Data Processing Agreement

Provider processes personal data on behalf of Customer within the provision of "The Protocol" platform services according to the Main Agreement.

The duration corresponds to the term of the Main Agreement.

• Storage of agent metadata
• Processing of transaction data
• Identity management (SPIFFE/SPIRE)
• Log analysis and monitoring
• Backup and disaster recovery

Provision of infrastructure for autonomous AI agents according to agreed services.

• Identification data (names, email addresses)
• Contact data
• Technical identifiers (IP addresses, DIDs)
• Transaction data
• Log data
• Contract data

• Customer employees
• Customer's customers
• Agent operators
• Other authorized users

Processor shall process data only on documented instructions from Customer.

Processor ensures all personnel are bound by confidentiality per Art. 28(3)(b) GDPR.

Processor implements technical and organizational measures per Art. 32 GDPR (see Annex 1).

• Approval required for new sub-processors
• Current list in Annex 2
• Same data protection obligations

Assistance with:

• Data subject rights (Art. 12-22 GDPR)
• Data protection impact assessments
• Data breach notifications
• Supervisory authority communication

• Inspection of relevant documents
• Access to business premises (with notice)
• Conduct audits
• Obtain information

• Issue additional instructions
• Change processing procedures
• Deletion instructions

• Technical/organizational changes
• Key personnel changes
• Location changes

• AES-256 for data at rest
• TLS 1.3 for transmission
• Key management with HSM

• 24/7 Security Operations Center
• Intrusion Detection System (IDS)
• Security Information and Event Management (SIEM)

• Documented incident response plan
• 24/7 on-call service
• Regular drills

• ISO 27001
• SOC 2 Type II