Data Processing Agreement

Last updated: 2025-04-28

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“ToS”) between:

(1) “User” or “Customer” (also referred to herein as “Controller”), who is the individual or legal entity that has entered into the ToS and established an account or workspace in AgentRunner; 

AND

(2) GBD Software as a Service Limited (“AgentRunner,” “Processor,” “we,” “us,” or “our”), having its registered address at Szikra Tanya 93, Lakitelek, 6065, Hungary,

each a “Party” and together, the “Parties.”

By using the AgentRunner platform or services (“Service”) to process personal data, Customer agrees to this DPA. If Customer does not agree, Customer must discontinue use of AgentRunner.

DEFINITIONS & SCOPE 

Definitions

  1. “Controller” (or “Customer”) means the entity or individual responsible for determining the purposes and means of processing Personal Data and for ensuring that any personal data is lawfully collected and used.
  2. “Processor” (or “AgentRunner”) means GBD Software as a Service Limited, which processes personal data on behalf of the Controller under the ToS and this DPA.
  3. “Sub-processor” means any third party engaged by AgentRunner that processes personal data under the authority or instructions of AgentRunner.
  4. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), as defined under GDPR or relevant data protection laws.
  5. “Processing” (and its derivatives) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, storing, using, disclosing, or deleting.
  6. “Data Subject” means an individual whose Personal Data is processed.
  7. “Agent” or “Agents” means the automated node-based workflows created by the Customer within AgentRunner.
  8. “Logs” means any internal or system logs of the Agents’ operation, including error reports, usage activity, or other diagnostic data.
  9. “Beta Phase” or “Beta” means the early-release state of the Service, during which features and data handling processes are subject to unexpected errors or changes.

Geographic Scope

This DPA applies globally to the extent AgentRunner processes Personal Data that is subject to the EU General Data Protection Regulation (“GDPR”) or other applicable privacy laws.

SUBJECT MATTER AND DURATION OF PROCESSING 

Subject Matter

AgentRunner provides a platform for building and running Agents that may transmit or transform Customer Data (including Personal Data) between applications and large language models (“LLMs”), and store related logs for diagnostic or quality purposes.

Duration

Processing will continue for as long as Customer uses AgentRunner’s Service or until the Customer terminates its account or workspace in accordance with the ToS. Once use has ceased, AgentRunner will, within approximately thirty (30) days, delete or irreversibly anonymize any Personal Data stored in logs or in the Customer’s Agents, unless otherwise required by law.

NATURE AND PURPOSE OF PROCESSING 

Nature of Processing

AgentRunner collects, stores, and displays Personal Data for the following activities:

  1. Automating processes between various integrated applications and LLMs.
  2. Storing and displaying logs for quality control, debugging, or performance analysis.
  3. During the Beta Phase, AgentRunner may access logs or data to improve its platform or diagnose issues.

Purpose

AgentRunner processes Personal Data strictly in accordance with Customer’s instructions, as laid out in this DPA and the ToS, for the purpose of providing the Service. AgentRunner does not process Personal Data for its own independent reasons without the Customer’s documented instructions, except where required by law.

Beta Phase and Minimization of Personal Data

Customer is advised to refrain from uploading unnecessary or sensitive Personal Data. AgentRunner may temporarily access logs containing Personal Data to resolve issues, improve performance, or test new features during Beta.

TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

Types of Personal Data

  1. Any data the Customer chooses to upload to or process within the Agents, such as names, contact details, or other PII.
  2. AgentRunner does not control or monitor the content Customer uploads; therefore, any type of personal data could be included at the Customer’s discretion.

Prohibited Sensitive Data

Customer agrees not to intentionally process in AgentRunner any “special categories” of personal data (e.g., health, biometric, child data) nor other high-risk data requiring heightened security. If such data is inadvertently processed, Customer remains fully liable for compliance with all relevant laws.

Categories of Data Subjects

May include employees, end-user customers, or other individuals whose data is input by the Customer.

OBLIGATIONS OF THE CONTROLLER (CUSTOMER) 

Lawful Basis

Customer warrants that it has a valid legal basis (e.g., consent, legitimate interest, contract) for each Personal Data processing activity performed via AgentRunner.

Accuracy, Minimization, and Responsibility

Customer is solely responsible for the accuracy, quality, legality, and appropriateness of the Personal Data uploaded into AgentRunner. Customer must ensure that it does not upload data beyond what is necessary for the intended purpose.

No Sensitive Data

Customer acknowledges and agrees not to upload or process special categories of personal data through AgentRunner. If special categories of data are inadvertently processed, Customer remains responsible for any additional GDPR or local law obligations.

OBLIGATIONS OF THE PROCESSOR (AGENTRUNNER) 

Processing on Documented Instructions

AgentRunner shall process Personal Data only on the instructions of the Customer, unless required by applicable law (in which case AgentRunner shall inform Customer of that legal requirement unless prohibited).

Legal Requests

If a subpoena, court order, or other formal request for Personal Data is received, AgentRunner will (i) promptly notify Customer, unless barred from doing so by law; (ii) restrict disclosure as lawfully possible; and (iii) provide Customer a reasonable opportunity to object or seek legal redress.

Compliance Assistance

AgentRunner will reasonably assist the Customer, at Customer’s cost, with data protection impact assessments, responding to Data Subject access or rights requests, and other GDPR compliance measures, given that AgentRunner is in Beta and does not promise full compliance tooling.

CONFIDENTIALITY 

Personnel Confidentiality

AgentRunner ensures that employees or contractors authorized to process Personal Data are subject to binding confidentiality obligations in their employment or service contracts.

Exceptions

AgentRunner may disclose Personal Data confidentially to its legal or professional advisers, or if required by law, court order, or regulatory authority, adhering to obligations in Section 6.2.

SUB-PROCESSING 

Authorized Sub-Processors

AgentRunner uses third-party providers (“Sub-processors”) such as:

  1. Amazon Web Services (AWS) for hosting;
  2. Google Analytics for usage analytics;
  3. SAAS First for AI-based support and CRM.

Notice of Changes

During Beta, AgentRunner may add or replace Sub-processors without individual notice. Updated information may be communicated in the Privacy Policy.

No Right to Object in Beta

Customer acknowledges that no objection mechanism is currently offered for Sub-processor additions or changes. If Customer does not agree with a new Sub-processor, its recourse is to cease using the Service.

DATA SUBJECT RIGHTS

Assistance

AgentRunner shall redirect Data Subject requests (e.g., access, rectification, erasure) to the Customer. Where feasible, AgentRunner will assist the Customer in fulfilling such requests if the Personal Data is stored on AgentRunner’s systems, provided that Customer covers any reasonable costs.

Timing

AgentRunner will use best efforts to comply with data subject rights requests within the period specified by GDPR or other laws, but the Customer remains responsible for overall compliance and direct communication with Data Subjects.

SECURITY MEASURES

Technical & Organizational Measures

AgentRunner commits to:

  1. Encrypted HTTPS connections;
  2. Role-Based Access Controls;
  3. Confidentiality agreements for employees and contractors;
  4. Routine server logging and monitoring.

Beta Limitations

AgentRunner is not yet certified to any particular security standard (e.g., SOC 2) but aims to move toward recognized certifications. Customer acknowledges certain security measures may evolve during Beta.

PERSONAL DATA BREACH NOTIFICATION 

Notification Requirement

In the event of a verified breach of Personal Data under this DPA, AgentRunner will notify Customer without undue delay, and in any case within forty-eight (48) hours of becoming aware.

Contents of Notification

Such notification shall include: (i) the nature of the breach; (ii) the categories and approximate number of Data Subjects affected; (iii) likely consequences of the breach; and (iv) measures taken or proposed to address the breach.

INTERNATIONAL DATA TRANSFERS 

Scope

AgentRunner or its Sub-processors may process Personal Data outside the European Economic Area (EEA). Currently, certain Sub-processors (e.g., Google, LinkedIn, SAAS First) may store or access data from non-EEA jurisdictions.

Transfer Mechanisms

AgentRunner intends to implement Standard Contractual Clauses (SCCs) or other lawful bases for any such transfers. Full compliance is in progress during Beta.

AUDITS & CERTIFICATIONS

Logs and Access

Customer can review run logs for the Agents under its account at any time. Currently, AgentRunner does not provide on-site facility audits or external compliance reports.

Beta Constraints

Comprehensive audit rights or certifications may not be available until after Beta. Customer acknowledges that acceptance of these Terms implies acceptance of Beta-phase limitations.

RETURN OR DELETION OF PERSONAL DATA 

Automatic Deletion

Upon termination or expiry of the Customer’s account, AgentRunner will automatically delete or anonymize relevant Personal Data within around thirty (30) days, barring any legal obligation to retain it.

No Data Export

AgentRunner does not guarantee any data export feature for personal data stored in logs or Agents. Customer should maintain adequate backups.

LIABILITY & INDEMNIFICATION 

Liability under the DPA

AgentRunner’s liability is limited or disclaimed to the fullest extent permissible under applicable law, as described in the main ToS. Customer remains wholly liable for any unlawful data processing or breach of its obligations under this DPA or relevant laws.

Indemnification

Unless explicitly provided otherwise in the main ToS, a general indemnification applies. Customer shall indemnify AgentRunner for actions resulting from Customer’s breach of data protection obligations, including costs and legal fees.

GOVERNING LAW & JURISDICTION 

Governing Law

This DPA is governed by and construed in accordance with Hungarian law, subject to any overriding obligations under EU data protection law.

Dispute Resolution

All disputes arising from or relating to this DPA shall be subject to the same dispute resolution mechanisms as set forth in the ToS, with venue in the competent courts of Hungary.

ACCEPTANCE & ANNEXES

Acceptance by Using the Service

The Customer accepts this DPA by continuing to use or deploying Agents within the AgentRunner platform, including uploading Personal Data for automated processing.

Annexes

No annexes are attached at this stage. AgentRunner may introduce an annex or update references to Sub-processors in the Privacy Policy.