Data Processing Agreement
Effective date: June 11, 2026 · Last updated: June 11, 2026
This Data Processing Agreement ("DPA") is entered into between AgentVitals ("Processor") and the customer using the AgentVitals Service ("Controller") and is incorporated into the AgentVitals Terms of Service. This DPA applies where and to the extent that AgentVitals processes Personal Data on behalf of the Controller in connection with the Service and such processing is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), or other applicable data protection laws.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by AgentVitals on behalf of the Controller in connection with the Service.
"Processing" has the meaning given under applicable data protection law and includes any operation performed on Personal Data.
"Controller" means the entity that determines the purposes and means of processing Personal Data (i.e., the AgentVitals customer).
"Processor" means AgentVitals, which processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by AgentVitals to process Personal Data on the Controller's behalf.
2. Scope and Nature of Processing
AgentVitals processes Personal Data only to the extent necessary to deliver the Service as described in the Terms of Service. Details of the processing:
- Subject-matter: AI agent readiness scanning of websites; generation and delivery of code fix pull requests; CI gate enforcement; account management.
- Duration: For the term of the Controller's subscription, plus any retention period required by applicable law.
- Nature: Collection, storage, analysis, transmission to GitHub (pull request delivery), and secure deletion.
- Purpose: Providing the AgentVitals platform as contracted.
- Categories of data subjects: The Controller's employees and end users whose data appears in scanned websites or is submitted via the Service.
- Categories of Personal Data: Email addresses; GitHub usernames; repository contents (to the extent they contain Personal Data); IP addresses; usage and event data.
3. Controller Instructions
AgentVitals processes Personal Data only on the documented instructions of the Controller (as set out in the Terms of Service and this DPA) or as required by applicable law. If applicable law requires processing beyond the Controller's instructions, AgentVitals will inform the Controller before processing unless prohibited by law. The Controller warrants that it has a lawful basis to submit Personal Data to AgentVitals for processing.
4. Technical and Organizational Security Measures
AgentVitals implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- AES-256 encryption at rest for credentials and stored tokens (GitHub installation tokens, API keys).
- TLS 1.2 or higher for all data transmission in transit.
- HMAC signature verification on all inbound webhook events (including GitHub webhook deliveries), so that events whose signature does not match the raw request body are rejected, to prevent spoofing and tampering.
- Tenant isolation at the database level (row-level filtering by account ID).
- Least-privilege access controls for employees and contractors accessing production systems.
- Regular monitoring of infrastructure for security anomalies and unauthorized access attempts.
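The HMAC webhook verification listed above is the one measure a reviewer of this DPA can check mechanically. The following is an added illustration, not AgentVitals' code: it shows the pattern as GitHub applies it (an `X-Hub-Signature-256` header carrying `sha256=<hex HMAC of the raw body>`), verified with a constant-time comparison over the raw bytes before any parsing. The secret, request body and header names are constructed for the example and are not values from the Service.

```python
"""Constant-time HMAC-SHA256 verification of inbound webhook deliveries.

Added example, not AgentVitals' code. Follows the X-Hub-Signature-256
convention GitHub uses; the secret, body and headers are constructed here.
"""
import hashlib
import hmac

# Shared secret configured on both sender and receiver (constructed value).
WEBHOOK_SECRET = b"example-webhook-secret-do-not-reuse"

SIGNATURE_HEADER = "X-Hub-Signature-256"


def sign_body(secret: bytes, body: bytes) -> str:
    """Return the header value a legitimate sender attaches to a delivery."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def _get_header(headers: dict, name: str):
    """HTTP header names are case-insensitive; look the header up accordingly."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Accept a delivery only if the signature header is present, well-formed
    and matches the HMAC of the raw body.

    The check runs over the exact bytes received, never over re-serialized
    JSON, and uses hmac.compare_digest so the comparison time does not reveal
    how many leading characters of a forged signature happen to match.
    """
    header = _get_header(headers, SIGNATURE_HEADER)
    if not header:
        return False
    scheme, sep, received = header.partition("=")
    if sep != "=" or scheme.lower() != "sha256" or not received:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Exercise the accept path and the three common rejection paths."""
    # Constructed stand-in for a pull-request webhook payload.
    body = b'{"action":"opened","pull_request":{"number":42}}'
    genuine = {SIGNATURE_HEADER: sign_body(WEBHOOK_SECRET, body)}
    forged = {SIGNATURE_HEADER: sign_body(b"attacker-guess", body)}
    return {
        "genuine": verify_webhook(WEBHOOK_SECRET, body, genuine),
        # Signature was computed over a different body than the one delivered.
        "tampered_body": verify_webhook(
            WEBHOOK_SECRET, body.replace(b"42", b"43"), genuine
        ),
        # Signature computed with a secret the receiver does not share.
        "forged_secret": verify_webhook(WEBHOOK_SECRET, body, forged),
        # Unsigned delivery must not be treated as trusted.
        "missing_header": verify_webhook(WEBHOOK_SECRET, body, {}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Two details matter in practice: verification must happen before the body is deserialized (a JSON round-trip can change whitespace and key order, which changes the digest), and the comparison must be constant-time, since a plain `==` on the hex strings lets an attacker refine a forged signature byte by byte from response timing.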
5. Sub-processors
The Controller grants AgentVitals general authorization to engage the following sub-processors to deliver the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA |
| GitHub, Inc. (Microsoft) | Code repository integration; pull request delivery | USA |
| Render Services, Inc. | Cloud infrastructure and hosting | USA |
| Sentry | Error and performance monitoring | USA |
AgentVitals will notify the Controller of any intended changes to sub-processors (additions or replacements) at least 14 days in advance by updating this page, giving the Controller the opportunity to object on reasonable grounds. AgentVitals ensures each sub-processor is bound by data protection obligations no less protective than those in this DPA.
6. Data Subject Rights
AgentVitals will promptly notify the Controller (to the extent legally permitted) of any data subject request received that relates to the Controller's data. AgentVitals will provide reasonable assistance to enable the Controller to respond to such requests, taking into account the nature of the processing and information available to AgentVitals. The Controller remains responsible for determining whether and how to fulfill each request.
7. Personal Data Breach Notification
AgentVitals will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. The notification will include: a description of the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects.
8. International Data Transfers
Where transfer of Personal Data from the European Economic Area (EEA) or United Kingdom to a third country is required, such transfers will be conducted pursuant to the Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914) or the UK International Data Transfer Agreement (UK IDTA), as applicable. By agreeing to this DPA, the Controller and AgentVitals enter into the applicable SCCs, incorporated herein by reference, with AgentVitals acting as data importer.
9. Return and Deletion of Personal Data
Upon termination or expiration of the Service, AgentVitals will, at the Controller's written election (made within 30 days of termination), either securely return or delete all Personal Data in its possession, unless applicable law requires continued storage. AgentVitals will provide written certification of deletion upon request.
10. Audit Rights
AgentVitals will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. Upon at least 30 days' prior written notice, no more than once per calendar year, AgentVitals will allow for and cooperate with audits or inspections conducted by the Controller or an auditor appointed by the Controller, provided that: (a) the auditor agrees to reasonable confidentiality obligations; and (b) the Controller bears the reasonable cost of any such audit. AgentVitals may satisfy this obligation by providing a current third-party security audit report or SOC 2 report in lieu of a direct audit.
11. Term and Termination
This DPA is effective for the duration of the Controller's use of the Service and automatically terminates upon termination or expiration of the Terms of Service. Provisions that by their nature survive (including confidentiality, security, deletion obligations, and liability) will remain in effect after termination.
Contact and Execution
For DPA inquiries, data subject requests, or to request a countersigned copy of this agreement, contact us at support@agentvitals.ai.
By using the AgentVitals Service, the Controller agrees to the terms of this DPA, which is incorporated into and forms part of the AgentVitals Terms of Service.