Data Processing Agreement
Last updated: May 24, 2026
This DPA forms part of the agreement between Safeney (“Processor”) and the client (“Controller”) when Safeney processes personal data on the client’s behalf.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person that is processed under this agreement.
“Processing” means any operation performed on Personal Data, including collection, storage, retrieval, transmission, or deletion.
“Controller” is the client who determines the purposes and means of processing.
“Processor” is Safeney, who processes Personal Data on behalf of the Controller.
2. Roles
You are the Controller. We are the Processor. You retain full control over your data. We process it only to deliver the agreed services. This includes processing customer support tickets, customer inquiries, documents, and any other data you provide for the purpose of building and operating your AI Agent.
3. What Data Is Processed
The specific Personal Data processed depends on the Agent we build for you. It may include:
Customer names, email addresses, and contact information (from support tickets, CRM, etc.)
Communication history (emails, chat messages, support conversations)
Documents and records your organization processes
Any other data you explicitly provide for the Agent to operate on
The scope of processing is defined in the Statement of Work for your project.
4. Subprocessors
We use the following subprocessors to deliver our services. Each is contractually bound to the same data protection standards:
| Subprocessor | Service | Certifications |
|---|---|---|
| OpenAI | LLM inference | SOC 2 Type II |
| Anthropic | LLM inference | SOC 2 Type II |
| Google Cloud | LLM inference (Gemini) | SOC 2 Type II, ISO 27001, HIPAA |
| DeepSeek | LLM inference | — |
| Novita AI | LLM inference (open-source models) | SOC 2 Type II |
| Hetzner | Server hosting | ISO 27001, SOC 2 Type II |
| Zoho (Zoho Mail / SMTP) | Email communication | SOC 2 Type II |
| Cal.com | Consultation booking (cal.com/safeney) | SOC 2 Type II |
| Redis (self-hosted) | Session cache (no persistent data) | — |
We will notify you at least 30 days before adding or replacing any subprocessor. You may object in writing, and we will work with you to find an acceptable alternative.
5. Data Residency
By default, data is processed on our Hetzner server in Helsinki, Finland (EU). LLM API calls may be processed by providers in the US or other regions depending on the provider’s infrastructure. If you require data to remain within a specific jurisdiction, we can deploy entirely on your infrastructure — no data leaves your environment. For full air-gapped isolation, we can deploy with an on-premise LLM (Ollama or vLLM on your GPU) so no data is sent to any third-party API. This must be specified in the Statement of Work.
6. Data Security Measures
We maintain the following technical and organizational security measures:
Encryption in transit (TLS 1.3) for all API and database connections
Encryption at rest for all stored data (PostgreSQL, Redis)
Access control with unique credentials and least-privilege principle
Regular security updates and patch management
PII scanning at input and output for enterprise agents
Audit logging of all system access and data processing (enterprise tier)
Background checks for team members handling client data
7. Data Deletion
Upon termination of the agreement:
We will delete all Personal Data within 90 days, unless retention is required by law
You receive a full export of all your data and code before deletion
LLM providers (OpenAI, Anthropic, etc.) have their own deletion timelines per their policies — we will coordinate deletion requests on your behalf
You may request earlier deletion at any time by emailing support@safeney.com.
8. Data Breach Notification
If we become aware of a data breach affecting your Personal Data, we will notify you within 48 hours. We will provide details of the breach, steps taken to mitigate it, and recommendations for your response. We will cooperate fully with any investigation.
9. Your Instructions
We process Personal Data only on your documented instructions. If we are required by law to process data beyond your instructions, we will inform you unless prohibited by law. You agree that your instructions comply with applicable data protection laws.
10. Contact
For DPA-related inquiries: support@safeney.com