
Data Processing Agreement

Last Updated: January 16, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Data Controller") and AI Agent Tester ("Processor", "we", "us") and governs the processing of personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This DPA supplements our Terms of Service and Privacy Policy.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Data Controller" means the Customer who determines the purposes and means of processing personal data
  • "Data Processor" means AI Agent Tester, who processes personal data on behalf of the Customer
  • "Data Subject" means the individual to whom personal data relates
  • "Processing" means any operation performed on personal data
  • "Sub-processor" means any third party engaged by the Processor to process personal data
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "Data Protection Laws" means GDPR and any other applicable data protection legislation

3. Scope and Roles

3.1 Controller and Processor

The Customer acts as the Data Controller and AI Agent Tester acts as the Data Processor with respect to personal data processed through the Service.

3.2 Processing Activities

The Processor shall process personal data only as necessary to provide the Service and in accordance with the Customer's documented instructions.

4. Customer Obligations

As the Data Controller, the Customer shall:

  • Ensure it has all necessary rights and consents to process personal data
  • Comply with all applicable Data Protection Laws
  • Provide clear and lawful instructions for processing
  • Ensure the accuracy of personal data provided
  • Inform AI Agent Tester of any restrictions on processing
  • Respond to data subject requests in accordance with Data Protection Laws

5. Processor Obligations

AI Agent Tester shall:

5.1 Processing Instructions

  • Process personal data only on documented instructions from the Customer
  • Not process personal data for any other purpose unless required by law
  • Inform the Customer if instructions violate Data Protection Laws

5.2 Confidentiality

  • Ensure persons authorized to process personal data are bound by confidentiality
  • Maintain the confidentiality of all personal data
  • Implement appropriate access controls

5.3 Security Measures

  • Implement appropriate technical and organizational security measures
  • Protect against unauthorized or unlawful processing
  • Protect against accidental loss, destruction, or damage
  • Regularly test, assess, and evaluate security effectiveness

See our Security Policy for detailed security measures.

5.4 Sub-processing

  • Obtain Customer consent before engaging new sub-processors
  • Maintain a list of authorized sub-processors (see Section 7)
  • Impose the same data protection obligations on sub-processors
  • Remain liable for sub-processor performance

5.5 Data Subject Rights

  • Assist the Customer in responding to data subject requests
  • Implement technical measures to facilitate data subject rights
  • Respond to Customer requests within a reasonable timeframe

5.6 Data Breach Notification

  • Notify the Customer without undue delay upon becoming aware of a personal data breach
  • Provide sufficient information to enable the Customer to meet breach notification obligations
  • Cooperate with the Customer in investigating and remedying the breach

5.7 Data Protection Impact Assessments

  • Assist the Customer in conducting Data Protection Impact Assessments (DPIAs)
  • Provide necessary information about processing operations
  • Support consultations with supervisory authorities when required

5.8 Deletion and Return

  • Delete or return all personal data upon termination of services
  • Delete existing copies unless retention is required by law
  • Provide certification of deletion upon request

5.9 Audit and Compliance

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections
  • Provide compliance certifications and audit reports

6. Details of Processing

6.1 Subject Matter and Duration

Processing of personal data necessary to provide AI-powered browser testing and test automation services for the duration of the Customer's subscription.

6.2 Nature and Purpose

  • Storage and hosting of Customer data
  • Test execution and automation
  • AI-powered test generation and optimization
  • Team collaboration and organization management
  • Integration with third-party services
  • Analytics and reporting

6.3 Categories of Data Subjects

  • Customer employees and contractors
  • Organization members and invitees
  • Test subjects (if personal data is included in test data)

6.4 Types of Personal Data

  • Contact information (email address, name)
  • Account credentials (encrypted)
  • Profile information (avatar, preferences)
  • Organization and team membership data
  • Usage data and logs
  • Test data (which may contain personal data depending on Customer use)
  • Integration credentials (OAuth tokens)

7. Sub-processors

7.1 Authorized Sub-processors

The Customer authorizes AI Agent Tester to engage the following sub-processors:

| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Authentication and database hosting | United States |
| Google Cloud Platform | Infrastructure and task processing | United States / EU (as configured) |
| Resend | Email delivery | United States |
| OpenAI | AI-powered features | United States |

7.2 Sub-processor Changes

We will provide at least 30 days' notice before adding or replacing sub-processors. Customers may object to new sub-processors by contacting us within 14 days of notice.

8. International Data Transfers

8.1 Transfer Mechanisms

For transfers of personal data from the EEA to countries without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary measures to ensure appropriate safeguards
  • Transfer impact assessments where required

8.2 Data Localization

Enterprise customers may request data localization options. Contact us at enterprise@ai-agent-tester.com for details.

9. Security Measures

AI Agent Tester implements the following technical and organizational measures:

9.1 Technical Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication support
  • Role-based access control (RBAC)
  • Database Row-Level Security (RLS)
  • Secrets encryption and secure storage
  • Regular security patches and updates
  • Intrusion detection and prevention systems
  • Automated vulnerability scanning

9.2 Organizational Measures

  • Security policies and procedures
  • Employee security training and awareness
  • Background checks for personnel with data access
  • Confidentiality agreements for all personnel
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security audits and assessments
  • Vendor risk management program

For comprehensive details, see our Security Policy.

10. Data Breach Procedures

10.1 Notification

In the event of a personal data breach, we will:

  • Notify affected Customers without undue delay (within 72 hours when feasible)
  • Provide details of the breach, including categories and approximate number of affected data subjects
  • Describe likely consequences of the breach
  • Describe measures taken or proposed to address the breach

10.2 Investigation and Remediation

We will:

  • Investigate the breach and its root cause
  • Take immediate steps to contain and mitigate the breach
  • Implement measures to prevent recurrence
  • Cooperate with the Customer and regulatory authorities
  • Document all breach-related activities

11. Data Subject Rights

We will assist Customers in fulfilling data subject rights requests, including:

  • Right of Access: Provide data subjects with access to their personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Delete personal data when required
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Data Portability: Provide data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests

Customers should direct data subject requests to us at privacy@ai-agent-tester.com. We will respond within 30 days.

12. Audit Rights

12.1 Documentation

Upon reasonable request, we will provide:

  • Documentation demonstrating compliance with this DPA
  • Relevant security certifications (SOC 2, ISO 27001, etc.)
  • Third-party audit reports (subject to confidentiality)

12.2 Audits and Inspections

Customers may conduct audits subject to:

  • Reasonable advance notice (at least 30 days)
  • Execution of a confidentiality agreement
  • Conducting audits during business hours
  • Minimizing disruption to our operations
  • Customer bearing costs of the audit

13. Data Retention and Deletion

13.1 Retention Period

We retain personal data for as long as necessary to provide the Service and as required by law.

13.2 Deletion Upon Termination

Upon termination or expiry of the agreement:

  • We will delete or return all personal data within 30 days
  • Backups will be deleted in accordance with our backup retention policy (up to 30 days)
  • We may retain data if required by law with appropriate safeguards
  • We will provide certification of deletion upon request

13.3 Customer Deletion Requests

Customers may request deletion of specific data at any time through the Service interface or by contacting support.

14. Liability and Indemnification

14.1 Processor Liability

The Processor shall be liable for damages caused by processing that violates this DPA or Data Protection Laws, except where the Processor is not responsible for the event giving rise to the damage.

14.2 Limitation

Total liability under this DPA is subject to the limitation of liability provisions in our Terms of Service.

15. Term and Termination

15.1 Term

This DPA commences when you accept our Terms of Service and continues for as long as we process personal data on your behalf.

15.2 Survival

Obligations related to data deletion, confidentiality, and liability survive termination.

16. Governing Law and Dispute Resolution

This DPA is governed by the same law and dispute resolution provisions as our Terms of Service. For matters specifically related to GDPR, the courts of the EU Member State where the Customer is established shall have jurisdiction.

17. Contact Information

For DPA-related inquiries, contact:

Data Processor: [PLACEHOLDER_company_name]

Address: [PLACEHOLDER_street_address], [PLACEHOLDER_postal_code] [PLACEHOLDER_city], Netherlands

KvK Number: [PLACEHOLDER_kvk_number]

Data Protection Officer: dpo@[PLACEHOLDER_domain]

Privacy Team: privacy@[PLACEHOLDER_domain]