cdoagent.ai

Data Processing Agreement (DPA)

Last updated: 2026-05-03

When we process personal data on your behalf as a processor under GDPR Art. 28, this agreement binds you (controller) and Dan Burian (Czech sole trader, Business ID 03537099, VAT ID CZ8905214076, place of business Cyrilská 508/7, Trnitá, 602 00 Brno) as processor. Accepting it via the in-app `accept_dpa` tool (the timestamp is recorded) constitutes the binding contract required by Art. 28(3), in the electronic written form permitted by Art. 28(9), and has the effect of a signature; we issue a unilaterally signed PDF on request.

1. Roles

You = controller of personal data (employees, customers, business contacts you send the agent or that exist in your connected systems). cdoagent.ai (operated by Dan Burian, Business ID 03537099, VAT ID CZ8905214076) = processor.

2. Subject, nature, and purpose

Subject: providing the AI agent for e-commerce delivery / fulfillment / returns / supply chain, including optional connectors into your source systems (Shopify, ERP, monitoring).
Nature: reading from and caching authorized sources; storing your conversations with the agent; generating answers via the Anthropic API; storing your data in your private Postgres schema `tenant_<id>`.
Purpose: solely to deliver the service to you; never for secondary purposes (model training, profiling, data resale).

3. Duration

For the term of the contract plus at most 90 days for rollback, then deletion. Clicking "Erase all my data" deletes everything, including `DROP SCHEMA tenant_<id> CASCADE`, within 60 seconds. Accounting records (`credit_transactions`, invoices) are retained for 10 years as required by Czech accounting law, in anonymized form.

4. Categories of data subjects and personal data

Subjects: your employees (admin signing up + team users), customers in connected systems (names, emails, shipping addresses in orders), business contacts in documents you forward.
Categories: identification, contact, transactional (orders/payments, if you connect a shop), operational (logs, telemetry). We do not process special categories of data under Art. 9 GDPR (health, biometric, etc.); if you intend to send such data, contact us first.

5. Read-only invariant on connectors

We contractually commit never to write back to your source systems. Three layers enforce this:
1. TypeScript types: the connector HTTP method type is the literal union `'GET' | 'HEAD'`, so any other method fails to compile.
2. Database trigger: rejects any `write_*`/`manage_*`/`modify_*`/`admin` scope written to `connections.scopes`.
3. Runtime guard + CI test: every fetch goes through `connectorHttp`, which records `connector_runs.status = 'invariant_violation'` for any request whose method is not GET/HEAD instead of sending it (types are erased at runtime, so the compile-time check alone is not enough). A CI grep gate fails the build if a literal `'POST'`/`'PUT'`/`'DELETE'` appears in connector code outside `http.ts`.
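The three layers above, as an added TypeScript example written for this page (not cdoagent.ai's own code): a compile-time method type, the scope rule the trigger enforces, the runtime guard that records an `invariant_violation`, and the CI grep gate, all run against constructed inputs. The identifiers `connectorRuns`, `validateScopes`, `grepGate`, the in-memory audit array and the Shopify-style scope names are assumptions of the example; only `connectorHttp`, `connector_runs` and `connections.scopes` are named on the page.

```typescript
// Added example (not cdoagent.ai's code): the three layers of the read-only
// connector invariant in one runnable file. connectorRuns, validateScopes,
// grepGate and the sample inputs are assumed for this illustration.

// Layer 1: the method type is a literal union. `method: 'POST'` is a type
// error, so ordinary connector code cannot express a write.
type ReadOnlyMethod = 'GET' | 'HEAD';

interface ConnectorRequest {
  connectionId: string;
  url: string;
  method: ReadOnlyMethod;
}

interface ConnectorRun {
  connectionId: string;
  url: string;
  method: string;
  status: 'ok' | 'error' | 'invariant_violation';
}

// Stand-in for the append-only `connector_runs` audit table.
export const connectorRuns: ConnectorRun[] = [];

// Stand-in for fetch, synchronous so the example runs offline; a real
// implementation would `await fetch(url, { method })`.
type Transport = (url: string, method: ReadOnlyMethod) => { status: number; body: string };

// Layer 3: runtime guard. Types are erased on compile, so a method read from
// config, or forced through a cast, can still arrive as 'POST'. The guard
// re-checks the value, records the attempt, and refuses to send it.
export function connectorHttp(req: ConnectorRequest, transport: Transport): { status: number; body: string } | null {
  const method = String(req.method).toUpperCase();
  if (method !== 'GET' && method !== 'HEAD') {
    connectorRuns.push({ connectionId: req.connectionId, url: req.url, method, status: 'invariant_violation' });
    return null;
  }
  const res = transport(req.url, method as ReadOnlyMethod);
  connectorRuns.push({ connectionId: req.connectionId, url: req.url, method, status: res.status < 400 ? 'ok' : 'error' });
  return res;
}

// Layer 2: the rule the database trigger applies to connections.scopes,
// expressed in TypeScript so it can run here. Scope names follow the
// Shopify convention (read_orders, write_orders, ...); matching is
// case-insensitive so 'Admin' is caught as well.
const FORBIDDEN_SCOPE = /^(write_|manage_|modify_)|^admin$/i;

export function validateScopes(scopes: string[]): { ok: boolean; offending: string[] } {
  const offending = scopes.filter((s) => FORBIDDEN_SCOPE.test(s.trim()));
  return { ok: offending.length === 0, offending };
}

// Layer 3, CI side: the grep gate over a map of path -> source text. Any
// string literal naming a write method in connector code outside http.ts
// fails the build. PATCH is added here beyond the page's POST/PUT/DELETE
// list because it is also a write.
const WRITE_LITERAL = /['"](POST|PUT|PATCH|DELETE)['"]/;

export function grepGate(files: Record<string, string>): string[] {
  return Object.keys(files)
    .filter((path) => path.split('/').pop() !== 'http.ts' && WRITE_LITERAL.test(files[path]))
    .sort();
}
```

The runtime layer exists because a method that arrives as data (a connector config field, a value forced through a cast) bypasses layer 1 entirely; the guard therefore repeats the check on the string itself and writes the audit row before returning, so a violation is visible in `connector_runs` even though nothing was sent.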

If you find a single write back into your system in our code (an `INSERT`/`UPDATE`/`DELETE` against your data, or an HTTP `POST` to your API), you are entitled to a year of free service plus damages under Art. 82 GDPR where applicable.

6. Sub-processors

Current sub-processor list (May 3, 2026):

| Entity | Purpose | Region | SCC |
|---|---|---|---|
| Anthropic, PBC | LLM inference (Claude API) | US | EU SCC module 2 + "no training on customer data" in MSA |
| Google LLC | Google Workspace for the production mailbox `[email protected]` (support correspondence) | EU servers | EU SCC + Workspace DPA |
| DigitalOcean LLC | Hosting + Postgres | EU region (Frankfurt) | EU SCC |

We give 30 days' notice before adding or changing a sub-processor. You may object; if we do not resolve the objection within 30 days, you may terminate without penalty.

7. Security measures (Art. 32 GDPR)

  • TLS 1.2+ in transit; AES-256 at rest (DigitalOcean disk encryption).
  • Connector credentials: encrypted with pgcrypto symmetric encryption; the key is held in the application environment, separate from the database.
  • MCP API keys: stored as SHA-256 hashes; the plaintext is shown once, at creation.
  • User passwords: scrypt hashes (`users.password_hash`); never stored in plaintext.
  • Rate limiting per IP and per company (5/h on login and signup).
  • Cross-tenant isolation: each tenant has a private Postgres schema `tenant_<id>`, selected per session with `SET search_path`.
  • Audit log: `connector_runs` table, immutable (append-only), exportable as CSV.
  • Incident response: we notify you within 72 h of detecting a personal data breach (Art. 33(2)).
  • Backups: daily snapshots on DigitalOcean retained for 7 days; annual restore drill.
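A worked illustration of the tenant-scoping measure above, written for this page rather than taken from cdoagent.ai's code base. It validates the tenant id before it becomes part of an identifier, sets `search_path` through `set_config(..., true)` so the value is a bind parameter and expires with the transaction (a bare `SET search_path` cannot take bind parameters, and on a pooled connection a session-level setting would persist into the next tenant's request unless explicitly reset), and records the statements with a constructed in-memory client so it runs offline. `tenantSchema`, `searchPathStatement`, `withTenant` and `FakeClient` are names assumed for the example.

```typescript
// Added example (not cdoagent.ai's code): pinning one request to its tenant
// schema. tenantSchema, searchPathStatement, withTenant and FakeClient are
// assumed names; the client shape is the minimum a pg-style client offers.

interface QueryResult { rows: Record<string, unknown>[] }
interface SqlClient {
  query(text: string, params?: unknown[]): Promise<QueryResult>;
}

// The tenant id must be validated before it touches an identifier. Even with
// set_config() taking the value as a parameter, an unchecked string such as
// "7, public" would widen the search path to a shared schema.
export function tenantSchema(tenantId: number | string): string {
  const s = String(tenantId);
  if (!/^[0-9]{1,18}$/.test(s)) {
    throw new Error(`invalid tenant id: ${JSON.stringify(s)}`);
  }
  return `tenant_${s}`;
}

// set_config(name, value, is_local = true) is an ordinary function call, so
// the schema name travels as $1, and the setting is scoped to the current
// transaction: it cannot survive onto a pooled connection's next checkout.
export function searchPathStatement(tenantId: number | string): { text: string; params: string[] } {
  return {
    text: "SELECT set_config('search_path', $1, true)",
    params: [tenantSchema(tenantId)],
  };
}

// Run `fn` inside one transaction whose search_path is exactly the tenant's
// schema. The BEGIN matters: a transaction-local setting issued outside an
// explicit transaction would end with that single statement.
export async function withTenant<T>(
  client: SqlClient,
  tenantId: number | string,
  fn: (c: SqlClient) => Promise<T>,
): Promise<T> {
  const sp = searchPathStatement(tenantId); // validate before opening the transaction
  await client.query('BEGIN');
  try {
    await client.query(sp.text, sp.params);
    const out = await fn(client);
    await client.query('COMMIT');
    return out;
  } catch (e) {
    await client.query('ROLLBACK');
    throw e;
  }
}

// Constructed in-memory client that records statements so the example runs offline.
export class FakeClient implements SqlClient {
  readonly log: string[] = [];
  async query(text: string, params: unknown[] = []): Promise<QueryResult> {
    this.log.push(params.length ? `${text} -- ${JSON.stringify(params)}` : text);
    return { rows: [] };
  }
}
```

Setting the path to `tenant_<id>` alone, without a `public` fallback, is deliberate: an unqualified table name that does not exist in the tenant schema then fails loudly instead of silently resolving to a shared table. With a real pool, the client passed to `withTenant` is checked out for the duration of the call and released afterwards; because the setting was transaction-local, no reset is needed on release.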

8. Your rights as controller

  • Audit / inspection: once a year by appointment (at least 14 days' notice); we provide documentation, a security review, and an audit log export. More frequent audits are at the requestor's expense.
  • Data export: conversations, documents, and audit log as CSV/JSON, at any time.
  • Erasure (Art. 17): `/account → Erase all my data` (completes within 60 s) or by email request (within 30 days).
  • Subject access requests from your data subjects: we assist per Art. 28(3)(e) and provide the relevant records within 14 days.
  • Subject deletion requests: the agent can delete a specific record from `tenant_<id>`; contact us with the Subject ID.
  • Breach notification (Art. 33): within 72 h of our detection.

9. Transfers outside EU/EEA

Anthropic, Google, and DigitalOcean are US-headquartered companies (Google and DigitalOcean serve us from EU infrastructure, see section 6; Anthropic's inference runs in the US). Transfers are covered by the EU Standard Contractual Clauses, module 2 (controller-to-processor, Decision (EU) 2021/914), plus supplementary measures: TLS in transit, a contractual no-training commitment from Anthropic, and audit logs.

10. Confidentiality

Our employees and contractors are bound by confidentiality (NDA / employment contract). Access to customer data is need-to-know.

11. Acceptance / signed version

This online DPA is binding from the moment you accept it via the in-app `accept_dpa` tool (recorded in `companies.metadata.dpa_accepted_at`). For a signed PDF for your compliance officer, request at [email protected] - issued within 5 business days.
