Data Processing Agreement

Last updated: April 2026

1. Parties and Scope

This Data Processing Agreement (“DPA”) supplements the AgenticNode Terms of Service between you (“Customer”, the data controller) and VeriduxLabs (“AgenticNode”, the data processor) and applies whenever AgenticNode processes personal data on Customer's behalf.

2. Nature and Purpose of Processing

AgenticNode processes the following categories of data on behalf of Customer:

  • Account identifiers (email, user ID, authentication metadata)
  • Workflow definitions, prompt templates, and project context entered by the Customer
  • Execution metadata (timestamps, status, token counts, run history)
  • Code snippets, file paths, and other content the Customer attaches as project context

Processing is performed solely to deliver the AgenticNode service: composing prompt workflows, persisting projects, generating curated marketplace content, and providing run history.

3. Customer Obligations

Customer warrants that:

  • It has obtained all necessary consents from data subjects whose information it submits.
  • It will not submit special category personal data (health, biometric, etc.) into project context.
  • It is responsible for ensuring code or content it stores does not include third-party secrets.

4. AgenticNode Obligations

  • Process Customer data only on documented instructions from Customer.
  • Ensure persons authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (TOMs): TLS 1.2+ in transit, AES-256 at rest, Supabase row-level security, restricted service-role access, audit logging.
  • Notify Customer without undue delay (within 72 hours) of any personal data breach.
  • Assist Customer with data subject access, rectification, erasure, and portability requests.

5. Subprocessors

AgenticNode uses the following subprocessors, each bound by data protection terms equivalent to those in this DPA:

Subprocessor   Purpose                                     Region
Supabase       Database, auth, storage                     EU / US
Vercel         Hosting, edge runtime                       Global
Anthropic      LLM inference for curator and AI assist     US
Paddle         Payment processing (Merchant of Record)     UK / EU
Sentry         Error tracking                              EU / US

We will give Customer at least 30 days' notice via the changelog before adding or replacing a subprocessor. Customer may object in writing to privacy@agenticnode.io.

6. International Transfers

Where personal data is transferred outside the EEA, AgenticNode relies on the European Commission's Standard Contractual Clauses (SCCs, Module Two: Controller-to-Processor) and supplementary measures including encryption in transit and at rest.

7. Data Subject Rights

AgenticNode will assist Customer in fulfilling data subject requests within 30 days. End users may also self-serve via the Editor: export workflows as YAML, delete project context, or delete their entire account from Settings.

8. Retention and Deletion

Personal data is retained for the duration of the Customer's account. Upon account deletion, all personal data is purged within 30 days. Run history older than 90 days is automatically deleted. Backups containing personal data are encrypted and rotated within 35 days.

9. Audits

Customer may request a copy of AgenticNode's most recent SOC 2 report or security whitepaper once per year. Where these are insufficient, Customer may request an audit on 30 days' written notice, conducted at Customer's expense and during normal business hours, subject to confidentiality obligations.

10. Liability and Term

Liability under this DPA is governed by the limitation of liability clause in the Terms of Service. This DPA terminates automatically when the Terms of Service terminate.

11. Contact

Data protection contact: privacy@agenticnode.io

VeriduxLabs