabot updates; security patches deployed within 7 days of vendor release for critical vulnerabilities.
  • Logging and monitoring: Sentry error monitoring; structured application logs retained 90 days; security event logs retained for the period required by law.
  • Backup and disaster recovery: hosted infrastructure provider performs continuous replication and point-in-time recovery for paid database tiers; backups encrypted at rest.
  • Personnel: all personnel with access to Personal Data are bound by written confidentiality obligations; access removed within 24 hours of role change or departure.
  • Vendor due diligence: Sub-processors are evaluated for SOC 2 Type II, ISO 27001, or equivalent attestations before engagement; reviewed annually.
  • Incident response: documented incident response plan; on-call rotation; postmortems conducted for any incident impacting Personal Data.
  • Secure development: code review on every change; CI pipeline enforces type checks, tests, lint, and security scans before deploy; staged deployments with automated rollback.

Annex III — Sub-processors

The current list of authorized Sub-processors is maintained at agencyengine.app/subprocessors and incorporated by reference into this DPA.

Contact

Questions about this DPA: dpo@agencyengine.app. Privacy questions: privacy@agencyengine.app.