Data Processing Agreement (DPA)
Last updated: March 26, 2026
1. Purpose
This Data Processing Agreement (hereinafter, "DPA") supplements the Terms of Service and the Privacy Policy of hablo.es, and sets out the conditions under which WEB3 AND MARKETING CONSULTING LTD (hereinafter, the "Processor") processes personal data on behalf of the user (hereinafter, the "Controller").
2. Scope of the processing
The Processor shall process personal data solely for the provision of the personal AI agent service contracted by the Controller, in accordance with the Controller's documented instructions and the provisions of the Terms of Service.
- Categories of data: identifying data (name, email), usage metadata, agent workspace files.
- Categories of data subjects: users of the service.
- Duration: for the duration of the contractual relationship.
- Purpose: provision of the personal AI agent service.
3. Obligations of the Processor
The Processor undertakes to:
- Process the data solely in accordance with the Controller's documented instructions.
- Ensure that the persons authorised to process personal data have committed themselves to respecting confidentiality.
- Implement appropriate technical and organisational security measures (Article 32 GDPR).
- Not engage another processor without the prior written authorisation of the Controller, except for the sub-processors listed in the Privacy Policy.
- Assist the Controller in fulfilling its obligations (data subjects' rights, impact assessments, breach notifications).
- At the Controller's choice, delete or return all personal data once the provision of the service has ended, within a maximum period of 30 days.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA.
4. Notification of security breaches
In the event of a personal data security breach, the Processor shall notify the Controller without undue delay and, in any event, within a maximum period of 72 hours from becoming aware of it, providing the information required by Article 33.3 of the GDPR.
5. Sub-processors
The Controller expressly authorises the use of the sub-processors listed in the Privacy Policy. The Processor shall give notice of any change to the list of sub-processors at least 30 days in advance, allowing the Controller to object.
6. International transfers
Transfers outside the EEA are carried out in accordance with the provisions of Section 8 of the Privacy Policy, with the appropriate safeguards under Chapter V of the GDPR.
7. Governing law
This DPA shall be governed by the laws of Cyprus and the General Data Protection Regulation (EU) 2016/679.
8. Contact
For any matter relating to this DPA: gdpr@hablo.es