Effective Date: January 1, 2026
1. INTRODUCTION
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PureAgentive ("Processor") and each tenant organization ("Controller") that uses the PureAgentive platform (the "Service").
This DPA is required by Art. 28 of EU Regulation 2016/679 (GDPR) and sets out the terms under which PureAgentive, as Processor, processes personal data on behalf of the Controller for the purpose of providing the Service.
By using the Service, the Controller accepts the terms of this DPA. For enterprise customers requiring a separately executed DPA, please contact legal@pureagentive.com.
2. DEFINITIONS
Terms used in this DPA have the meanings given to them in GDPR (EU 2016/679), including:
- "Personal Data": any information relating to an identified or identifiable natural person
- "Processing": any operation performed on Personal Data
- "Data Subject": the natural person to whom Personal Data relates
- "Supervisory Authority": the competent data protection authority (in Belgium: APD/GBA)
- "Standard Contractual Clauses (SCCs)": EU Commission Decision 2021/914 controller-to-processor clauses
3. SUBJECT MATTER AND DURATION
PureAgentive processes Personal Data on behalf of the Controller solely to provide the Service as described in the Terms of Service. Processing begins when the Controller activates their tenant account and continues for the duration of the active subscription. Upon termination, the obligations of this DPA survive for 30 days pending deletion or return of Personal Data (see Section 11).
4. NATURE AND PURPOSE OF PROCESSING
PureAgentive processes Personal Data to:
- Host and operate AI agents configured by the Controller
- Store and retrieve conversation history and knowledge base content
- Perform RAG (Retrieval-Augmented Generation) for AI agent responses
- Provide analytics and usage reporting to the Controller
- Enforce platform safety and content policies
- Process payments on behalf of the Controller's end-users (token purchases)
5. TYPES OF PERSONAL DATA PROCESSED
The categories of Personal Data processed may include:
- End-user names and email addresses
- Conversation content (text, voice transcriptions)
- Documents and files uploaded to knowledge bases
- Usage metadata (session timestamps, feature usage, IP addresses)
- Payment information (processed by Stripe; PureAgentive does not store full card data)
6. CATEGORIES OF DATA SUBJECTS
Personal Data processed under this DPA relates to:
- The Controller's end-users (members of the public or employees interacting with AI agents)
- The Controller's team members and administrators
7. PROCESSOR OBLIGATIONS (GDPR ART. 28(3))
PureAgentive, as Processor, undertakes to:
(a) Process only on documented instructions: PureAgentive will process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA), unless required to do so by EU or Belgian law, in which case PureAgentive will inform the Controller unless prohibited from doing so.
(b) Confidentiality: PureAgentive ensures that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
(c) Technical and Organisational Measures (Art. 32): PureAgentive implements and maintains appropriate security measures including:
- Encryption at rest: AES-256-GCM for all stored Personal Data and credentials
- Encryption in transit: TLS 1.2+ for all data in transmission
- Access controls: Role-Based Access Control (RBAC) and Row-Level Security (RLS) in the database
- Credential security: AI provider credentials stored in encrypted form with per-tenant isolation
- Regular security reviews and vulnerability assessments
(d) Sub-processors: PureAgentive will not engage new sub-processors without prior written authorisation from the Controller (general authorisation is granted by acceptance of this DPA for the sub-processors listed in Section 8). PureAgentive will impose the same data protection obligations on sub-processors as set out in this DPA. PureAgentive remains liable for the acts and omissions of its sub-processors. The Controller may object to new sub-processors by contacting legal@pureagentive.com within 30 days of notification.
(e) Data Subject Rights: PureAgentive will assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under GDPR Arts. 15–22, taking into account the nature of the processing.
(f) Security, Breach, DPIA, Prior Consultation: PureAgentive will assist the Controller in ensuring compliance with Arts. 32–36, including security obligations, data breach notification, data protection impact assessments (DPIAs), and prior consultation with supervisory authorities.
(g) Deletion or Return: Upon termination of the Service or on request by the Controller, PureAgentive will delete or return all Personal Data to the Controller (at the Controller's choice) within 30 days, and delete existing copies unless EU or Belgian law requires storage.
(h) Audit Cooperation: PureAgentive will make available to the Controller all information necessary to demonstrate compliance with Art. 28 and will allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, on reasonable written notice.
8. CURRENT SUB-PROCESSORS
PureAgentive engages the following sub-processors in the provision of the Service:
Supabase Inc. (United States)
- Role: Database infrastructure, authentication, real-time subscriptions
- Transfer mechanism: Standard Contractual Clauses (SCCs, Decision 2021/914)
Stripe Inc. (United States)
- Role: Payment processing for subscriptions and end-user token purchases
- Transfer mechanism: Standard Contractual Clauses (SCCs, Decision 2021/914)
OpenAI (United States)
- Role: AI language model provider (if configured by Controller)
- Transfer mechanism: Standard Contractual Clauses (SCCs, Decision 2021/914)
Anthropic PBC (United States)
- Role: AI language model provider (if configured by Controller)
- Transfer mechanism: Standard Contractual Clauses (SCCs, Decision 2021/914)
ElevenLabs (United States)
- Role: Text-to-speech voice synthesis (if configured by Controller)
- Transfer mechanism: Standard Contractual Clauses (SCCs, Decision 2021/914)
fal.ai / HeyGen (United States)
- Role: Video avatar generation (if configured by Controller)
- Transfer mechanism: Standard Contractual Clauses (SCCs, Decision 2021/914)
PureAgentive will notify Controllers of any intended changes to this sub-processor list (additions or replacements) via platform notification or email at least 30 days in advance.
9. INTERNATIONAL TRANSFERS
All transfers of Personal Data to third countries (including the United States) are made subject to Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) or another lawful transfer mechanism under Chapter V of GDPR. Copies of applicable SCCs are available on request from legal@pureagentive.com.
10. DATA BREACH NOTIFICATION
In the event of a personal data breach affecting Personal Data processed under this DPA, PureAgentive will notify the Controller without undue delay and, where possible, within 24 hours of becoming aware of the breach. The notification will include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
11. TERM AND TERMINATION
This DPA is effective for the duration of the Controller's subscription to the Service. On expiry or termination of the subscription, PureAgentive will, at the Controller's election, delete or return all Personal Data within 30 days. Processor obligations of confidentiality and security survive termination.
12. GOVERNING LAW
This DPA is governed by Belgian law. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Brussels, Belgium.
13. CONTACT AND DPA REQUESTS
For DPA-related enquiries, separately executed DPA requests, sub-processor information, or SCC copies:
- Email: legal@pureagentive.com
- Postal: Lyne Systems & Consultancy (LSC), Groeneweg 17, 9320 Aalst, Belgium