Data Processing Agreement (DPA)
Last Updated: 2 November 2025
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions and applies when you ("Customer", "Data Controller") use TaskAGI ("TaskAGI", "we", "Data Processor") to process personal data as defined by the EU General Data Protection Regulation (GDPR) and UK Data Protection Act 2018.
1. Definitions and Interpretation
1.1. Definitions: Terms used in this DPA have the meanings given in GDPR Article 4, including:
- Personal Data: Information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.)
- Data Controller: You (the Customer), who determines the purposes and means of processing
- Data Processor: TaskAGI, who processes personal data on behalf of the Controller
- Sub-processor: Third-party services engaged by TaskAGI to assist in processing (see Sub-processors List)
- Data Subject: The identified or identifiable individual whose personal data is processed
1.2. Applicability: This DPA applies when you process personal data through TaskAGI workflows, integrations, or AI models.
2. Roles and Responsibilities
2.1. Customer as Data Controller:
- You determine what personal data to process and for what purposes
- You are responsible for the lawfulness of processing
- You must have a legal basis (consent, contract, legitimate interest, etc.) to process data
- You are responsible for obtaining data subject consents and honoring their rights
2.2. TaskAGI as Data Processor:
- We process personal data only on your documented instructions
- We do not determine the purposes or means of processing
- We assist you in meeting GDPR obligations (see Section 7)
- We implement appropriate technical and organizational measures (see Section 5)
2.3. Instructions: Your use of the Service constitutes documented instructions to process personal data. TaskAGI will only process personal data:
- As configured in your workflows and integrations
- As necessary to provide the Service under our Terms
- As required by EU or Member State law (we will notify you unless legally prohibited)
3. Data Processing Details
3.1. Subject Matter: Provision of automation and AI agents platform services
3.2. Duration: For the term of your subscription and 90 days after termination (for data recovery)
3.3. Nature and Purpose:
- Executing customer-defined workflows
- Processing data through third-party integrations (365+ services)
- Processing data through AI models (30+ AI providers)
- Web scraping and data enrichment services
- Webhook processing and scheduled task execution
3.4. Types of Personal Data:
- Contact information (names, email addresses, phone numbers)
- Customer/lead data from CRM systems
- Payment and transaction data from e-commerce platforms
- Marketing data (email campaigns, social media interactions)
- Data scraped from websites
- Any other personal data you choose to process via workflows
3.5. Categories of Data Subjects:
- Your customers and leads
- Your employees and contractors
- Website visitors (if you use web scraping)
- Any other individuals whose data you process
Note: The specific data processed depends entirely on your workflow configurations.
4. Sub-processors
4.1. General Authorization: You authorize TaskAGI to engage sub-processors to assist in providing the Service, subject to the requirements of this Section.
4.2. Current Sub-processors: A complete, up-to-date list of sub-processors is available at taskagi.net/subprocessors.
Key sub-processor categories include:
- Cloud Infrastructure: Server hosting and data storage providers
- AI Model Providers: OpenAI, Anthropic, Google, ElevenLabs, Replicate (30+ total)
- Integration Services: 365+ third-party APIs you choose to connect
- Payment Processors: Stripe, PayPal, and other payment gateways
- Analytics: Google Analytics
- Support Tools: Crisp Chat
4.3. Sub-processor Requirements: TaskAGI ensures that sub-processors:
- Provide sufficient guarantees of GDPR compliance
- Are bound by data protection obligations equivalent to this DPA
- Implement appropriate technical and organizational security measures
- Process data only on TaskAGI's instructions (which derive from your instructions)
4.4. New Sub-processors:
- We will update the sub-processors list at least 30 days before engaging new sub-processors
- You can subscribe to email notifications of sub-processor changes
- If you object to a new sub-processor on reasonable data protection grounds, you may terminate the affected Service within 30 days
4.5. Liability: TaskAGI remains fully liable to you for sub-processor performance under this DPA.
5. Security Measures
5.1. Technical and Organizational Measures (TOMs): TaskAGI implements appropriate measures to ensure data security, including:
5.2. Technical Security:
- Encryption at Rest: AES-256 encryption for stored credentials (OAuth tokens, API keys)
- Encryption in Transit: TLS 1.2+ for all data transmissions
- Access Controls: Role-based access control (RBAC), multi-factor authentication for admin access
- Network Security: Firewalls, intrusion detection systems, DDoS protection
- Secure Development: Code reviews, vulnerability scanning, penetration testing
5.3. Organizational Security:
- Access Limitation: Access to personal data limited to authorized personnel on a need-to-know basis
- Confidentiality: Employees bound by confidentiality obligations
- Training: Regular security and data protection training for staff
- Incident Response: Documented data breach response procedures
- Vendor Management: Due diligence on sub-processor security practices
5.4. Physical Security:
- Data centers with 24/7 monitoring, access controls, and environmental protections
- Third-party certifications (ISO 27001, SOC 2 - where applicable via cloud providers)
5.5. Contact security@taskagi.net for detailed information about our security measures.
6. International Data Transfers
6.1. Transfers Outside EU/UK: Some sub-processors are located outside the European Economic Area (EEA) and United Kingdom, particularly in the United States (e.g., OpenAI, Google, AWS).
6.2. Transfer Mechanisms: We ensure adequate safeguards for international transfers using:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (2021 version)
- Adequacy Decisions: Where the European Commission has determined adequate protection exists
- Supplementary Measures: Additional technical/organizational measures beyond SCCs where required
6.3. Your Responsibilities:
- By using third-party integrations located outside the EU/UK, you authorize these transfers
- You are responsible for informing data subjects about international transfers
- You must ensure you have a legal basis for transfers (e.g., explicit consent, contractual necessity)
6.4. SCC Documentation: We will provide copies of executed SCCs upon request to privacy@taskagi.net.
7. Assisting Data Controller Obligations
TaskAGI will assist you (to the extent possible) in fulfilling your GDPR obligations:
7.1. Data Subject Rights: We will assist you in responding to data subject requests:
- Right of Access: Provide data subject's personal data we hold on your behalf
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Delete data upon valid request
- Right to Restriction: Temporarily restrict processing
- Right to Portability: Export data in structured, machine-readable format (JSON)
- Right to Object: Cease processing upon valid objection
Process: Forward data subject requests to privacy@taskagi.net. We will respond within 10 business days with necessary data/actions.
7.2. Data Breach Notification:
- We will notify you of personal data breaches affecting your data without undue delay and within 72 hours of becoming aware
- Notification will include: nature of breach, affected data categories, estimated number of data subjects, likely consequences, mitigation measures
- You remain responsible for notifying supervisory authorities and data subjects as required by GDPR Articles 33 & 34
7.3. Data Protection Impact Assessments (DPIAs):
- We will provide reasonable information about our processing practices to assist you in conducting DPIAs
- Contact privacy@taskagi.net for DPIA assistance
7.4. Prior Consultation with Supervisory Authority:
- We will provide necessary information if you must consult a supervisory authority
7.5. Audit Rights:
- You may audit TaskAGI's compliance with this DPA once per year upon 30 days' written notice
- Audits must be conducted during business hours and not disrupt operations
- We may provide audit reports and certifications in lieu of on-site audits
- You are responsible for audit costs
8. Data Retention and Deletion
8.1. Retention Period:
- We retain personal data only as long as necessary to provide the Service
- Workflow execution logs: 90 days
- Account data: Duration of subscription + 90 days after termination
- Backup copies: Up to 30 days for disaster recovery
8.2. Data Deletion: Upon termination or expiry of the Service:
- We will delete or return all personal data processed on your behalf (your choice)
- Deletion will occur within 90 days unless EU or Member State law requires longer storage
- You can request earlier deletion at privacy@taskagi.net
8.3. Certification of Deletion: Upon request, we will provide written certification of data deletion.
9. Confidentiality
9.1. TaskAGI ensures that personnel authorized to process personal data:
- Are subject to confidentiality obligations (by contract or statute)
- Receive appropriate data protection training
- Access personal data only on a need-to-know basis
10. Term and Termination
10.1. Term: This DPA remains in effect for as long as we process personal data on your behalf.
10.2. Termination: This DPA will automatically terminate when we cease all processing of your personal data.
10.3. Survival: Sections that should reasonably survive termination (confidentiality, limitation of liability) will continue to apply.
11. Liability and Indemnification
11.1. GDPR Liability Framework: Liability for GDPR violations is governed by GDPR Articles 82-84.
11.2. Liability Cap: Subject to applicable law, TaskAGI's aggregate liability under this DPA is limited as specified in the Terms and Conditions.
11.3. Customer Indemnification: You indemnify TaskAGI against claims arising from:
- Your violation of data protection laws
- Your processing instructions that violate GDPR
- Lack of legal basis for processing
- Failure to obtain required data subject consents
12. Governing Law and Jurisdiction
12.1. This DPA is governed by EU and UK law.
12.2. Disputes will be subject to the exclusive jurisdiction of EU/UK courts.
12.3. This DPA does not limit your rights under GDPR or data subjects' rights under GDPR.
13. Changes to This DPA
13.1. We may update this DPA to reflect changes in law, regulations, or data protection guidance.
13.2. Material changes will be communicated via email at least 30 days in advance.
13.3. Continued use after changes constitutes acceptance.
14. Contact and DPO
For DPA-related inquiries, data breach notifications, or data subject requests:
Privacy/DPA Inquiries: privacy@taskagi.net
Data Subject Requests: GDPR Data Rights Form
Security Incidents: security@taskagi.net