Effective date: June 4, 2026 — forms part of the AgentCollect Terms of Service
Who is who. Under this Addendum, you (the Customer) are the data controller and AgentCollect is the data processor. You decide whose data is processed and why; AgentCollect processes it only to provide the Platform and only on your documented instructions. This Addendum is your GDPR Article 28 processing agreement and applies whenever AgentCollect processes personal data on your behalf.
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service between Respaid, Inc. (d/b/a AgentCollect) ("Processor," "we") and the Customer ("Controller," "you"). For personal data processed through the Platform on your behalf, you are the controller and AgentCollect is the processor (or, where you are itself a processor for a third party, AgentCollect is a sub-processor). Where the CCPA/CPRA applies, you are the "business" and AgentCollect is a "service provider." If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls. This DPA is self-executing on your acceptance of the Terms; Customers requiring a counter-signed copy may request one at privacy@agentcollect.com.
"Data Protection Laws" means all laws applicable to the processing of personal data under this DPA, including the EU/UK GDPR, the CCPA/CPRA, and other US state privacy laws. "Personal Data," "controller," "processor," "data subject," and "processing" have the meanings given in the GDPR. "Customer Personal Data" means personal data within Customer Data that AgentCollect processes on your behalf. "Subprocessor" means a third party engaged by AgentCollect to process Customer Personal Data.
| Element | Description |
|---|---|
| Subject matter | Provision of the AgentCollect accounts-receivable software (SaaS) and AI Agents. |
| Duration | The term of the Terms of Service, plus the post-termination export/deletion period. |
| Nature & purpose | Hosting, storage, and automated outreach (phone, email, SMS) configured by you to recover your receivables. |
| Types of personal data | Debtor contact details (name, business/role, email, phone), invoice and balance data, communication records and outcomes, and your users' account data. |
| Categories of data subjects | Your debtors and their representatives; your own personnel and authorized users. |
AgentCollect will: (a) process Customer Personal Data only on your documented instructions, including the configuration you set in the Platform and these Terms, and inform you if an instruction infringes Data Protection Laws; (b) ensure personnel authorized to process Customer Personal Data are bound by confidentiality; (c) implement the technical and organizational security measures in Section 7; (d) respect the conditions in Section 5 for engaging Subprocessors; (e) assist you, taking into account the nature of the processing, in responding to data-subject requests and in your obligations under Articles 32–36 (security, breach notification, impact assessments); and (f) at your choice, delete or return Customer Personal Data at the end of the services as described in Section 9.
You authorize AgentCollect to engage Subprocessors to provide the Platform — for example, cloud hosting and storage, voice and SMS delivery, AI model inference, and email delivery. AgentCollect engages each Subprocessor under a written contract imposing data-protection obligations that meet GDPR Article 28(4) and are no less protective than those in this DPA, and AgentCollect remains responsible for each Subprocessor's performance. A current list of Subprocessors, including their names and locations, is available to customers on request to privacy@agentcollect.com.
AgentCollect will give you at least thirty (30) days' notice (by email or in-product) before adding or replacing a Subprocessor. If you reasonably object on data-protection grounds, we will work in good faith to provide an alternative; if we cannot, you may terminate the affected service. Note that your own payment processor (for example, your Stripe account) is engaged by you, not by AgentCollect, and is not a Subprocessor under this DPA.
AgentCollect processes Customer Personal Data in the United States. Where you transfer personal data subject to the EU or UK GDPR to AgentCollect, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor), and the UK International Data Transfer Addendum where applicable, which are deemed entered into and completed with AgentCollect as "data importer" and you as "data exporter." The SCC annexes are completed with the parties and roles set out in this DPA, the description of processing in Section 3, the security measures in Section 7, and the Subprocessors listed in Section 5; a fully executed copy is available on request to privacy@agentcollect.com. AgentCollect will assist with transfer impact assessments on request.
AgentCollect maintains technical and organizational measures appropriate to the risk, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256); role-based access control on the principle of least privilege; multi-factor authentication for administrative access; network segmentation, logging, and intrusion monitoring; periodic independent security testing; and a documented incident-response program. AgentCollect maintains a SOC 2 Type II report, available to you under NDA on request to security@agentcollect.com.
AgentCollect will notify you without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help you meet your notification obligations. Notification is not an acknowledgement of fault.
On termination of the services, you may export Customer Personal Data in a common machine-readable format (such as CSV) for thirty (30) days. After that period, AgentCollect will delete Customer Personal Data, including copies and backups in the ordinary backup-rotation cycle, within ninety (90) days, except where retention is required by Union or Member State law, in which case AgentCollect will isolate and protect it from further processing.
AgentCollect will make available information reasonably necessary to demonstrate compliance with Article 28, including its most recent SOC 2 Type II report and security documentation. You, or an independent auditor you mandate, may also inspect AgentCollect's processing to the extent necessary to demonstrate compliance with Article 28, on reasonable prior notice, during business hours, subject to confidentiality and without unreasonably disrupting AgentCollect's operations; the parties will agree the scope and timing in good faith.
AgentCollect acts as a "service provider" and will not sell or share Customer Personal Data, will not retain, use, or disclose it for any purpose other than providing the Platform (or as otherwise permitted by the CCPA), and will not combine it with data from other sources except as permitted. AgentCollect certifies that it understands and will comply with these restrictions.
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. This DPA takes effect on the effective date of the Terms and remains in force while AgentCollect processes Customer Personal Data. Questions: privacy@agentcollect.com.