Data Processing Agreement | Snaga — AGI Ready

In short: This agreement governs how we handle personal data on your behalf when you use Snaga to process data belonging to your users or customers.

This Data Processing Agreement ("DPA") forms part of the Terms of Use between Gliese LLC ("Processor") and the organization or individual using the Snaga platform ("Controller"). It governs the processing of personal data by the Processor on behalf of the Controller in accordance with GDPR Article 28.

1. Definitions

"Personal Data", "Processing", "Data Subject", "Sub-processor", and "Supervisory Authority" have the meanings given in GDPR Article 4.

"Services" means the Snaga platform, APIs, and related services as described in the Terms of Use.

2. Scope and Purpose

The Processor processes Personal Data solely to provide the Services as instructed by the Controller. This includes:

Storage, retrieval, and computation of data within the Platform;
Processing agent sessions and knowledge base content;
Handling file uploads;
Transmitting data to third-party LLM providers as configured by the Controller.

3. Types of Personal Data

Account data (email address, display name);
Content uploaded to or processed through agents (prompts, files, outputs);
Usage metadata (session logs, API call logs, timestamps);
Any personal data the Controller includes in agent configurations or knowledge bases.

4. Data Subject Categories

Controller's employees, contractors, end users, and any individuals whose personal data the Controller processes through the Platform.

5. Processor Obligations

In short: We only process your data as you instruct, we keep it secure, and we help you meet your own compliance obligations.

The Processor shall:

Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries (GDPR Article 28(3)(a));
Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations (Article 28(3)(b));
Implement appropriate technical and organizational security measures (Article 32), including TLS 1.3 encryption in transit, AES-256 at rest, RBAC, tenant isolation, and audit logging;
Not engage another sub-processor without prior written authorization from the Controller (Article 28(2));
Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection);
Assist the Controller with Data Protection Impact Assessments and prior consultations with supervisory authorities where required;
Delete or return all Personal Data upon termination of Services, within 30 days, at the Controller's choice;
Make available all information necessary to demonstrate compliance and allow for audits by the Controller or a mandated auditor.

6. Sub-processors

The Processor currently uses the following sub-processors:

Sub-processor	Purpose	Location
Gliesereum Ukraine LLC	Development and operational services	Ukraine
DigitalOcean LLC	Cloud infrastructure hosting	United States / EU

LLM providers (OpenAI, Anthropic, Google, Mistral) are engaged only when the Controller configures agents to use them and provides their own API keys. In this case, the Controller has a direct contractual relationship with the LLM provider.

The Processor will notify the Controller at least 30 days in advance of any intended changes to sub-processors, giving the Controller the opportunity to object.

7. International Transfers

Where Personal Data is transferred outside the EEA, the Processor relies on:

The EU-US Data Privacy Framework (where applicable);
Standard Contractual Clauses (SCCs) as approved by European Commission Decision 2021/914;
Supplementary technical measures (encryption, pseudonymization, access controls).

8. Data Breach Notification

In short: If a data breach occurs, we will notify you within 48 hours with all relevant details.

The Processor will notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification will include:

The nature of the breach, including categories and approximate number of affected data subjects;
The likely consequences of the breach;
Measures taken or proposed to address and mitigate the breach.

9. Data Retention and Deletion

Upon termination of the Services or upon Controller request, the Processor will delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may export their data at any time during the active subscription period.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Use.

11. Duration

This DPA remains in effect for the duration of the Controller's use of the Services and until all Personal Data has been deleted or returned.

12. Contact

To request a signed copy of this DPA or to discuss data processing matters, contact us at privacy@gliesereum.com.

See also: Terms of Use · Privacy Policy