Data Processing Agreement

Governs how Agencies AS processes personal data on behalf of its customers. Last updated 26 June 2026.

This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service between the customer (the “Controller”) and Agencies AS(org. nr. 937 604 408), Frydenlundgata 6 A, 0169 Oslo, Norway(the “Processor”). It applies where the Processor processes personal data on the Controller's behalf in the course of providing Dagny. By accepting the Terms of Service, the Controller accepts this DPA. Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679).

1. Roles & scope

The Controller determines the purposes and means of processing personal data. The Processor processes personal data only on the Controller's documented instructions (including via the normal use of the service) and as described in Annex 1, and not for any other purpose. If the Processor believes an instruction infringes applicable data-protection law, it will inform the Controller.

2. Processor obligations

  • process personal data only on documented instructions, including for international transfers, unless required otherwise by law;
  • ensure persons authorised to process personal data are bound by confidentiality;
  • implement the technical and organisational measures in Annex 2;
  • respect the conditions for engaging sub-processors in Section 3;
  • assist the Controller, taking into account the nature of processing, in responding to data-subject requests;
  • assist the Controller with security, breach notification, data protection impact assessments, and prior consultation under Articles 32–36 GDPR; and
  • make available information necessary to demonstrate compliance and allow for audits as set out in Section 8.

3. Sub-processors

The Controller gives general authorisation for the Processor to engage the sub-processors listed in Annex 3 to process personal data. The Processor imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains liable for their performance. The Processor will give the Controller reasonable prior notice of any intended addition or replacement of a sub-processor (by updating Annex 3 and/or by email), giving the Controller the opportunity to object on reasonable data-protection grounds. If the Controller objects and the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected part of the service as its sole remedy.

4. AI processing

The service uses AI model providers (identified in Annex 3) to generate content, automate workflows, and perform tasks requested by the Controller. To do this, personal data contained in the Controller's instructions, business context, prompts, and the resulting outputs may be transmitted to and processed by those providers solely to provide the service to the Controller. The Processor engages such providers under contractual terms that (a) restrict their use of personal data to providing the service, (b) prohibit using the Controller's data to train their models, and (c) provide for transient processing, without retention beyond what is needed to return the output and operate the service. The categories of personal data involved and the providers used are set out in Annex 1 and Annex 3.

5. Data-subject rights & breaches

The Processor will, where legally permitted, promptly forward any request it receives directly from a data subject and assist the Controller in fulfilling its obligation to respond. The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and provide the information reasonably needed for the Controller to meet its own notification obligations.

6. Government & law-enforcement requests

If the Processor receives a legally binding request from a public authority for disclosure of personal data processed on the Controller's behalf, it will, unless legally prohibited, notify the Controller without undue delay, challenge requests that appear unlawful or overbroad, and disclose only the minimum personal data legally required.

7. International transfers

Where the Processor or a sub-processor carries out a restricted transfer of personal data outside the EEA, the parties agree that the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), together with any applicable UK or Swiss addendum and any supplementary measures required, are incorporated by reference and apply automatically to that transfer. On request, the Processor will provide details of the safeguards relied on for each sub-processor.

8. Audits

On reasonable prior written request, and no more than once per year (unless required by a supervisory authority or following a personal data breach), the Processor will make available the information necessary to demonstrate compliance with this DPA. The Processor may satisfy audit requests by providing independent audit reports, security certifications, completed security questionnaires, or similar documentation where available. Any on-site audit must be agreed in advance, conducted during business hours under reasonable confidentiality terms, must not unreasonably interfere with the Processor's operations, and is at the Controller's cost.

9. Deletion & return

On termination of the service, and at the Controller's choice, the Processor will delete or return all personal data processed on the Controller's behalf and delete existing copies within 90 days, unless applicable law requires continued storage. Personal data held in routine backups is deleted on the normal backup-rotation cycle.

10. Liability & term

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect when the Controller accepts the Terms of Service and continues for as long as the Processor processes personal data on the Controller's behalf. It is governed by the laws of Norway, with venue at Oslo District Court (Oslo tingrett).

Annex 1 — Details of processing

  • Subject matter: provision of the Dagny service — AI to run and grow the Controller's business: a team of AI agents that builds and maintains the Controller's website and assists with marketing, content, sales, customer support, analytics, and day-to-day operations across the tools the Controller connects.
  • Duration: for the term of the service and until deletion under Section 9.
  • Nature & purpose: to provide, operate, and maintain the service for the Controller.
  • Processing activities: website hosting and maintenance; content generation; CRM assistance; drafting and, where authorised, sending of emails and messages; customer-support drafting; analytics generation; and automation of, and actions within, the tools the Controller connects.
  • Categories of data subjects:the Controller's personnel, customers, contacts, leads, and website visitors.
  • Categories of personal data: identifiers and contact details (names, emails, phone numbers, addresses), business information, content submitted to or generated by the service (including data within prompts and outputs), and usage/technical data such as IP addresses. The service is not intended for special categories of data.

Annex 2 — Security measures

  • encryption of personal data in transit (TLS), and at rest where supported by the underlying infrastructure;
  • multi-factor authentication for access to production systems;
  • role-based access control and least-privilege access, reviewed periodically;
  • logical separation of each customer's data;
  • logging, monitoring, and error tracking to detect and respond to incidents;
  • a documented incident-response process, including personal data breach notification;
  • regular backups and tested recovery procedures;
  • confidentiality obligations binding on personnel with access to personal data;
  • security due diligence on sub-processors before engagement; and
  • periodic review of these measures to maintain confidentiality, integrity, availability, and resilience appropriate to the risk.

Annex 3 — Approved sub-processors

Sub-processorPurposeLocation
Vercel Inc.Application hosting and edge networkUSA
Supabase Inc.Database, authentication, and account storageEU (Frankfurt)
Stripe, Inc.Payment processing and subscription billingUSA / Ireland
Resend (Plus Five Five, Inc.)Transactional and account email deliveryUSA
Anthropic, PBCAI language models accessed via the Vercel AI Gateway to power Dagny's agents, and not used to train their modelsUSA
OpenAI, L.L.C.AI language models accessed via the Vercel AI Gateway to power Dagny's agents, and not used to train their modelsUSA
Google LLCBusiness-data enrichment (Google Places) and embedded mapsUSA
Cloudflare, Inc.Browser-rendering fallback used during site auditingUSA
Mixpanel, Inc.Product analytics (how the app is used)EU
Microsoft Corporation (Clarity)Aggregated session analytics and heatmapsUSA
Functional Software, Inc. (Sentry)Error and performance monitoringEU
Intercom, Inc.In-app customer support messagingUSA / Ireland

Customer-authorised integrations you choose to connect (e.g. Slack, Stripe, a CRM, your inbox, Linear, Attio, Granola, GitHub) act as independent controllers or your own processors under their respective terms, not as sub-processors of Agencies AS. You remain responsible for determining the legal basis for processing personal data through connected systems and for ensuring you have authority to grant the Processor access to them.

Contact

Agencies AS, Frydenlundgata 6 A, 0169 Oslo, Norway. hello@bydagny.com.