Legal

Data Processing Agreement

Last updated: 3 May 2026

This is Bobs Company's standard Data Processing Agreement ("DPA"). It governs how we handle personal data when providing managed agent infrastructure to our clients, and is incorporated by reference into each engagement agreement where we act as processor.

Background

Our service can run in two contexts:

On infrastructure provided and operated by Bobs Company — always-on, maintained by us, the agent operates under its own service accounts (its own source-control identity, its own API keys, its own bot tokens). This is the "production" deployment. This DPA applies here.
On the Client's own infrastructure — the Client runs the software locally under their own identity and accounts. We have no access to this environment. This DPA does not apply to local deployments.

The agent on the VPS has full local autonomy (no permission prompts, runs unattended) but limited external authority — it can only do what the Client has explicitly delegated to the agent's own service accounts (e.g. source-control permissions, API scopes). The Client running locally uses their own identity with full business authority.

The Client brings their own inference provider account (their choice of provider, including local models). We maintain the VPS infrastructure. All data on the Instance belongs to the Client.

Our position: we are a processor under GDPR Art. 28. The Client is the controller. We don't choose what data to process, we don't use Client data for our own purposes, and we don't control the inference provider relationship.

1. Definitions

"Service" — the managed Instance, the software deployed on it, and associated provisioning, maintenance, monitoring, security updates, and support provided by Bobs Company.
"Software" — the software Bobs Company builds and maintains and that runs on the Instance.
"Client" / "Controller" — the entity that contracts with Bobs Company for the Service and determines the purposes and means of personal data processing on the Instance.
"Processor" — Bobs Company (Berget Industries AB, Swedish org. no. 559025-2564), acting on the Controller's instructions.
"Instance" — the VPS allocated to the Client, including all data, files, logs, and agent state on it.
"Agent Identity" — the dedicated service accounts (source control, API keys, bot tokens, etc.) under which the agent operates on the Instance, separate from the Client's personal accounts.
"Personal Data" — as defined in GDPR Art. 4(1).
"Processing" — as defined in GDPR Art. 4(2).

2. Scope of Processing

2.1 What we process and why

Purpose	Data types	Lawful basis (ours as processor)
Provisioning the Instance	Client account info, SSH keys	Controller's instructions (Art. 28)
Maintenance & security updates	System logs, process state	Controller's instructions (Art. 28)
Monitoring & uptime	System metrics, health checks	Controller's instructions (Art. 28)
Support & troubleshooting	Whatever is visible during support access	Controller's instructions (Art. 28)

2.2 What we do NOT process

Inference data — flows directly between the Instance and the Client's chosen inference provider. We are not party to that relationship.
Client application data — files, scripts, conversation logs, agent state created by the Client or their AI agents. This is the Client's data. We do not access, read, copy, or extract it except as required for the purposes in 2.1.
API keys or credentials the Client stores on the Instance.
Any data processed by the Client running the Software on their own infrastructure — that environment is entirely outside the scope of this DPA.

2.3 Data subjects

Depends entirely on the Client's use case. May include the Client's employees, customers, leads, end-users, or other categories. The Client determines this as Controller. Specific categories are documented per engagement in Annex A.

2.4 Client-controlled platforms

Where the Service operates within Client-controlled platforms (e.g. the Client's messaging servers, communication tools, or third-party services), the Client is solely responsible for the data processing relationship with such platforms. Our processing in these contexts is limited to executing the agent's functions as instructed by the Client.

3. Our Obligations as Processor

Per GDPR Art. 28(3):

3.1 Instructions

We process Personal Data only on the Client's documented instructions, including with regard to transfers of Personal Data to a third country or international organization. If EU or Member State law requires us to process Personal Data beyond the Controller's instructions, we will inform the Client before such processing unless that law prohibits notification on grounds of public interest. If we believe an instruction violates GDPR or other EU/Member State data protection law, we will inform the Client before acting on it.

3.2 Confidentiality

All Bobs Company personnel with access to Client Instances are bound by confidentiality obligations.

3.3 Security (Art. 32)

We implement appropriate technical and organizational measures, including:

Encrypted storage (full-disk encryption on all instances)
SSH key-based access only (no password authentication)
Infrastructure hosted on dedicated servers within the EEA (specific location documented in Annex B per engagement)
Access limited to personnel who require it for operational purposes
System and access logging
The agent operates under its own dedicated service accounts (Agent Identity), separate from the Client's personal credentials — the Client controls what authority is delegated to the Agent Identity via external service permissions (e.g. org roles, API scopes)

3.4 Sub-processors

The Client provides general written authorization for sub-processors per Art. 28(2). Current sub-processors are listed in Annex C. Before adding or replacing a sub-processor, we notify the Client at least 30 days in advance. The Client may object within that period; if the objection is not resolved, the Client may terminate the affected Service.

All sub-processors are bound by data protection obligations no less protective than those in this DPA.

The Client's inference provider is not our sub-processor — the Client contracts with them directly.

3.5 Data subject rights

We assist the Controller with technical and organizational measures necessary to fulfill data subject requests under Articles 15–22, including access, rectification, erasure, restriction, portability, and objection. This includes providing data exports in machine-readable format upon request.

3.6 DPIA and prior consultation

We assist the Controller with Data Protection Impact Assessments (Art. 35) and prior consultations with supervisory authorities (Art. 36) upon the Controller's request, to the extent reasonably possible given our role and the information available to us.

3.7 Breach notification

If we become aware of a personal data breach affecting the Client's Instance, we notify the Client within 24 hours of becoming aware. We provide:

Description of the breach
What data was affected (to the extent we can determine)
What we've done to contain it

The Client, as Controller, is responsible for notifying the supervisory authority (IMY) within 72 hours per Art. 33 and data subjects per Art. 34 where required.

3.8 Deletion / return on termination

When the Service ends:

The Client has 14 days to retrieve their data from the Instance
After the retrieval window, we wipe the Instance (full disk wipe)
The Client chooses: retrieval, deletion, or both
Upon the Controller's request, we provide a written certificate of deletion

3.9 Audit

The Client may audit our compliance with this DPA. We make available all information necessary to demonstrate compliance and allow for audits/inspections. Reasonable notice required.

4. Client's Obligations as Controller

4.1 Lawful basis

The Client warrants that all processing of Personal Data on the Instance has a valid lawful basis under GDPR Art. 6 (and Art. 9 where applicable).

4.2 Data subject information

The Client is responsible for providing appropriate privacy notices to data subjects whose data is processed on the Instance.

4.3 Inference provider relationship

The Client is solely responsible for their relationship with their chosen inference provider, including any data processing terms, data residency, and compliance obligations arising from that relationship.

4.4 Compliance

The Client warrants that their use of the Service complies with all applicable data protection law, including GDPR.

5. Acceptable Use

The Client shall not use the Service for:

Processing Personal Data without a lawful basis
Activities that violate applicable law (EU, Swedish, or the Client's jurisdiction)
Processing special category data (Art. 9) or criminal conviction data (Art. 10) without appropriate legal safeguards
Any activity that would make Bobs Company an accessory to unlawful processing

6. Suspension and Termination for Cause

6.1 Suspension

We may suspend access to the Instance immediately if we become aware of a violation of Section 5. We will notify the Client and provide an opportunity to respond.

6.2 Termination

If the violation is confirmed and not remediated within a reasonable period, we may terminate the Service. Termination for cause means no refund for the remaining service period.

6.3 Data preservation

On suspension or termination for cause, we preserve (not delete) Instance data for 14 days unless law enforcement directs otherwise. The Client may retrieve their data during this window.

6.4 Cooperation with authorities

If required by law, we cooperate with competent authorities. We inform the Client of any such request unless legally prohibited from doing so.

7. Liability

7.1 Processor liability

Bobs Company is liable only for damage caused by processing that violates our specific obligations under this DPA or GDPR Art. 28, per GDPR Art. 82(2).

7.2 Controller liability

The Client is liable for damage caused by processing that violates GDPR or the Client's obligations under this DPA.

7.3 Liability cap

Bobs Company's total aggregate liability under this DPA shall not exceed the fees paid by the Client for the Service in the 12 months preceding the event giving rise to the claim.

7.4 Indemnification

The Client indemnifies Bobs Company against claims, damages, and costs arising from the Client's processing activities on the Instance, including but not limited to claims by data subjects or supervisory authorities resulting from the Client's processing decisions.

8. Jurisdiction and Governing Law

This DPA is governed by Swedish law. The competent supervisory authority is Integritetsskyddsmyndigheten (IMY). Disputes are resolved in Swedish courts.

9. Duration

This DPA applies for the duration of the Service agreement. Sections 3.7 (breach notification), 3.8 (deletion/return), and 7 (liability) survive termination.

Annexes

Annexes are completed for each engagement and form an integral part of this DPA:

Annex A — Description of Processing. Client name, purpose of processing, categories of data subjects, categories of personal data, and duration.
Annex B — Technical and Organizational Measures. In addition to the general measures in 3.3 — for example specific data-center location within the EEA for the engagement.
Annex C — Sub-processors. Current list of sub-processors for the engagement, their purpose, and location. The Client is notified 30 days before changes.

Contact

Bobs Company
Get in touch via the booking page.