Data Processing Addendum
Last updated: April 24, 2026 · Version 2026-04-24-v1
This Data Processing Addendum ("DPA") supplements the AgentDog Terms of Service. It governs AgentDog's processing of personal data on behalf of customers (the "Controller") under the EU/UK GDPR, the California Consumer Privacy Act (CCPA), and substantively equivalent laws.
1. Definitions
- Controller: the customer (you) determining the purposes and means of processing.
- Processor: AgentDog, Inc., processing personal data on the Controller's behalf.
- Personal Data: any data relating to an identifiable natural person processed by AgentDog because the Controller's agents emitted it as telemetry.
- Sub-processor: a third party engaged by AgentDog to process personal data (see §6).
2. Roles
The Controller is the controller of personal data its agents emit to AgentDog. AgentDog is the processor for that data. AgentDog is the controller of its own account-level metadata (your email, login events, billing info).
3. Scope & instructions
AgentDog processes personal data only:
- To deliver the Service per the Terms.
- On the Controller's documented instructions (the agent settings panel and the API are documented instructions).
- As required by applicable law (with notice to the Controller unless prohibited).
4. Security measures
AgentDog implements technical and organizational measures including:
- AES-256-GCM encryption at rest for stored secrets (GitHub PATs, BYOK Anthropic keys).
- SHA-256 hashing of API keys; raw keys are never persisted after the one-time issue display.
- Postgres row-level security (RLS) enforcing tenant isolation on every read/write.
- TLS 1.2+ for all network traffic.
- Structured audit logging for sensitive operations (settings changes, key issuance, fix-PR drafting).
- Pre-LLM PII redaction (regex-level for cards, SSNs, emails, phones, IPs, API key formats).
- Defense-in-depth: explicit tenant-id checks on every query in addition to RLS.
5. Personnel & access
AgentDog limits access to personal data to personnel with a need to know. Personnel are bound by confidentiality. We rotate KEKs on personnel changes.
6. Sub-processors
AgentDog uses the sub-processors listed in our sub-processor disclosure (the "List"), incorporated by reference.
We notify Controllers of new sub-processors via email and via the in-app disclosure version banner. The Controller has 30 days to object on reasonable grounds (security, regulatory compliance); if AgentDog cannot accommodate the objection, the Controller may terminate the affected portion of the Service.
Material changes to the disclosure bump the version string (currently 2026-04-24-anthropic-v1). The backend refuses to enable auto-remediation until the new version is acknowledged in the dashboard.
7. Data subject rights
AgentDog assists the Controller in responding to data subject requests. We provide tooling to:
- Export all data we hold for a given user_id or api_key_id.
- Delete data on Controller request, propagating to sub-processors where supported.
- Correct inaccurate data via the dashboard or API.
8. International transfers
AgentDog hosts in us-east by default. EU-region provisioning is available on request. For cross-border transfers, the parties rely on the Standard Contractual Clauses (Module 2: Controller → Processor) and any applicable supplementary measures, including encryption in transit and at rest.
9. Audit
Annual audit reports (SOC 2 Type II once attained) will be made available under NDA. The Controller may request additional information or third-party audits at the Controller's expense once per year, with reasonable notice and during business hours, in a manner that does not disrupt the Service.
10. Breach notification
AgentDog notifies the Controller of any personal-data breach affecting Controller data within 72 hours of becoming aware, with available facts: nature, categories of data, approximate records affected, mitigations underway, and a security contact.
11. Return / deletion
On termination of the Service, AgentDog deletes Controller personal data within 30 days unless retention is required by law. The Controller may request earlier deletion or a one-time export at any time.
12. Liability
Liability under this DPA is subject to the limitation-of-liability provisions in the Terms. Where applicable law overrides, the applicable law applies.
13. Conflict
Where this DPA conflicts with the Terms regarding personal data processing, this DPA controls.
14. Contact
DPA-specific requests: yash@tryagentdog.com.
This DPA is offered under our Terms. Enterprises with custom DPA requirements should contact us before signing — we accept reasonable redlines.