Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Customer”, the data controller) and HuzAgent.ai (“HuzAgent”, the data processor) for use of the HuzAgent.ai service (the “Service”). It applies to the extent HuzAgent processes personal data on the Customer’s behalf that is subject to the EU GDPR, the UK GDPR, or similar data-protection laws.

1. Roles

For personal data the Customer submits or collects through the Service about its own leads, customers, and contacts, the Customer is the controller and HuzAgent is the processor. For personal data about the Customer’s own account (account holder name, email, billing, usage), HuzAgent is the controller, as described in our Privacy Policy.

2. Subject Matter, Duration, Nature and Purpose

HuzAgent processes personal data only to provide the Service — capturing and storing leads, bookings, support requests, and quote requests; running automations; generating AI summaries and reply drafts; sending notifications; and supporting integrations configured by the Customer. Processing continues for the duration of the Customer’s use of the Service.

3. Categories of Data Subjects and Personal Data

Data subjects: the Customer’s leads, customers, prospects, and contacts. Personal data: identifiers and contact details (name, email, phone), the content of messages and requests submitted to the Customer, booking and scheduling details, and any other data the Customer chooses to collect through its forms and automations. The Customer must not submit special-category data unless strictly necessary and lawful.

4. Customer Instructions

HuzAgent processes personal data only on the Customer’s documented instructions, including those given through the Service’s configuration, and as required by applicable law (in which case HuzAgent will inform the Customer unless legally prohibited).

5. Confidentiality

HuzAgent ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations.

6. Security

HuzAgent implements appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls, and segregation of customer workspaces, taking into account the state of the art and the risks of processing.

7. Sub-processors

The Customer authorizes HuzAgent to engage sub-processors to provide the Service. Current sub-processors include:

• DigitalOcean — application hosting, managed PostgreSQL database, and file/object storage
• Paddle — payments and Merchant of Record
• Google (Gemini API) — AI processing; and Google Calendar / Google Sheets when the Customer connects them
• The Customer’s configured email/SMTP provider for transactional and reply emails

Where a workspace enables bring-your-own-key (BYOK), AI processing is performed directly by the Customer’s chosen provider (e.g. OpenAI or OpenRouter) under that provider’s terms. HuzAgent imposes data-protection obligations on its sub-processors and remains responsible for their performance. We will give notice of new sub-processors and the Customer may object on reasonable data-protection grounds.

8. Assistance to the Controller

Taking into account the nature of processing, HuzAgent assists the Customer, by appropriate measures, in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection) and in meeting the Customer’s security, breach-notification, and impact-assessment obligations. The Service provides self-service data export and deletion tools for account holders.

9. Personal Data Breaches

HuzAgent notifies the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, with information reasonably available to assist the Customer’s own notification duties.

10. International Transfers

Personal data may be processed in countries outside the EEA/UK, including the United States. Where required, transfers are made under appropriate safeguards such as the Standard Contractual Clauses.

11. Audits

HuzAgent makes available information necessary to demonstrate compliance with this DPA and allows for and contributes to reasonable audits, subject to confidentiality and security constraints.

12. Deletion or Return of Data

On termination of the Service, or on the Customer’s request, HuzAgent deletes or returns the Customer’s personal data, except where retention is required by law. Deleting a workspace or account removes the associated personal data from the live Service.

13. How to Accept

This DPA is incorporated into and forms part of the Customer’s agreement for the Service; using the Service constitutes acceptance. If your organization requires a signed copy or has specific contractual requirements, contact us through the contact page.

This document is a template provided for transparency and should be reviewed by your own legal counsel before relying on it.