Data Processing Agreement (DPA) — Set My Agents

1. Parties

This Data Processing Agreement ("DPA") is entered into between Arvex Global LLC ("Processor"), a company registered in the State of Wyoming, USA, and the Client ("Controller"), who subscribes to and uses the Set My Agents platform. This DPA supplements the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller.

2. Scope

This DPA applies to all personal data processed by Arvex Global LLC through the Set My Agents platform on behalf of the Controller. It covers any data collected, stored, transmitted, or otherwise handled in connection with the services provided, including data processed by AI agents configured by the Controller.

3. Roles & Responsibilities

• Controller (Client): Determines the purposes and means of processing personal data. The Controller is responsible for ensuring lawful basis for processing and providing appropriate notices to data subjects.
• Processor (Arvex Global LLC): Processes personal data solely on behalf of and in accordance with the documented instructions of the Controller, as outlined in this DPA and the Terms of Service.

4. Processing Details

• Categories of data: As determined by the Controller's agent configuration, which may include names, email addresses, phone numbers, conversation content, and other data collected by AI agents.
• Data subjects: The Controller's end users and customers who interact with the AI agents deployed through the Platform.
• Duration: Processing shall continue for the duration of the Controller's active service term with Set My Agents.

5. Processor Obligations

Arvex Global LLC, as the Processor, commits to the following obligations:

• Process personal data only on documented instructions from the Controller, unless required by applicable law
• Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures to protect personal data
• Assist the Controller in fulfilling data subject access requests and other rights requests
• Upon termination of services, delete or return all personal data to the Controller, at the Controller's election
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits

6. Sub-processors

The Processor engages the following sub-processors to deliver the Service:

• Stripe, Inc. — payment processing (PCI-DSS Level 1)
• Cloud hosting providers — infrastructure and data storage
• OpenClaw — AI agent infrastructure and execution

7. International Data Transfers

Personal data processed under this DPA is stored and processed in the United States of America. Where personal data originates from jurisdictions outside the USA (including the EU/EEA and Brazil), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and encryption in transit and at rest, to ensure an adequate level of data protection in compliance with applicable regulations.

8. Security Measures

The Processor implements and maintains the following technical and organizational measures to protect personal data:

• Encryption: TLS encryption in transit; AES-256 encryption at rest
• Access controls: Role-based access with least-privilege policies and multi-factor authentication
• Audits: Regular security audits and vulnerability assessments
• Incident response: Documented incident response plan with defined escalation procedures
• Agent logging: Comprehensive logging of all AI agent interactions for security monitoring and audit purposes

9. Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

10. GDPR Compliance

This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (GDPR). Where the Controller is established in the EU/EEA, or where personal data of EU/EEA residents is processed, Standard Contractual Clauses (SCCs) as adopted by the European Commission shall apply and are incorporated into this DPA by reference.

11. LGPD Compliance

Where personal data of Brazilian residents is processed, this DPA serves as the data processing instrument required under Article 39 of the Lei Geral de Proteção de Dados (LGPD). The Processor will cooperate with the Controller to ensure compliance with all applicable LGPD requirements, including responding to requests from the Autoridade Nacional de Proteção de Dados (ANPD).

12. Term & Termination

This DPA becomes effective when the Controller begins using the Set My Agents platform and remains in effect for the duration of the service term. The obligations of the Processor under this DPA shall survive termination of the service agreement until all personal data has been deleted or returned to the Controller in accordance with Section 5.

Contact