Data Processing Addendum & Subprocessors
Last updated: February 2026
Effective date: February 2026
1. Overview
This Data Processing Addendum ("DPA") supplements the Terms of Service and describes our commitments regarding the processing of personal data on your behalf. For the purposes of this DPA, you are the controller (or business) and we are the processor (or service provider) of personal data processed under this DPA. For a countersigned DPA or questions about data processing, please contact us at privacy@agentactionfirewall.com.
2. Processing Details
- Subject matter: provision of the Service and customer support.
- Duration: for the term of your subscription and as required by law.
- Nature and purpose: hosting, processing, security monitoring, analytics, and support.
- Categories of data: account information, usage data, audit logs, and configuration data.
- Categories of data subjects: your authorized users and end users.
3. Our Obligations
When processing personal data on your behalf, we will:
- Process personal data only on your documented instructions, unless required by applicable law.
- Ensure that persons authorized to process personal data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, and security monitoring.
- Notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach that is likely to affect your data.
- Upon termination of the Service, delete or return all personal data within 30 days of your written request, unless retention is required by applicable law. You may export your data at any time during your subscription.
- Make available to you all information necessary to demonstrate compliance with these data processing obligations. Upon reasonable written request (no more than once per year, with at least 30 days' notice), we will cooperate with reasonable audit or assessment activities.
- Provide reasonable assistance to you in responding to data subject access, correction, deletion, or portability requests within 10 business days of your written request. You may also use the Service's data export and deletion features to fulfill such requests directly.
4. Security Measures
We maintain technical and organizational measures designed to protect Customer Data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls with tenant isolation at the database level
- Tamper-evident audit logging with cryptographic hash chaining
- Regular security monitoring and vulnerability assessments
- Multi-factor authentication support
See our Security page and Privacy Policy for additional details.
5. Subprocessors
We use the following subprocessors to provide the Service. We will provide at least 30 days' advance notice before adding a new subprocessor by updating this page. If you object to a new subprocessor, you may notify us within 30 days of the update at privacy@agentactionfirewall.com, and we will work with you to address your concerns. If we are unable to address your concerns within 30 days, you may terminate the affected services without penalty by providing written notice.
| Subprocessor | Purpose | Location | Infrastructure |
|---|---|---|---|
| Supabase | Authentication, database, and hosting | United States | AWS |
| Vercel | Frontend hosting and CDN | United States | AWS |
| Stripe | Payment processing | United States | AWS |
| Resend | Email delivery | United States | AWS |
| Google Analytics | Usage analytics (when consent granted) | United States | Google Cloud |
| PostHog | Product analytics (when consent granted) | United States | AWS |
| Sentry | Error monitoring | United States | Google Cloud |
| Meta (Facebook) | Conversion tracking (when consent granted, specific pages only) | United States | — |
Note: When NLP policy evaluation is enabled and Bring Your Own API (BYOA) is not configured, action data may be processed by OpenAI (United States) or Anthropic (United States) for policy evaluation purposes. When BYOA is enabled, data is sent to the LLM provider you have selected per your own API key configuration.