Effective date: 14 May 2026 · Last updated: 14 May 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Black Salt Kft., trading as AgentHeaven ("AgentHeaven", "processor", "we", "us"), and the customer using the AgentHeaven managed AI digital-employee service ("Customer", "controller", "you").
This DPA applies where AgentHeaven processes personal data on behalf of the Customer in connection with the Service, including operational data processed by the digital employee, session and activity logs, connected-tool data, and customer-specific memory/wiki content.
Plain English summary: You decide what business data and tools your digital employee may access. We process that data only to operate, secure, support, and improve your own digital employee. We do not use your data for cross-customer training, shared datasets, or unrelated AgentHeaven purposes.
For account, billing, website, consultation, and marketing data, AgentHeaven may act as an independent data controller as described in the Privacy Policy. For operational data that your digital employee processes under your instructions, the Customer is the controller and AgentHeaven is the processor.

| Item | Details |
|---|---|
| Subject matter | Provision of a managed AI digital employee, including agent hosting, tool connection, session execution, logging, customer memory/wiki, support, and tuning. |
| Duration | For the subscription term plus the post-cancellation retention/export period stated in the Privacy Policy, unless a longer period is required by law or agreed in writing. |
| Nature and purpose | Processing business communications, records, prompts, tool outputs, logs, and customer-specific memory/wiki to perform work selected by the Customer. |
| Data categories | Identity, contact, business, operational, source-system, session, activity-log, support, and customer memory/wiki data. |
| Data subjects | Customer personnel, customers' customers, leads, prospects, vendors, email correspondents, ticket submitters, and other persons whose data appears in connected systems. |
| Special-category data | Not intentionally requested by AgentHeaven, but may be incidentally processed if present in Customer-connected systems. Customer remains responsible for the lawful basis and suitability of connected data sources. |

AgentHeaven will process Customer personal data only on documented instructions from the Customer, including the Terms, onboarding instructions, runbooks, connected-tool permissions, support requests, and written configuration changes. If we believe an instruction violates applicable data protection law, we will inform you unless legally prohibited.
AgentHeaven will ensure that personnel authorised to process Customer personal data are bound by confidentiality obligations and access Customer data only where needed to provide, secure, support, or troubleshoot the Service.
AgentHeaven will implement appropriate technical and organisational measures as described in the Security Measures page, including VPS-level hardening, per-customer isolation, credential protection, activity logging, and restricted access. Customer is responsible for permissions and data quality in connected tools.
Customer provides general written authorisation for AgentHeaven to engage the sub-processors listed on the Sub-processors page. AgentHeaven will impose data-protection obligations on each sub-processor that are materially no less protective than this DPA.
Change notice: AgentHeaven will give Customer at least 30 days' prior notice (by email to the billing contact on file, by an update to the Sub-processors page that Customer can subscribe to, or by both) before a new sub-processor begins processing Customer personal data, except where a faster change is required to address a security risk, legal requirement, or provider outage, in which case notice will be given as soon as reasonably practicable.
Objection: Customer may object on reasonable data-protection grounds within the 30-day notice period. AgentHeaven will use commercially reasonable efforts to make the affected processing available without the new sub-processor or to propose an alternative routing or self-hosted option. If AgentHeaven cannot accommodate the objection, Customer may terminate the affected portion of the Service for cause, with a pro-rata refund of pre-paid fees attributable to the unused remaining subscription period.
Where AgentHeaven transfers Customer personal data outside the EEA to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), which are deemed incorporated into this DPA by reference: Module Two (Controller-to-Processor) where AgentHeaven acts as a non-EEA data importer, and Module Three (Processor-to-Sub-Processor) where Customer personal data is transferred onward to a non-EEA sub-processor. Where applicable, AgentHeaven may also rely on the EU-US Data Privacy Framework or its successor mechanisms for transfers to certified US sub-processors. UK and Swiss transfers are covered by the corresponding UK International Data Transfer Addendum and Swiss FDPIC-recognised SCC variant respectively.
Customers may choose self-hosted or EU-only routing for sensitive workloads where technically available, in which case the transfer scenarios above will not arise for the routed traffic.
AgentHeaven will reasonably assist the Customer in responding to access, deletion, correction, portability, objection, and restriction requests relating to Customer operational data. Requests sent directly to AgentHeaven that clearly relate to Customer-controlled data may be forwarded to the Customer where appropriate.
AgentHeaven will notify the Customer without undue delay, and in any event within 48 hours of confirming a personal data breach affecting Customer personal data. The notice will include the information available at that point about the nature of the incident, affected data categories and (where known) data subjects, likely consequences, mitigation and containment steps, and a contact point. Where the full picture is not yet known, AgentHeaven will provide an initial notice within the 48-hour window and follow up with further information as the investigation progresses.
On termination, AgentHeaven will delete or return Customer operational data, customer memory/wiki, and credentials according to the Privacy Policy retention periods, unless EU or Member State law requires retention. Source documents are not stored by default. Session logs may be retained for security, dispute, legal, or compliance reasons for the periods stated in the Privacy Policy.
On reasonable written request, and no more than once per twelve-month period unless a personal data breach or a regulator-directed enquiry justifies an additional review, AgentHeaven will provide information necessary to demonstrate compliance with this DPA and Article 28 GDPR. The parties will first seek to satisfy the audit through written security summaries, policies, logs, completed security questionnaires, and any third-party audit reports AgentHeaven holds.
Where these materials are not sufficient to demonstrate compliance, Customer (or an independent third-party auditor mandated by Customer and not a competitor of AgentHeaven, bound by appropriate confidentiality obligations) may conduct an on-site or remote inspection on reasonable advance written notice, during business hours, and in a manner that does not compromise the confidentiality, security, or service continuity of other customers. Customer bears its own audit costs unless the audit reveals material non-compliance, in which case AgentHeaven bears reasonable audit costs and remediates without undue delay.
If there is a conflict between this DPA and the Terms regarding processor obligations for Customer personal data, this DPA controls. The Terms continue to apply to commercial, payment, liability, and service terms.
Data processing questions should be sent to info@agentheaven.ai.
This DPA is intended as a baseline Article 28 processor addendum and should be reviewed by counsel before enterprise use.