Data Processing Agreement.
Last updated: June 24, 2026
This Data Processing Agreement ("DPA") is entered into between Airlock BV, having its seat at Colmarstraat 38, 9100 Sint-Niklaas, Belgium, registered with the Crossroad Bank of Enterprises under number 1037836652 (the "Company", "Processor"), and the customer using the airlock Service (the "User", "Controller"). It forms an integral part of the Terms & Conditions or any signed License and Subscription Agreement between the parties (jointly, the "Agreement").
Capitalized terms not defined in this DPA have the meaning given in the Agreement or, if applicable, in the GDPR.
1. Processing activities
1.1 Subject matter
The Company provides a digital platform that acts as a secure proxy and governance layer between AI agents and business applications and APIs, branded "airlock", providing centralized credential management, policy enforcement, audit logging, human-in-the-loop approval workflows, and centralized skill management and distribution for AI agent interactions (the "Platform"). The User uses the Platform as a supporting digital tool for its business processes and workflows.
The Company acts as a Processor in relation to any Personal Data that is submitted through the Platform by the User (the Controller) or its Authorized Representatives, or that is derived from the User's business applications.
When processing Personal Data pursuant to the Agreement, the parties shall comply with the GDPR and any applicable codes of conduct, Standard Contractual Clauses, and other related regulations.
1.2 Overview of processing activities
The Processor will process Personal Data for the purposes of hosting, transmission, consultation, structuring, modification, retrieval, alignment, restriction, erasure, and other operations performed on Personal Data by automated means through the Platform. The processing activities are more specifically set forth in Annex A to this DPA.
Processing carried out by the Company for its own purposes (e.g. invoicing, recovery, complaints handling, defence of legal claims, and the derived data described in Clause 7.4) falls outside the scope of this DPA and is governed by the Privacy Policy.
1.3 Duration
The Company may conduct the processing activities under this DPA for the entire term of the Agreement, plus a 60-day post-termination export window and any retention period imposed on the Company by mandatory law.
2. Undertakings of the Processor
- Process Personal Data only on documented instructions from the Controller (including with regard to transfers to a third country or international organization), unless required by Union or Member State law to which the Processor is subject. The Controller's instructions are set out in the Agreement, the Privacy Policy, the configuration the Controller maintains in the Control Room, and any further written instructions.
- Promptly inform the Controller if, in its opinion, any instruction infringes the GDPR or other applicable data protection provisions.
- Use Personal Data only for the proper execution of the Agreement.
- Not disclose Personal Data to third parties without the Controller's prior written approval, except as permitted by this DPA or required by law.
- Ensure that persons authorized to process the Personal Data are committed to confidentiality by agreement or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Clause 3 of this DPA), and provide a detailed written description of those measures upon request.
- Engage sub-processors only as described in Clause 4 and impose substantially the same data protection obligations on them.
- Assist the Controller with appropriate technical and organizational measures, insofar as possible, in responding to data subject rights requests and in meeting the Controller's other obligations under the GDPR (including Articles 32 to 36).
- Take into account the principles of data protection by design and by default when processing Personal Data.
- Notify the Controller of any Personal Data Breach without undue delay and in any event within 48 hours of becoming aware of the breach, and implement any reasonable instructions in respect of the breach.
- Not process Personal Data outside the EEA without the Controller's written consent or unless stated otherwise in this DPA, and only subject to the safeguards required under the GDPR.
- Not keep Personal Data longer than required for the performance of the Agreement, unless another storage period is set forth in the Agreement, instructed by the Controller, or otherwise applies pursuant to applicable law.
- Delete or return (at the Controller's choice) all Personal Data after the end of the Agreement, in accordance with Clause 6, and delete existing copies unless applicable law requires storage. The Processor may retain aggregated, anonymized, or pseudonymized data as derived data of the Company.
- Make available all information necessary to demonstrate compliance with this DPA and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable prior notice, during business hours, and subject to appropriate confidentiality obligations.
3. Technical and organizational measures
The Processor implements the following measures, described in more detail in its Information Security Risk Management Framework (available on request):
- Confidentiality: encryption of credentials and sensitive fields at rest with AES-256-GCM under AWS KMS envelope encryption; TLS 1.2+ in transit; access controls based on least-privilege and role-based access; secrets stored in AWS Secrets Manager.
- Infrastructure: hosted on AWS in the EU (Frankfurt, eu-central-1); serverless compute (AWS Lambda); managed databases with encryption at rest; runtime application security via Aikido Zen Firewall.
- Isolation: multi-tenant architecture with logical separation of each organization's data, enforced at the application and database layer.
- Integrity: tamper-evident audit logs; signed deployment artifacts; code review and CI controls; audit trail of staff access to tenant environments.
- Data masking: sensitive fields stripped before storage; redacted and truncated copies of request and response bodies; credentials decrypted only at the moment of API execution.
- Availability: automated backups; AWS multi-AZ deployment; planned maintenance announced in advance.
4. Sub-processors
The Controller grants general authorization for the use of the following sub-processors:
- Amazon Web Services EMEA SARL (EU regions): hosting, database, authentication (Cognito), serverless compute, transactional email (Amazon SES), and embedding models via AWS Bedrock.
- Aikido Security NV (Belgium): runtime application security (Zen Firewall).
- PostHog Inc. (EU project): anonymized product analytics.
The Processor shall inform the Controller of any intended addition or replacement of sub-processors with at least 15 days' prior written notice. The Controller may object on reasonable data-protection grounds within that period. Where the Processor engages a sub-processor for processing activities on behalf of the Controller, it imposes substantially the same data protection obligations on that sub-processor.
Connected integrations are not sub-processors. The User's use of its own business applications, tools, MCP servers, or other third-party services through the Platform does not constitute the engagement of those providers as the Company's (sub)processors. They are involved at the User's sole and exclusive responsibility, and the Company is not responsible for their availability, accuracy, security, or behavior.
5. Data subject rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR, including the right of access (Article 15), the right to rectification (Article 16), the right to erasure / right to be forgotten (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), and the right to object (Article 21).
The Processor shall forward to the Controller, without undue delay, any data subject request received directly by the Processor and shall not respond to such requests without the Controller's prior written authorization, except to acknowledge receipt.
6. Data deletion and return
On termination of the Agreement (and ultimately 60 days after termination), the Processor shall return to the Controller all Personal Data processed on its behalf, in a structured, commonly used, and machine-readable format, or securely delete all Personal Data, and confirm such deletion in writing on the Controller's request.
The Processor may retain aggregated, anonymized, or pseudonymized derived data and any copy of Personal Data whose retention is required by law (such as billing records or compliance logs). On Account deletion, the Processor's workflow ensures the anonymization of the profile.
7. General disclaimers
7.1 Special category data (Art. 9 GDPR)
The Platform is an infrastructure-level service. Whether special category data flows through the Platform depends on the User's deployment (the AI agents, business applications, and APIs the User connects). The Controller must determine, prior to deployment, whether such categories are involved and whether an appropriate exception under Art. 9(2) GDPR applies and is documented. If special category data, or criminal-offence data (Art. 10 GDPR), is processed, the parties shall agree on the additional safeguards required under Art. 32 GDPR.
7.2 DPIA (Art. 35 GDPR)
Use of the Platform may, depending on the deployment context, meet two or more of the EDPB criteria for a likely high-risk processing operation (in particular: innovative use of technology, AI agents acting on behalf of the Controller, systematic monitoring, automated decision-making, large-scale processing). The Controller is responsible for assessing whether a DPIA is required and, where applicable, conducting one before processing begins. The Company shall provide reasonable assistance under Art. 28(3)(f) GDPR.
7.3 Automated decision-making and AI Act
Where requests routed through the Platform result in automated decisions producing legal or similarly significant effects on individuals, the Controller shall implement the safeguards required by Art. 22 GDPR. If the AI agents qualify as a high-risk AI system under Regulation (EU) 2024/1689 (the AI Act), the Controller shall additionally consider the Fundamental Rights Impact Assessment (FRIA) and other transparency obligations applicable to deployers. This is the sole responsibility of the Controller.
7.4 Derived data
Derived data generated by the Platform (such as aggregated usage analytics and model performance metrics) pertains to the Company. To the extent such derived data, after de-identification, no longer constitutes Personal Data, it falls outside the scope of this DPA. To the extent it remains Personal Data, it is processed by the Company on the basis of its own legal basis as Controller in accordance with the Privacy Policy.
Annex A. Processing purposes and categories
The following table sets out the processing activities under this DPA.
| Processing purpose | Data subjects / categories of personal data |
|---|---|
| 1. Hosting and making available Personal Data inserted in or transmitted through the Platform. Storing Customer Data on the Company's infrastructure and rendering it accessible to the User and its Authorized Representatives. | Authorized Representatives; the User's customers, suppliers, agents and other persons involved in the User's business; end-users whose data is routed through the User's AI agents. Identification data (name, email, function/role); account identifiers; any content data inserted in Requests; any other Personal Data the User chooses to route through the Platform. |
| 2. Operating the secure proxy and governance layer between AI agents and business applications/APIs. Brokering, transforming, and forwarding requests/responses between the User's AI agents and its business applications/APIs. | Persons whose data is contained in the User's business applications/APIs and is accessed by, or communicated to, the User's AI agents through the Platform. Any Personal Data routed through the proxy on the User's instructions, including identification, contact, and content data. |
| 3. Centralized credential management. Storing, transmitting, validating, and rotating authentication credentials for the User's Authorized Representatives and User Accounts. | Authorized Representatives; persons authorized on the User's connected systems. Identification data; authentication credentials and secrets (usernames, hashed passwords, API keys, tokens); IP and device information used during authentication. |
| 4. Policy enforcement. Evaluating requests against the User's configured policies and allowing, blocking, or escalating them. | Authorized Representatives initiating requests; persons whose data is referenced in requests. Request content and metadata (representative ID, timestamp, request type); policy decision outcome and rationale. |
| 5. Audit logging. Recording AI-agent interactions, requests, approvals, and policy decisions for traceability and accountability. | Authorized Representatives; AI agents (where linked to a natural person); third parties whose data is referenced in logged events. Actor identifier, timestamp, action performed, IP, device/session ID, request/response references. |
| 6. Human-in-the-loop approval workflows. Routing requests to designated Authorized Representatives for review and approval or rejection. | Authorized Representatives acting as approvers; data subjects referenced in the request being approved. Identification data; approval decision; rationale; timestamp. |
| 7. Centralized skill management and distribution. Managing, versioning, and distributing skills used by AI agents through the Platform. | Authorized Representatives configuring or using skills; data subjects whose data is processed when a skill is executed. Skill configurations (where they include Personal Data); usage logs; identification data of the configuring/using Representative. |
| 8. Account and access management. Creating, configuring, modifying, and deactivating User Accounts and Service Accounts; authenticating Authorized Representatives; managing roles and permissions. | Authorized Representatives. Name, email, function/role, account status, role/permission attributes. |
| 9. Usage monitoring, metering, and capacity management. Measuring Accounts and Requests consumed; detecting overruns; monitoring fair-use thresholds and abusive use; conducting independent audits of Platform usage. | Authorized Representatives; Service Account principals. Account identifier; counters and usage statistics linked to identifiers; timestamps. |
| 10. Service-level monitoring (Uptime / Downtime). Measuring availability of the Platform; managing planned and unplanned downtime; notifying the User in advance of maintenance. | Authorized Representatives (where availability incidents reference user activity). Contact details for notifications; technical event logs. |
| 11. Technical support, incident management, and troubleshooting. Receiving, triaging, diagnosing, and responding to support requests sent to support@air-lock.ai; investigating and resolving incidents, including by accessing Customer Data where strictly necessary. | Authorized Representatives raising tickets; data subjects whose data is involved in the incident. Contact data; ticket content; incident-specific data accessed for diagnosis. |
| 12. Maintenance, updates, patching, and security. Performing corrective and preventive maintenance; threat detection; backups; encryption; disaster recovery and similar measures necessary for the proper functioning and security of the Platform. | All categories of data subjects to the extent affected by the maintenance/security operation. All Customer Data to the extent strictly necessary; security event logs. |
| 13. Beta services testing. Making beta services available to opted-in Authorized Representatives and evaluating their use solely for testing/evaluation purposes. | Authorized Representatives who opt in to beta services. Any Personal Data inserted by the User during beta testing; usage logs of beta features. |
| 14. Data export, retention, and deletion at end of service. Making Customer Data available for export during the 60-day period following termination, and deleting/returning Customer Data thereafter. | All categories of data subjects represented in the Customer Data still hosted at termination. All Customer Data still hosted at termination. |
| 15. Sub-processor management. Engaging and managing sub-processors (hosting, infrastructure, analytics, billing providers). | All categories of data subjects whose data is transmitted to sub-processors. All Customer Data transmitted, strictly limited to what is necessary for the relevant sub-processing activity. |
| 16. International transfers (where applicable). Transferring Personal Data to third countries outside the EEA where required for service delivery, subject to Chapter V GDPR safeguards (Standard Contractual Clauses and supplementary measures such as pseudonymization or encryption). | All categories of data subjects whose data is transferred. All Personal Data transferred. |
| 17. Cooperation with the User's GDPR obligations. Assisting the User with data subject rights requests, personal data breach notifications, DPIAs and prior consultations, audits, and demonstration of compliance under Art. 28(3)(e)-(h) GDPR. | Data subjects exercising rights or affected by an incident; the User's compliance personnel. Data necessary to identify and locate the data subject's records and to give effect to their rights or to investigate the incident. |
| 18. Defence of legal claims and audit cooperation. Strictly limited processing where necessary to defend the Company against claims arising from the User's use of the Platform, or to perform contractual audits of Subscription Fee compliance. | Persons referenced in the dispute or audit. Data strictly relevant to the claim or audit. |
Contact
For questions about this DPA or to request a signed copy, contact privacy@air-lock.ai.