Data Processing Agreement (DPA)
Last updated: June 11, 2026
Parties and subject matter
This Data Processing Agreement ("DPA") supplements the Terms and Conditions between AgenVIO S.r.l. ("Processor" or "AgenVIO") and the customer subscribing to the Service ("Controller" or "Customer").
This DPA governs the processing of personal data carried out by AgenVIO on behalf of the Customer in connection with the platform and related services (AI agent configuration, conversational channels, hosting, support), under Article 28 of Regulation (EU) 2016/679 (GDPR).
This DPA governs the processing of personal data carried out by AgenVIO on behalf of the Customer in connection with the platform and related services (AI agent configuration, conversational channels, hosting, support), under Article 28 of Regulation (EU) 2016/679 (GDPR).
Definitions and roles
GDPR definitions apply. The Customer acts as data controller of personal data relating to its users, customers, employees or other data subjects processed through the Service. AgenVIO acts as data processor, processing such data solely on behalf of the Customer and in accordance with the Customer's documented instructions, unless EU or Member State law requires otherwise.
Controller instructions
AgenVIO processes personal data only on documented instructions from the Customer, including those expressed in platform configuration, agent settings, enabled channels, and these Terms and DPA. If AgenVIO believes an instruction infringes the GDPR or other applicable data protection law, it will inform the Customer without undue delay.
The Customer is responsible for the lawfulness of processing, purposes, legal bases, privacy notices to data subjects, and compliance with data subject rights.
The Customer is responsible for the lawfulness of processing, purposes, legal bases, privacy notices to data subjects, and compliance with data subject rights.
Nature and categories of data
Depending on Service configuration, processing may include:
- conversational content (chat messages, email, voice transcripts);
- interaction metadata (timestamps, channel, session identifiers);
- contact data and identifiers provided by end users in conversations;
- content uploaded by the Customer to the knowledge base;
- technical and audit logs necessary for service delivery and security.
The Customer must not route special categories of data (Article 9 GDPR) through the Service unless legally permitted and appropriately configured.
- conversational content (chat messages, email, voice transcripts);
- interaction metadata (timestamps, channel, session identifiers);
- contact data and identifiers provided by end users in conversations;
- content uploaded by the Customer to the knowledge base;
- technical and audit logs necessary for service delivery and security.
The Customer must not route special categories of data (Article 9 GDPR) through the Service unless legally permitted and appropriately configured.
Processor obligations
AgenVIO undertakes to:
(i) process personal data only on behalf of the Customer and on documented instructions;
(ii) ensure persons authorized to process data are bound by confidentiality;
(iii) implement appropriate technical and organizational measures under Article 32 GDPR;
(iv) not engage sub-processors without complying with Article 28(2) and (4) GDPR;
(v) assist the Customer, within the contractual relationship, in responding to data subject rights requests;
(vi) assist the Customer with Articles 32–36 GDPR obligations, where applicable;
(vii) delete or return personal data at the end of the Service, subject to legal retention obligations;
(viii) make available to the Customer information necessary to demonstrate compliance with Article 28 GDPR and allow reasonable agreed audits.
(i) process personal data only on behalf of the Customer and on documented instructions;
(ii) ensure persons authorized to process data are bound by confidentiality;
(iii) implement appropriate technical and organizational measures under Article 32 GDPR;
(iv) not engage sub-processors without complying with Article 28(2) and (4) GDPR;
(v) assist the Customer, within the contractual relationship, in responding to data subject rights requests;
(vi) assist the Customer with Articles 32–36 GDPR obligations, where applicable;
(vii) delete or return personal data at the end of the Service, subject to legal retention obligations;
(viii) make available to the Customer information necessary to demonstrate compliance with Article 28 GDPR and allow reasonable agreed audits.
Sub-processors
The Customer authorizes AgenVIO to use sub-processors for Service delivery (hosting, AI models, messaging, telephony, email). An indicative list is described in the Privacy Policy; an up-to-date list can be requested at [email protected].
AgenVIO will inform the Customer of any intended addition or replacement of sub-processors, allowing the Customer to object on data protection grounds. Sub-processors are bound by obligations equivalent to those in this DPA.
AgenVIO will inform the Customer of any intended addition or replacement of sub-processors, allowing the Customer to object on data protection grounds. Sub-processors are bound by obligations equivalent to those in this DPA.
Security and data breaches
AgenVIO implements technical and organizational security measures proportionate to risk, including access controls, encryption where appropriate, backups, and incident management procedures.
In the event of a personal data breach, AgenVIO will notify the Customer without undue delay after becoming aware of the breach, providing available information to enable the Customer to meet notification obligations to authorities and data subjects where required.
In the event of a personal data breach, AgenVIO will notify the Customer without undue delay after becoming aware of the breach, providing available information to enable the Customer to meet notification obligations to authorities and data subjects where required.
International transfers
Where processing involves transfers of personal data to third countries, AgenVIO ensures appropriate safeguards under GDPR Chapter V (including, where applicable, Standard Contractual Clauses approved by the European Commission).
Term and termination
This DPA remains in effect for the duration of the contractual relationship. Upon termination, AgenVIO will, at the Customer's choice and subject to legal obligations, delete or return personal data processed on behalf of the Customer, in accordance with platform functionality and instructions received.
Applicable law
This DPA is governed by Italian law. Disputes are handled as set out in the Service Terms and Conditions.
For DPA requests: [email protected] — PEC: [email protected]
For DPA requests: [email protected] — PEC: [email protected]
