Data Processing Agreement

Last updated: March 11, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fleece AI ("Processor") and the Customer ("Controller") and governs the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.

1. Definitions

  • Controller: The Customer who determines the purposes and means of processing personal data through the use of Fleece AI.
  • Processor: Fleece AI, which processes personal data on behalf of the Controller to provide the Service.
  • Data Subject: An identified or identifiable natural person whose personal data is processed.
  • Personal Data: Any information relating to a Data Subject that is processed through the Service.
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope & Purpose of Processing

The Processor shall process personal data only as necessary to provide the Service as described in the Terms of Service:

  • Subject Matter: Provision of the Fleece AI delegative AI workspace, including AI agent execution, workflow automation, and third-party app integrations.
  • Duration: For the term of the Customer's subscription, plus any data retention period specified in the Privacy Policy (maximum 30 days after account deletion).
  • Nature of Processing: Collection, storage, retrieval, use, transmission to AI model providers for inference, and deletion upon request.
  • Purpose: To execute AI agent tasks, automate workflows, manage user accounts, process payments, and deliver transactional communications.
  • Types of Personal Data: Name, email address, profile image URL, OAuth tokens (managed by providers), billing information (managed by Stripe), AI conversation content, workflow configurations, and usage analytics.
  • Categories of Data Subjects: Customer's end users, including employees and authorized agents who access the Service.

3. Processor Obligations

  • Process personal data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under a statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6).
  • Respect the conditions for engaging sub-processors as set out in Section 4.
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection).
  • Assist the Controller in ensuring compliance with data breach notification obligations (see Section 7).
  • At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required by law.

4. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. All sub-processors are bound by data protection obligations no less onerous than those in this DPA.

View the current list of sub-processors: Sub-processor List

5. Data Subject Rights

The Processor provides the following technical measures to assist the Controller in fulfilling data subject requests:

  • Right of Access: Data export via GET /api/user/export provides a complete JSON download of all personal data (GDPR Article 15/20).
  • Right to Erasure: Account deletion via DELETE /api/user/delete cascades to all associated data. Audit logs are anonymized (userId set to null) to preserve compliance records.
  • Right to Portability: The data export provides a machine-readable JSON format suitable for transfer to another service provider.
  • Right to Object: Marketing communications can be disabled via account settings or RFC 8058 one-click unsubscribe. Analytics cookies require explicit opt-in consent.

6. Technical & Organizational Measures

The Processor implements the following security measures to protect personal data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256 via Neon PostgreSQL).
  • OAuth 2.0 authentication with four providers, JWT session management, and API key hashing (SHA-256).
  • Immutable audit logging (SOC 2 CC7) with 25+ event types covering authentication, data access, and administrative actions.
  • Rate limiting on all API endpoints to prevent abuse and denial-of-service attacks.
  • Content Security Policy (CSP), HSTS, and additional security headers to prevent XSS, clickjacking, and MIME-type attacks.
  • Tenant data isolation enforced at the database query level. All queries are scoped by authenticated user ID.

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
  • Provide sufficient information for the Controller to meet its notification obligations to supervisory authorities within the GDPR 72-hour window.
  • Include in the notification: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

8. International Data Transfers

Personal data is primarily processed in the United States. For transfers of personal data from the European Economic Area (EEA) to the United States, the Processor relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914). All sub-processors processing EU personal data are bound by equivalent transfer safeguards.

9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor, upon reasonable notice and during normal business hours. The Processor shall provide reasonable cooperation and access to relevant documentation. Audit frequency shall not exceed once per calendar year unless a data breach has occurred.

10. Term & Termination

This DPA is effective for the duration of the Customer's subscription. Upon termination, the Processor shall delete all personal data within 30 days, except where retention is required by applicable law. The Controller may request a data export prior to termination. Provisions of this DPA that by their nature should survive termination (including confidentiality obligations, limitation of liability, and audit rights) shall survive.

Contact

For questions about this Data Processing Agreement or to exercise your rights, contact us at contact@fleeceai.app.