Data Processing Agreement

Future AGI's DPA covering GDPR, UK GDPR, and CCPA data processing obligations.

Applicability

A Data Processing Agreement (DPA) is available for all Future AGI Cloud customers, regardless of plan tier. The DPA governs how Future AGI processes personal data on your behalf and covers obligations under the GDPR, UK GDPR, and CCPA.

You do not need to be on an Enterprise plan to execute a DPA. Any customer who processes personal data through Future AGI can request one.

Key Provisions

The Future AGI DPA includes the following provisions:

Roles and Scope

  • Future AGI acts as the Processor; you, the customer, are the Controller
  • Processing is performed only on your documented instructions
  • The scope of processing is limited to providing the contracted observability and evaluation services

Sub-Processor Management

  • A current list of sub-processors is published on our Subprocessors page
  • 30-day advance written notice is provided before any new sub-processor is engaged or an existing one is replaced
  • You have the right to object to a new sub-processor within the notice period

Security Measures

  • Future AGI implements technical and organizational measures appropriate to the risk of processing
  • Details of these measures are described in our Encryption and Technical & Organizational Measures documentation
  • Measures are reviewed and updated on at least an annual basis

Data Subject Rights

  • Future AGI will assist you in responding to data subject access requests (DSARs)
  • Requests are processed within 30 calendar days of receipt

Breach Notification

  • Future AGI will notify you of a confirmed personal data breach within 72 hours of becoming aware of it
  • Notification will include the nature of the breach, categories of data affected, approximate number of records, and remediation steps taken

Data Deletion

  • Upon termination of the agreement, all customer personal data is deleted within 30 days
  • A certificate of deletion is available on request

International Data Transfers

For transfers of personal data outside the European Economic Area, the United Kingdom, or Switzerland, the DPA incorporates the following transfer mechanisms:

  • EU Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) and Module 3 (Processor to Processor), as adopted by the European Commission
  • UK International Data Transfer Addendum (IDTA) — Appended to the SCCs for transfers subject to UK GDPR
  • Swiss Data Protection Addendum — Covering transfers governed by the Swiss Federal Act on Data Protection

Transfer impact assessments are conducted and documented for each relevant data flow.

CCPA Compliance

Under the California Consumer Privacy Act (CCPA), Future AGI acts as a “Service Provider”. This means:

  • We process personal information only for the business purposes specified in the agreement
  • We do not sell personal information
  • We do not share personal information for cross-context behavioral advertising
  • We do not retain, use, or disclose personal information for any purpose other than performing the contracted services

Requesting a DPA

The full DPA text is available on request. To obtain a copy or execute a DPA:

  • Email legal@futureagi.com with your organization name and Future AGI account details
  • Standard turnaround for DPA execution is 5 business days
  • Custom modifications to the DPA are available for Enterprise customers

Questions?

Reach out to our security team.

security@futureagi.com

Request documents

SOC 2 report, DPA, pen test summary.

Request documents →