DATA PROCESSING AGREEMENT (DPA)

xAgentNXXT
OpenAutonomyX OPC Private Limited
Last Updated: [Insert Date]

  1. INTRODUCTION

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between OpenAutonomyX OPC Private Limited (“Company”, “Processor”, “we”, “our”, or “us”) and the user or organization using the AgentNXXT platform (“Customer”, “Controller”).

This DPA governs the processing of personal data in connection with the use of the AgentNXXT platform and related services.

This agreement is intended to support compliance with applicable data protection laws including:

• General Data Protection Regulation (GDPR)
• India Digital Personal Data Protection Act (DPDP)
• Other applicable data protection regulations

  1. DEFINITIONS

For the purposes of this Agreement:

Personal Data
Means any information relating to an identified or identifiable individual.

Processing
Means any operation performed on personal data including collection, storage, analysis, or deletion.

Controller
Means the entity that determines the purposes and means of processing personal data.

Processor
Means the entity that processes personal data on behalf of the Controller.

Sub-processor
Means any third party engaged by the Processor to process personal data.

  1. ROLES OF THE PARTIES

Customer acts as the Data Controller with respect to personal data submitted to the AgentNXXT platform.

OpenAutonomyX OPC Private Limited acts as the Data Processor and processes personal data solely for the purpose of providing the AgentNXXT services.

  1. PURPOSE OF DATA PROCESSING

The Processor may process personal data only for the following purposes:

• Providing the AgentNXXT platform services
• Enabling AI agent development and execution
• Supporting marketplace operations
• Managing platform security and reliability
• Providing customer support
• Complying with legal obligations

The Processor will not process personal data for unrelated purposes.

  1. TYPES OF PERSONAL DATA

Depending on platform usage, the following types of personal data may be processed:

• Account information (name, email address)
• Authentication data
• User-generated inputs and uploaded files
• Platform usage information
• Technical identifiers (IP address, device information)

The categories of data subjects may include:

• Platform users
• Customers of the Customer
• Developers and administrators

  1. PROCESSOR OBLIGATIONS

The Processor agrees to:

• Process personal data only on documented instructions from the Controller
• Implement appropriate technical and organizational security measures
• Ensure personnel handling personal data are subject to confidentiality obligations
• Assist the Controller in responding to data subject requests where reasonably possible

  1. SECURITY MEASURES

The Processor shall implement appropriate security measures designed to protect personal data including:

• Secure cloud infrastructure
• Encryption of data in transit where applicable
• Access control mechanisms
• Monitoring systems for security incidents
• Incident response procedures

Security measures may be updated periodically to reflect evolving risks and technologies.

  1. SUB-PROCESSORS

The Processor may engage trusted third-party service providers (“Sub-processors”) to provide infrastructure or services necessary to operate the platform.

Examples may include:

• Cloud infrastructure providers (AWS, GCP, Hostinger)
• Payment processors (Stripe, PayPal, Razorpay)
• Analytics and monitoring services

The Processor will ensure that Sub-processors are bound by data protection obligations comparable to those in this Agreement.

  1. INTERNATIONAL DATA TRANSFERS

Personal data processed through AgentNXXT may be transferred to or stored in jurisdictions outside the Controller’s country.

The Processor will implement reasonable safeguards to ensure that cross-border data transfers comply with applicable data protection laws.

  1. DATA BREACH NOTIFICATION

In the event of a confirmed personal data breach affecting Customer data, the Processor will notify the Customer without undue delay after becoming aware of the breach.

The notification will include available information regarding:

• Nature of the breach
• Categories of data affected
• Measures taken to mitigate the breach

  1. DATA SUBJECT RIGHTS

Where applicable under data protection laws, the Controller may receive requests from individuals to exercise rights such as:

• Access
• Correction
• Deletion
• Data portability
• Restriction of processing

The Processor will provide reasonable assistance to the Controller in fulfilling such requests where technically feasible.

  1. DATA RETENTION AND DELETION

The Processor will retain personal data only for as long as necessary to provide the services or comply with legal obligations.

Upon termination of services or request from the Controller, personal data may be deleted or anonymized unless retention is required by law.

  1. AUDIT RIGHTS

Where required by applicable law or contractual obligations, the Controller may request information necessary to demonstrate the Processor’s compliance with this Agreement.

Reasonable documentation regarding data protection measures may be provided upon request.

  1. LIABILITY

Each party remains responsible for its obligations under applicable data protection laws.

Nothing in this Agreement limits or excludes liability where such limitation is prohibited by law.

  1. TERM AND TERMINATION

This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller in connection with the AgentNXXT platform.

Termination of the underlying service agreement will result in termination of this DPA, subject to applicable data retention obligations.

  1. GOVERNING LAW

This Agreement shall be governed by the laws of India, unless otherwise required by applicable data protection laws.