Data processing addendum

Where you, the subscriber, deploy a catalog workflow inside a client's customer-facing assistant, you are the data controller for any customer data the workflow collects. agorá is a data processor acting on your instructions, in the sense given by GDPR article 28 and the comparable provisions in UK GDPR, CCPA, and the LGPD.

Within agorá, the operator (Diego Marono) is the controller for subscriber-account data — your email, billing, and configuration. The privacy document covers that role separately.

Run records and the provisioned-URL configuration are stored in the runtime region selected at provisioning time. The default region is us-east. EU residency is available on request and is configured per workflow.

Once a region is selected for a workflow, run records for that workflow do not leave the region except for two operational purposes: (a) one-way replication of operational telemetry that is aggregated and not tied to subscriber identity, and (b) limited access by the operator for debugging when you have asked for help with a specific run.

Practice-scale subscribers can pin all workflows to one region by default. Email diego@agora.* to set the default.

Retention follows the windows in the privacy document: ninety days rolling for run records on Pro, forty-five with BYO keys.

On cancellation, all subscriber-scoped data — account, MCP URLs, run records — is deleted within seven days, with one weekly export window so you can pull a JSONL archive first. Aggregated operational telemetry that is not tied to your identity is retained.

Re-subscribing within thirty days of cancellation restores access to data that has not yet been deleted. After thirty days, the deletion is irrevocable.

agorá uses a limited set of subprocessors: a hosting provider for the runtime regions, a payment processor, an email-delivery provider, and Anthropic and OpenAI for inference when BYO keys are not supplied. The current subprocessor list is published at this address and updated when it changes; material additions are emailed to active subscribers fourteen days before they take effect.

All subprocessors are bound by their own DPAs with the operator, which mirror the obligations in this document.

Erasure requests originating from your client's customer reach you, the controller, first. When a request reaches agorá through you, identifying data tied to the customer in the matching run records is purged within thirty days.

agorá does not, on its own, identify which run records belong to which end-customer of your client. Erasure requires either an identifier present in the run records or a workflow-and-time-window scope provided by you.

Practice-scale subscribers can request an annual audit of agorá's data-handling practices. Audits are conducted via written exchange — the questions, the operator's answers, the operator's evidence — and not via on-site visits, given the operator is one person.

Pro subscribers without a practice-scale agreement receive the answers to the audit by reading the SOC-style summary published at this address once per year.

If a security incident affecting your data occurs, agorá notifies you within seventy-two hours of becoming aware of it. The notification includes the nature of the incident, the data categories affected, the likely consequences, and the remediation taken or planned.

Where the incident requires you to notify your client's customers, the notification gives you what you need to do so without further investigation on your end.

On termination of your subscription, this DPA continues to govern data still held by agorá until that data has been deleted under the retention windows above. After deletion, the DPA terminates with the subscription.

If your client requires a counter-signed copy of this DPA on letterhead, email diego@agora.* with the request and the legal entity to name; a counter-signed PDF lands within two business days.