Data Processing Agreement

Template per Art. 28 GDPR — Effective: February 20, 2026

To execute this DPA, please contact us at legal@clawy.io. We will provide a countersigned copy for your records.

1. Subject and Duration of Processing

This Data Processing Agreement ("DPA") supplements the Terms of Service between the Customer ("Controller") and Allonsy GmbH ("Processor") and governs the processing of personal data by the Processor on behalf of the Controller.

The duration of processing corresponds to the duration of the service agreement. Processing begins when the Controller's account is activated and ends upon account deletion or termination of the service agreement.

2. Nature and Purpose of Processing

The Processor provides Infrastructure-as-a-Service (IaaS) — dedicated virtual machines with pre-configured AI agents. Processing of personal data occurs solely for the purpose of providing and maintaining the contracted service.

The nature of processing includes:

  • Storage and transmission of data within the virtual machine environment
  • Network traffic routing and TLS termination
  • Collection of VM metadata for operational purposes
  • Automated backups and snapshots (if enabled by the Controller)

3. Types of Personal Data

The following types of personal data may be processed:

  • Any personal data the Controller stores or processes within the virtual machine
  • IP addresses and connection metadata
  • Account data (email, username)

4. Categories of Data Subjects

  • The Controller's employees and contractors
  • The Controller's end users and customers
  • Any other individuals whose data the Controller processes within the VM

5. Controller Obligations

The Controller shall:

  • Ensure that the processing of personal data is lawful and that all necessary consents have been obtained
  • Provide documented instructions for the processing of personal data
  • Notify the Processor promptly of any data subject requests that require the Processor's assistance
  • Ensure compliance with applicable data protection laws within the VM environment

6. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or Member State law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR)
  • Not engage another processor without prior specific or general written authorization of the Controller
  • Assist the Controller in fulfilling obligations regarding data subject rights, data breach notifications, and data protection impact assessments
  • Delete or return all personal data to the Controller after the end of the provision of services, at the Controller's choice
  • Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR

7. Sub-processors

The Controller grants general authorization for the use of the following sub-processors:

Sub-processor        | Purpose                  | Location
Hetzner Online GmbH  | Dedicated server hosting | Germany

The Processor shall inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object within 30 days.

8. Technical and Organizational Measures

The Processor implements the following measures:

  • Encryption of data in transit (TLS 1.2+)
  • Encrypted storage volumes for VM data
  • Network isolation between customer VMs
  • Access controls and authentication for management systems
  • Regular security updates for host infrastructure
  • Physical security of data center facilities (provided by Hetzner)
  • Logging and monitoring of administrative access

9. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall cooperate with such audits.

Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's operations. The Controller shall bear the costs of any audit.

10. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

11. Data Return and Deletion

Upon termination of the service agreement, the Controller may retrieve all data from the VM within 30 days. After this period, the Processor shall permanently delete all personal data, including any copies, unless retention is required by EU or Member State law.

The Processor shall provide written confirmation of deletion upon request.

12. Liability

Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Art. 82 GDPR. The Processor shall be liable for damages caused by processing only where it has not complied with obligations specifically directed to processors under the GDPR, or where it has acted outside of or contrary to lawful instructions of the Controller.

13. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is Hamburg, Germany.

Contact

For questions about this DPA or to request execution, contact:
Allonsy GmbH
Haldesdorfer Str. 14, 22179 Hamburg, Germany
Email: legal@clawy.io