This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between AgentPack, Inc. (“AgentPack,” “Processor,” “we,” “us,” or “our”) and the customer identified in the Agreement (“Customer,” “Controller,” “you,” or “your”) (each a “Party” and together the “Parties”).
This DPA governs the processing of Personal Data by AgentPack on behalf of Customer in connection with the provision of AgentPack’s cloud-based artificial intelligence platforms including www.keum.ai and audiopub.ai (the “Service”). This DPA is incorporated into and forms an integral part of the Agreement.
By accepting the Agreement or using the Service, the Customer agrees to the terms of this DPA.
1. DEFINITIONS
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means ownership of more than 50% of voting shares or equity interests.
“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, CCPA, and any other applicable privacy and data protection laws.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
“Controller” means the entity that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, Customer is the Controller.
“Customer Data” means any data, including Personal Data, that Customer or its Authorized Users submit, upload, or transmit to the Service.
“Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
“EEA” means the European Economic Area.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by AgentPack on behalf of Customer in connection with the Service, as defined under Applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
“Processing” (and “Process”) means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, or destruction.
“Processor” means the entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, AgentPack is the Processor.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries approved by the European Commission, as amended or replaced from time to time.
“Sub-processor” means any third party engaged by AgentPack to process Personal Data on behalf of Customer in connection with the Service.
“Supervisory Authority” means an independent public authority established by an EEA Member State or the UK pursuant to the GDPR or UK GDPR.
“UK GDPR” means the GDPR as incorporated into United Kingdom law by the UK Data Protection Act 2018.
2. SCOPE AND ROLES OF THE PARTIES
2.1 Relationship of the Parties
The Parties acknowledge and agree that:
- Customer is the Controller of Personal Data and determines the purposes and means of Processing Personal Data.
- AgentPack is the Processor and processes Personal Data only on behalf of and in accordance with Customer’s documented instructions.
- Customer is solely responsible for ensuring that its instructions comply with Applicable Data Protection Law.
- This DPA applies only to the extent that AgentPack processes Personal Data on behalf of Customer as a Processor. It does not apply to the extent that AgentPack processes personal data as a Controller (e.g., for its own business operations, such as billing, account management, or marketing to Customer contacts).
2.2 Scope of Processing
AgentPack shall process Personal Data only:
- As necessary to provide the Service in accordance with the Agreement;
- As documented in this DPA and any applicable Order;
- As instructed by Customer through use of the Service or in written instructions; and
- As required by applicable law, provided that AgentPack shall inform Customer of such legal requirement before processing, unless prohibited by law.
2.3 Details of Processing
Subject Matter:
The subject matter of the processing is the provision of AgentPack’s AI-powered platform services as described in the Agreement.
Duration:
The duration of processing is for the term of the Agreement, including any renewal periods, and for the data retention period specified in Section 8 of this DPA.
Nature and Purpose of Processing:
AgentPack will process Personal Data for the purpose of providing the Service, which includes:
- Hosting and storing Customer Data
- Processing AI queries and generating responses
- Providing analytics and reporting features
- Maintaining and improving Service functionality
- Providing customer support
- Detecting and preventing fraud and abuse
- Complying with legal obligations
Types of Personal Data:
The categories of Personal Data processed may include:
- Contact information (names, email addresses, phone numbers)
- Account credentials (usernames, passwords)
- Business information (company name, job title)
- Usage data (IP addresses, device information, activity logs)
- Content data (documents, files, queries, AI agent configurations)
- Communications data (support tickets, messages)
- Any other data that Customer chooses to input into the Service
Categories of Data Subjects:
Data Subjects may include:
- Customer’s employees, contractors, and agents (Authorized Users)
- Customer’s customers and end users
- Any other individuals whose Personal Data Customer submits to the Service
3. CUSTOMER INSTRUCTIONS AND COMPLIANCE
3.1 Processing Instructions
AgentPack shall process Personal Data only on documented instructions from Customer, unless required to do so by applicable law. The Agreement, this DPA, and Customer’s use of the Service constitute Customer’s complete and final documented instructions to AgentPack for the processing of Personal Data. Additional instructions outside the scope of these documented instructions require prior written agreement between the Parties.
3.2 Compliance with Instructions
If AgentPack believes that any instruction from Customer violates Applicable Data Protection Law, AgentPack will promptly inform Customer and may suspend performance of the instruction until Customer confirms or modifies it. AgentPack shall not be liable for any delays, failures, or consequences resulting from such suspension.
3.3 Customer Responsibilities
Customer represents, warrants, and covenants that:
- It has all necessary rights, consents, and legal bases to collect, use, and disclose Personal Data and to provide it to AgentPack for processing under this DPA.
- Its instructions to AgentPack comply with all Applicable Data Protection Laws.
- It has provided or will provide all necessary privacy notices to Data Subjects and has obtained or will obtain all necessary consents from Data Subjects as required by Applicable Data Protection Law.
- It is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data.
- It will not provide any Special Categories of Personal Data (as defined in Article 9 of the GDPR) or data relating to criminal convictions and offenses (as defined in Article 10 of the GDPR) to AgentPack without prior written agreement on additional safeguards.
4. SECURITY MEASURES
4.1 Security Obligations
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AgentPack shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
4.2 Technical and Organizational Measures
AgentPack’s security measures include:
Access Control:
- Multi-factor authentication for AgentPack personnel
- Role-based access controls
- Least privilege access principles
- Regular access reviews and revocation upon termination
Data Encryption:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Encrypted backups
Network Security:
- Firewalls and intrusion detection/prevention systems
- Regular security patches and updates
- Network segmentation
- DDoS protection
Application Security:
- Secure software development lifecycle
- Regular security code reviews
- Penetration testing at least annually
- Vulnerability scanning and remediation
Physical Security:
- Data centers with 24/7 security monitoring
- Access controls to facilities
- Environmental controls (fire suppression, climate control)
Organizational Measures:
- Information security policies and procedures
- Employee security training and awareness programs
- Confidentiality agreements for all personnel
- Background checks for personnel with access to Personal Data
- Incident response and business continuity plans
4.3 Security Documentation
Upon Customer’s written request and subject to confidentiality obligations, AgentPack will provide Customer with reasonable information about its security measures. AgentPack is working toward SOC 2 Type II certification with target completion in Q4 2026. Documentation of security measures is available upon request under NDA.
5. SUB-PROCESSORS
5.1 Authorized Sub-Processors
Customer provides general authorization for AgentPack to engage Sub-processors to process Personal Data in connection with the Service. AgentPack’s current list of Sub-processors is available at keum.ai/legal/subprocessors/.
5.2 Sub-processor Requirements
AgentPack shall:
- Enter into an agreement with each Sub-processor that imposes data protection obligations on the Sub-processor that are substantially similar to those imposed on AgentPack under this DPA, including with respect to security, confidentiality, and international data transfers.
- Remain fully liable to Customer for the performance of any Sub-processor’s obligations.
- Ensure that Sub-processors process Personal Data only for the purposes set out in this DPA and in accordance with Customer’s documented instructions.
5.3 Changes to Sub-Processors
AgentPack will update the list of Sub-processors at keum.ai/legal/subprocessors/ to reflect changes in:
- the Sub-processors; or
- the role of an existing Sub-processor, where the change is material.
If Customer objects to a new or changed Sub-processor on reasonable data protection grounds, Customer must notify AgentPack. If the Parties cannot resolve the objection within 30 days, Customer may terminate the affected Service by providing written notice to AgentPack, and AgentPack will refund any prepaid fees for the terminated portion of the subscription on a pro-rata basis. This is Customer’s sole remedy for objections to Sub-processors.
6. DATA SUBJECT RIGHTS
6.1 Assistance with Data Subject Requests
Taking into account the nature of the processing, AgentPack shall provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing.
6.2 Data Subject Request Procedures
If AgentPack receives a Data Subject request directly, AgentPack will:
- Promptly notify Customer of the request;
- Not respond to the request directly (except as required by law) without Customer’s prior written authorization; and
- Provide reasonable assistance to Customer in responding to the request.
Customer is responsible for responding to Data Subject requests. AgentPack may charge a reasonable fee for assistance with Data Subject requests that require substantial effort or resources.
6.3 Data Export and Portability
Customer may export Customer Data at any time using the Service’s export functionality or by requesting an export from support@agentpack.ai. AgentPack will provide Customer Data in CSV format or another commonly used machine-readable format within 30 days of a written request.
7. PERSONAL DATA BREACHES
7.1 Breach Notification
AgentPack shall notify Customer without unreasonable delay, and in any event no later than 72 hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of AgentPack’s data protection officer or other contact point;
- A description of the likely consequences of the Personal Data Breach;
- A description of the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its potential adverse effects.
7.2 Investigation and Remediation
AgentPack shall:
- Investigate the Personal Data Breach promptly and diligently;
- Take reasonable steps to remediate the breach and prevent future occurrences;
- Cooperate with Customer and regulatory authorities in investigating and remediating the breach;
- Not disclose the Personal Data Breach to third parties (other than Sub-processors, legal advisors, or Supervisory Authorities) without Customer’s prior written consent, except as required by law.
7.3 Customer Responsibilities
Customer is solely responsible for:
- Determining whether to notify Supervisory Authorities and Data Subjects of the Personal Data Breach as required by Applicable Data Protection Law;
- Meeting all notification requirements under Applicable Data Protection Law;
- Providing AgentPack with any information necessary to fulfill AgentPack’s obligations under this Section 7.
8. DATA RETENTION AND DELETION
8.1 Retention Period
AgentPack shall retain Customer Data only for as long as necessary to provide the Service or as required by law. Specific retention periods are:
- Active accounts: Data retained for the duration of the subscription
- After termination: Data deleted within 30 days
- Backup copies: Deleted within 180 days in accordance with backup retention schedules
- Legal hold: As required by law, regulation, legal process, or when necessary to protect our legal rights.
- Logs and metadata: Retained for up to 24 months for security and operational purposes
- Aggregated and anonymized data: Indefinitely as long as the data can no longer identify any Data Subject.
8.2 Return and Deletion
Upon termination or expiration of the Agreement, or upon Customer’s written request, AgentPack shall, at Customer’s option:
- Return all Customer Data to Customer in a commonly used machine-readable format; and/or
- Delete all Customer Data from AgentPack’s systems in accordance with Section 8.1.
8.3 Certification of Deletion
Upon Customer’s written request, AgentPack will provide written certification that Customer Data has been deleted or returned in accordance with this Section 8.
9. AUDITS AND COMPLIANCE
9.1 Customer Audit Rights
Customer has the right to conduct audits (including inspections) to verify AgentPack’s compliance with its obligations under this DPA, subject to the following conditions:
- Customer must provide AgentPack with at least 30 days’ advance written notice of any audit request;
- Audits may be conducted no more than once per year unless required by a Supervisory Authority or in response to a Personal Data Breach;
- Audits must be conducted during AgentPack’s normal business hours and must not unreasonably interfere with AgentPack’s business operations;
- Customer must enter into a reasonable confidentiality agreement with AgentPack before conducting the audit;
- Customer is responsible for all costs associated with the audit, including reasonable fees charged by AgentPack for assistance;
- Customer may appoint a mutually agreed-upon independent third-party auditor to conduct the audit on Customer’s behalf.
9.2 Audit Reports and Certifications
In lieu of conducting an audit, Customer may request and AgentPack will provide (subject to confidentiality obligations):
- Documentation of AgentPack’s security measures and controls;
- Summaries of security assessments and penetration test results;
- Other reasonable documentation of AgentPack’s compliance with its obligations under this DPA.
AgentPack is working toward SOC 2 Type II certification with target completion in Q4 2026.
9.3 Supervisory Authority Audits
AgentPack shall cooperate with and assist Supervisory Authorities in their audits and investigations to the extent permitted by law.
10. INTERNATIONAL DATA TRANSFERS
10.1 Data Transfer Locations
AgentPack processes Personal Data primarily in the United States. Customer acknowledges and agrees that Personal Data may be transferred to, stored, and processed in the United States and other countries where AgentPack or its Sub-processors maintain facilities.
10.2 Transfers from the EEA, UK, and Switzerland
For transfers of Personal Data from the EEA, United Kingdom, or Switzerland to countries that have not been subject to an adequacy decision by the European Commission (including the United States), the Parties agree to rely on the following transfer mechanisms:
- Standard Contractual Clauses: The Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Module Two: Controller to Processor) as approved by European Commission Decision 2021/914 of June 4, 2021, are hereby incorporated by reference and form an integral part of this DPA. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
- Supplementary Measures: AgentPack implements appropriate technical and organizational measures as supplementary safeguards to ensure an adequate level of protection, including encryption, access controls, and the security measures described in Section 4 of this DPA.
10.3 UK Addendum
For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, issued by the UK Information Commissioner’s Office) is incorporated by reference.
10.4 Swiss Addendum
For transfers of Personal Data from Switzerland, the Swiss Federal Data Protection and Information Commissioner’s (FDPIC) modifications to the Standard Contractual Clauses are incorporated by reference.
10.5 Alternative Transfer Mechanisms
If the Standard Contractual Clauses or other transfer mechanisms are invalidated, amended, or replaced by Supervisory Authorities or courts, the Parties shall cooperate in good faith to promptly implement alternative transfer mechanisms that comply with Applicable Data Protection Law.
11. CCPA AND US STATE PRIVACY LAWS
11.1 Applicability
This Section 11 applies only to the extent that AgentPack processes Personal Information (as defined in the CCPA) on behalf of Customer and Customer is subject to the CCPA or other US state privacy laws.
11.2 Service Provider/Processor Role
For purposes of the CCPA and similar US state privacy laws, AgentPack is a Service Provider or Processor. AgentPack:
- Shall not sell or share (as those terms are defined under applicable US state privacy laws) Customer’s Personal Information;
- Shall not retain, use, or disclose Customer’s Personal Information for any purpose other than providing the Service or as otherwise permitted by the CCPA and this DPA;
- Shall not retain, use, or disclose Customer’s Personal Information outside of the direct business relationship between AgentPack and Customer;
- Certifies that it understands and will comply with the restrictions in this Section 11.2.
11.3 Sub-processor Disclosure
Customer authorizes AgentPack to disclose Personal Information to Sub-processors as set forth in Section 5, provided that AgentPack ensures that Sub-processors are bound by contractual obligations consistent with this Section 11.
12. LIABILITY AND INDEMNIFICATION
12.1 Limitation of Liability
Each Party’s liability under this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall exclude or limit either Party’s liability for matters that cannot be excluded or limited under Applicable Data Protection Law.
12.2 Indemnification
Customer shall indemnify and hold harmless AgentPack from and against all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to:
- Customer’s breach of its obligations under this DPA;
- Customer’s violation of Applicable Data Protection Law;
- Customer’s instructions to AgentPack that violate Applicable Data Protection Law;
- Claims by Data Subjects or Supervisory Authorities arising from Customer’s processing of Personal Data or Customer’s instructions to AgentPack.
13. TERM AND TERMINATION
13.1 Term
This DPA shall commence on the date Customer accepts the Agreement and shall remain in effect for as long as AgentPack processes Personal Data on behalf of Customer.
13.2 Termination
This DPA shall automatically terminate upon termination or expiration of the Agreement. Either Party may terminate this DPA if the other Party materially breaches this DPA and fails to cure such breach within 30 days after receiving written notice.
13.3 Effect of Termination
Upon termination of this DPA, AgentPack shall return or delete Customer Data as provided in Section 8. All obligations that by their nature should survive termination shall survive, including confidentiality obligations, audit rights for the period of processing, and provisions relating to international data transfers.
14. GENERAL PROVISIONS
14.1 Amendments
AgentPack may update this DPA from time to time to reflect changes in Applicable Data Protection Law, guidance from Supervisory Authorities, or changes to AgentPack’s data processing practices. AgentPack will provide Customer with at least 30 days’ notice of any major changes that are specific to AgentPack. Customer’s continued use of the Service after such changes become effective constitutes acceptance of the updated DPA.
14.2 Conflicts
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
14.3 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect. The Parties shall negotiate in good faith to replace any invalid provision with a valid provision that achieves the original intent.
14.4 Governing Law
This DPA shall be governed by the same laws as the Agreement, except to the extent that Applicable Data Protection Law requires otherwise.
14.5 Entire Agreement
This DPA, together with the Agreement and any applicable Orders, constitutes the entire agreement between the Parties regarding the processing of Personal Data and supersedes all prior agreements and understandings.
14.6 Order of Precedence
In the event of a conflict between documents, the order of precedence shall be: (1) Standard Contractual Clauses; (2) this DPA; (3) the Agreement.
15. CONTACT INFORMATION
For questions or concerns regarding this DPA or data protection matters, please contact:
AgentPack, Inc.
Data Protection Officer
1111b S Governors Avenue, STE 40565
Dover, Delaware 19904
Email: dpo@agentpack.ai
For general privacy inquiries: privacy@agentpack.ai