Data Processing Agreement (DPA)
Last updated: 2026-06-23
This Data Processing Agreement (“DPA”) governs the processing of personal data carried out by Annexo on your behalf under Article 28 of Regulation (EU) 2016/679 (“GDPR”). It forms part of, and is incorporated by reference into, the agreement under which you use annexo.eu (the “Agreement”).
Parties
- Processor: Benjamin Hellmich, operator of annexo.eu (“Annexo”, “we”). Full identity and contact details are in our Impressum (data contact: legal@annexo.eu).
- Controller: you, the business customer who has entered into the Agreement (“you”, “Customer”).
1. Acceptance by reference
You accept this DPA when you use any feature through which Annexo processes personal data on your behalf — in particular registering and verifying an AI agent on the Fleet platform and running verification probes. No separate signature is required for this DPA to take effect; a counter-signed copy is available on request to the contact above. Where this DPA conflicts with the rest of the Agreement on data protection, this DPA prevails.
2. Roles and scope
For personal data that you submit, or that is collected through your use of the Service on your instructions, you are the controller and Annexo is the processor. You are responsible for the lawfulness of the data you provide and for having a valid legal basis to instruct the processing described in Annex 1.
Where Annexo determines the purposes and means of processing for its own account operations (for example, security, abuse prevention, and product analytics), Annexo acts as an independent controller for that processing; it is described in our Privacy Policy and is outside the scope of this DPA.
3. Processing only on documented instructions
Annexo processes personal data only on your documented instructions, including for international transfers, unless required to do so by Union or Member State law; in that case Annexo informs you before processing, unless the law prohibits it on important grounds of public interest. Your instructions are constituted by this DPA, the Agreement, and your configuration and use of the product. If Annexo believes an instruction infringes data-protection law, it will inform you without undue delay.
4. Confidentiality
Annexo ensures that persons authorised to process the personal data have committed themselves to confidentiality, and that access is limited to personnel who need it to provide the Service.
5. Security of processing (Art. 32)
Annexo implements appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk. A summary is in Annex 2 and on our security page. Annexo holds no SOC 2, ISO 27001 or comparable certification and does not claim one; Annex 2 describes the measures it actually operates — including the invariant that a customer’s agent API key is held in memory for a single request and never persisted.
6. Sub-processors
You grant Annexo a general written authorisation to engage sub-processors, subject to this clause. The sub-processors engaged at the date of this DPA are listed in Annex 3 and kept current at annexo.eu/subprocessors.
- Annexo imposes on each sub-processor, by contract, data-protection obligations materially the same as those in this DPA, and remains fully liable to you for each sub-processor’s performance.
- Change notice: Annexo will give you reasonable prior notice of any intended addition or replacement of a sub-processor by updating the /subprocessors page, so you can object on reasonable data-protection grounds.
- Objection: if you object on reasonable grounds and the objection cannot be resolved, you may, as your sole remedy, terminate the affected part of the Service.
7. Assistance with data-subject requests
Taking into account the nature of the processing, Annexo assists you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to data-subject requests under Chapter III GDPR. If a data subject contacts Annexo directly about data processed on your behalf, Annexo forwards the request to you without undue delay and does not respond on your behalf except on your instruction.
8. Personal-data breaches (Art. 33/34)
Annexo notifies you without undue delay after becoming aware of a personal-data breach affecting personal data processed on your behalf, and assists you in meeting your Articles 33 and 34 obligations with the information reasonably available to it.
9. Assistance with DPIAs
Annexo assists you, taking into account the nature of processing and the information available to it, in ensuring compliance with your obligations under Articles 32 to 36 (security, breach notification, data-protection impact assessments and prior consultation).
10. Deletion or return
At your choice, Annexo deletes or returns all personal data processed on your behalf after the end of the relevant services, and deletes existing copies, unless Union or Member State law requires storage. A customer’s agent API key is never persisted in the first place; registered-agent records can be deleted on request or within the product.
11. Audit and information rights
Annexo makes available to you the information necessary to demonstrate compliance with Article 28, and allows for and contributes to audits. To protect other customers, audits are on reasonable prior written notice, no more than once per year (save where required by a supervisory authority or following a breach), during normal business hours, subject to confidentiality, and primarily by Annexo providing its documentation and security summaries before any on-site inspection.
12. International transfers
Personal data processed on your behalf is hosted in the EU (compute pinned to fra1/Frankfurt; the Fleet store pinned to an EU region). Where a sub-processor processes personal data outside the EU/EEA — principally certain US-based providers in Annex 3 — the transfer is made under the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where certified, the EU–US Data Privacy Framework.
13. Term and liability
This DPA takes effect on acceptance (clause 1) and remains in force for as long as Annexo processes personal data on your behalf under the Agreement. Each party’s liability under this DPA is subject to the limitations in the Agreement. Nothing in this DPA limits liability where such limitation is not permitted by applicable data-protection law.
Annex 1 — Details of the processing
| Item | Description |
|---|---|
| Subject-matter | Provision of Annexo’s independent AI-agent verification and monitoring service to the Customer. |
| Duration | For the term of the Agreement and until deletion or return under clause 10. |
| Nature & purpose | Storage and analysis of personal data as strictly necessary to: register the Customer’s AI agents; run live verification probes against an endpoint the Customer controls; record the observed results and monitoring/drift state; and operate the platform on the Customer’s instruction. The agent API key used to reach the endpoint is processed transiently in memory and is never persisted. |
| Types of personal data | Account/contact identifiers of the Customer’s authorised users; any personal data incidentally contained in agent prompts, responses or configuration the Customer submits for verification. The Customer must not submit special categories of data (Art. 9) for processing. |
| Categories of data subjects | The Customer’s authorised users and administrators; and individuals whose personal data may appear in the agent interactions the Customer submits for verification. |
Annex 2 — Technical & organisational measures (TOMs)
Summary of the measures Annexo operates under Art. 32. The authoritative description is on the security page.
- Customer agent key never persisted: held in memory for a single request, enforced in the store layer, the API routes and the public serialisation; a request to store it is rejected.
- Platform access: the Fleet platform and its API are gated behind a session cookie compared in constant time; the access key and session secret are separate server secrets.
- Encryption in transit: TLS for all traffic; HSTS enforced.
- Hosting & residency: compute pinned to the EU (fra1); the Fleet store pinned to an EU region.
- Request hardening: SSRF-guarded outbound fetches with DNS/IP re-validation that block localhost and private/reserved ranges; a global Content-Security-Policy and security headers; per-route execution limits; a constant-time-checked cron secret.
- Secrets management: all secrets live only in environment variables, never in the repository; staged changes scanned for credential patterns before commit.
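One way to implement the SSRF guard named in the request-hardening measure above, as example code added here rather than Annexo’s own implementation; the hostnames and addresses are constructed sample data and the `SAMPLE_DNS` resolver stands in for real DNS lookups:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (hostname -> answers). Production code would call
# socket.getaddrinfo; the hostnames and addresses here are sample data only.
SAMPLE_DNS = {
    "agent.example.com": ["8.8.8.8"],                   # sample public address
    "mixed.example.com": ["8.8.8.8", "10.0.0.5"],       # one public, one private answer
    "loop.example.com":  ["127.0.0.1"],
    "v6.example.com":    ["2001:db8::1"],               # documentation range, not public
}
ALLOWED_SCHEMES = {"http", "https"}


def _blocked(ip):
    """True for any address an outbound probe must never reach."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def resolve_for_probe(url, resolver=SAMPLE_DNS.get):
    """Validate a customer-supplied probe URL before any outbound fetch.

    Returns (host, pinned_ip). The caller must open the connection to pinned_ip
    and send `host` in the Host/SNI fields instead of resolving again, so a DNS
    answer that changes between check and use (rebinding) cannot redirect the
    request. Raises ValueError for anything that is not a public HTTP(S) target.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:                                   # literal IP in the URL: check it directly
        addrs = [ipaddress.ip_address(host)]
    except ValueError:                     # hostname: resolve, then check every answer
        answers = resolver(host) or []
        if not answers:
            raise ValueError(f"unresolvable host: {host!r}")
        addrs = [ipaddress.ip_address(a) for a in answers]
    for ip in addrs:                       # one bad record in a mixed answer set is enough to refuse
        if _blocked(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return host, str(addrs[0])


def is_safe_probe_target(url, resolver=SAMPLE_DNS.get):
    """Boolean wrapper for callers that only need an allow/deny decision."""
    try:
        resolve_for_probe(url, resolver)
        return True
    except ValueError:
        return False
```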
Annex 3 — Approved sub-processors
The current list is maintained at annexo.eu/subprocessors. As at the date of this DPA:
| Sub-processor | Purpose | Region | Transfer safeguard |
|---|---|---|---|
| Vercel Inc. | Application hosting, content delivery, serverless function logs, and cookieless aggregate usage analytics (Vercel Web Analytics — no cookies, no cross-site profiling) | USA (EU compute region pinned: fra1 / Frankfurt) | EU Standard Contractual Clauses / EU–US Data Privacy Framework where certified |
| Upstash, Inc. | Managed Redis store for the Fleet platform — registered-agent records and monitoring state (the customer's agent API key is never written to it) | EU region (Frankfurt) | EU region pinned; EU Standard Contractual Clauses for any provider-side support access |
| Resend (Plus Five Five, Inc.) | Transactional & lead-notification email delivery | USA | EU Standard Contractual Clauses |
| OpenAI, L.L.C. | LLM evaluation (judging) of agent probe responses in the verification & readiness engines (API; not used to train models) | USA | EU Standard Contractual Clauses |
| ImprovMX SAS | Inbound email forwarding for annexo.eu (hello@ / legal@) | EU / USA | EU Standard Contractual Clauses |
This DPA is accepted by reference when you use Annexo’s processing features. A counter-signed copy is available on request via our Impressum or by email to legal@annexo.eu.