
Data Processing Agreement

Integracio — AI Agents as a Service

Effective Date: March 25, 2026
Last Updated: March 25, 2026


Parties

Data Processor:
Space IT sp. z o.o., registered in Poland ("Processor", "Integracio")
Contact: info@integrac.io

Data Controller:
The entity or individual subscribing to the Integracio platform ("Controller", "Client")

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Controller and the Processor, and governs the processing of personal data by the Processor on behalf of the Controller in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").


1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • Processing — any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • Sub-Processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • SCCs — Standard Contractual Clauses approved by the European Commission for international data transfers.

2. Scope and Purpose of Processing

2.1. Subject Matter

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Integracio AI agent platform services as described in the Terms of Service.

2.2. Nature and Purpose

| Processing Activity | Purpose |
|---|---|
| AI inference (prompts and responses) | Generating AI agent responses to Controller's or Controller's end-users' queries |
| Data storage (Firestore, GCS) | Maintaining conversation history, client profiles, agent state |
| Integration data processing | Accessing Controller's connected third-party services (calendar, email, etc.) |
| Transcription and summarization | Processing meeting recordings into structured summaries |
| Embedding and vector search | Enabling Knowledge Base (RAG) functionality |

2.3. Categories of Data Subjects

  • Controller's employees and authorized users
  • Controller's customers or contacts (where Controller uses CRM or communication agents)

2.4. Types of Personal Data

  • Email addresses
  • Names and professional roles
  • Conversation content (messages, queries, AI responses)
  • Calendar entries, email metadata, meeting recordings
  • Contact information (when using CRM agent)
  • Usage metrics and interaction logs

2.5. Duration

Processing continues for the duration of the service agreement. Upon termination, data is handled per Section 10 of this DPA.


3. Obligations of the Processor

The Processor shall:

3.1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by EU or Member State law — in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).

3.2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 5.

3.4. Not engage another processor (Sub-Processor) without prior written authorization of the Controller, subject to Section 6.

3.5. Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by appropriate technical and organizational measures.

3.6. Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultations with supervisory authorities (Articles 32–36 GDPR).

3.7. At the choice of the Controller, delete or return all Personal Data upon termination and delete existing copies, unless EU or Member State law requires storage.

3.8. Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations, and allow for and contribute to audits and inspections (see Section 8).


4. Obligations of the Controller

The Controller shall:

4.1. Ensure that it has a valid legal basis for processing Personal Data and for instructing the Processor to process it on its behalf.

4.2. Provide documented processing instructions to the Processor.

4.3. Ensure compliance with data subject notification obligations (Articles 13–14 GDPR) for data processed through the Service.

4.4. Notify the Processor promptly of any data subject requests that the Processor must assist with.


5. Technical and Organizational Measures

The Processor implements the following security measures:

5.1. Encryption

| Layer | Measure |
|---|---|
| In transit | TLS 1.3 (public endpoints), WireGuard/Tailscale (internal infrastructure) |
| At rest | AES-256 encryption (Firestore, GCS, Secret Manager — Google-managed keys) |

5.2. Access Control

  • Role-based access control for all systems
  • No Processor personnel access to Controller data in plain text
  • OAuth tokens and credentials stored exclusively in Google Secret Manager
  • Multi-factor authentication for infrastructure access

5.3. Data Isolation

  • Per-client data paths in Firestore (clients/{client_id}/...)
  • Per-client storage prefixes in Google Cloud Storage
  • Per-client vector DB collections in Qdrant
  • Stateless AI inference (no cross-client data leakage)

5.4. Infrastructure Security

  • AI inference endpoints (vast.ai, Mac mini) accessible only via private VPN mesh (Tailscale)
  • No direct public access to databases or inference servers
  • Automated health checks and monitoring

5.5. Incident Response

  • 24/7 automated monitoring and alerting
  • Documented incident response procedures
  • Data breach notification per Section 7

6. Sub-Processors

6.1. Authorized Sub-Processors

The Controller hereby provides general written authorization for the Processor to engage the following Sub-Processors:

| Sub-Processor | Processing Activity | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure: compute, storage, secrets management | EU (europe-west3, europe-west4) |
| Google (Vertex AI / Gemini) | AI inference (primary LLM provider) | EU regions |
| Anthropic | AI inference (fallback LLM provider) | EU-accessible |
| Stripe | Payment and subscription processing | EU/EEA |
| Postmark / SendGrid | Transactional email delivery | EU/US (covered by EU-US Data Privacy Framework or SCCs) |
| vast.ai | GPU compute for self-hosted AI inference (ephemeral processing only) | EU region instances |

6.2. Notification of Changes

The Processor shall notify the Controller of any intended changes to the list of Sub-Processors (additions or replacements) at least 30 days before the change, providing the Controller an opportunity to object.

6.3. Objection Right

If the Controller objects to a new Sub-Processor on reasonable data protection grounds, the Processor will make reasonable efforts to provide an alternative arrangement. If no alternative is feasible, the Controller may terminate the affected part of the Service without penalty.

6.4. Sub-Processor Obligations

The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations.


7. Data Breach Notification

7.1. Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting the Controller's Personal Data.

7.2. Notification Content

The notification shall include:

  • Nature of the breach, including categories and approximate number of data subjects and records affected
  • Name and contact details of the Processor's point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

7.3. Ongoing Updates

The Processor shall provide ongoing updates as more information becomes available, and cooperate with the Controller in investigating and remedying the breach.

7.4. Controller's Obligations

The Controller is responsible for assessing whether the breach requires notification to the supervisory authority (Article 33 GDPR) or to affected data subjects (Article 34 GDPR).


8. Audits and Inspections

8.1. Audit Right

The Controller (or an independent auditor appointed by the Controller) may conduct audits to verify the Processor's compliance with this DPA, subject to reasonable notice (at least 30 days), during business hours, and no more than once per calendar year (unless a Data Breach has occurred or a supervisory authority requires an audit).

8.2. Scope

Audits may cover:

  • Technical and organizational security measures
  • Sub-Processor management
  • Data breach response procedures
  • Data deletion and retention practices

8.3. Cooperation

The Processor shall cooperate with audits and provide necessary access to relevant systems, facilities, and documentation. The Controller shall bear the costs of audits unless the audit reveals material non-compliance by the Processor.

8.4. Certifications and Reports

Where available, the Processor may satisfy audit requirements by providing relevant certifications, SOC 2 reports, or third-party audit reports.


9. International Data Transfers

9.1. Primary Processing Location

All primary data processing occurs within the EU/EEA.

9.2. Transfers Outside EEA

Where Sub-Processors process data outside the EEA, the Processor ensures adequate protection through:

  • Adequacy decisions by the European Commission
  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)

9.3. Transfer Impact Assessment

The Processor shall, upon request, provide the Controller with information necessary to conduct a transfer impact assessment for any data transfers outside the EEA.


10. Data Return and Deletion

10.1. During the Agreement

The Controller may request a data export at any time during the service period. Data will be provided in a structured, machine-readable format (JSON or CSV).

10.2. Upon Termination

Upon termination of the service agreement:

  1. The Processor shall continue to store Controller data for 30 days to allow data export
  2. After 30 days, all Controller Personal Data shall be permanently deleted from all systems (Firestore, GCS, Qdrant, Secret Manager)
  3. The Processor shall provide written confirmation of deletion upon request
  4. Billing records required by tax law are retained as legally mandated and are not considered Controller Personal Data for the purpose of deletion

10.3. Exceptions

Data may be retained beyond the deletion period only if required by EU or Member State law. The Processor shall inform the Controller of any such legal requirement.


11. Liability

Liability for data protection breaches is governed by GDPR Article 82 and the limitation of liability provisions in the Terms of Service, to the extent permitted by applicable law.


12. Term and Amendments

12.1. Term

This DPA is effective as of the date the Controller accepts the Terms of Service and remains in effect for the duration of the service agreement, plus the data deletion period described in Section 10.

12.2. Amendments

This DPA may be amended by the Processor to reflect changes in applicable law or regulatory guidance. Material changes will be communicated to the Controller at least 30 days in advance.


13. Governing Law

This DPA is governed by and construed in accordance with the laws of the Republic of Poland. Any disputes shall be resolved per the dispute resolution provisions of the Terms of Service.


14. Contact

For DPA-related queries:

Space IT sp. z o.o.
Email: info@integrac.io


This Data Processing Agreement is provided as a template and should be reviewed by qualified legal counsel before use in production.
