Data Processing Agreement

Effective date: 2026-04-15

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Molecule AI, Inc. ("Processor") and the Customer that agreed to the Terms of Service ("Controller"). It governs the processing of Personal Data by Processor on behalf of Controller under the EU General Data Protection Regulation 2016/679 ("GDPR") and UK GDPR.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR. "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in connection with the Service.

2. Subject Matter and Duration

Processor processes Personal Data to provide the multi-tenant AI agent orchestration service described in the Terms of Service. Processing continues for the duration of the Service agreement and any retention period described below.

3. Nature and Purpose of Processing

Processor performs the following processing activities on behalf of Controller:

- Storage and transmission of agent configurations, prompts, and memory
- Authentication and session management via WorkOS
- Billing via Stripe
- Error monitoring via Sentry
- Metrics aggregation via Grafana Cloud
- Forwarding of prompts to third-party LLM providers (Anthropic, OpenAI) when Controller's agents invoke them

4. Categories of Data Subjects

- Controller's end users who sign up for and use the Service
- Any individual whose personal data appears in prompts, documents, or memory uploaded by Controller

5. Categories of Personal Data

- Contact information: name, email, organisation
- Authentication metadata: session tokens, IP addresses
- Billing data: Stripe customer ID, subscription status
- Tenant content: agent configurations, prompts, memory, A2A logs

6. Controller Obligations

Controller represents and warrants that:

- It has a lawful basis for processing the Personal Data it uploads
- It has obtained any necessary consents from data subjects
- Its instructions to Processor comply with applicable law

7. Processor Obligations

Processor shall:

- Process Personal Data only on documented instructions from Controller
- Ensure persons authorised to process Personal Data are bound by confidentiality
- Implement appropriate technical and organisational security measures (see Annex)
- Assist Controller in responding to data subject rights requests
- Notify Controller without undue delay of any personal data breach affecting the Service
- Make available information necessary to demonstrate compliance with this DPA

8. Sub-processors

Controller authorises Processor to engage the sub-processors listed at /legal/subprocessors. Processor shall notify Controller at least 30 days before adding or replacing a sub-processor. Controller may object within 15 days of notification.

9. International Transfers

Personal Data may be transferred outside the European Economic Area only where an adequacy decision exists or where appropriate safeguards under Article 46 GDPR are in place. For transfers to the United States, the parties agree to be bound by the EU Standard Contractual Clauses (module 3 — Processor to Processor) incorporated by reference.

10. Data Subject Rights

Processor shall assist Controller in fulfilling data subject requests for access, rectification, erasure, restriction, objection, and portability. Requests made directly to Processor by a data subject shall be forwarded to Controller without action.

11. Data Breach Notification

Processor shall notify Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

12. Return and Deletion

Upon termination of the Service, Processor shall, at Controller's choice, delete or return all Personal Data. Controller may export Personal Data at any time via the platform's bundle export API. Backups containing Personal Data shall be deleted within 30 days of service termination, subject to legal retention obligations.

13. Audits

Processor shall make available information necessary to demonstrate compliance with this DPA and shall allow audits, including inspections, by Controller or an auditor mandated by Controller, at reasonable intervals and after reasonable notice.

14. Liability

The liability cap in the Terms of Service applies to this DPA. Nothing in this DPA excludes liability where such exclusion is prohibited by law.

Annex — Technical and Organisational Measures

- **Encryption at rest:** AES-256-GCM via AWS KMS envelope encryption
- **Encryption in transit:** TLS 1.2 or higher on all API endpoints
- **Access control:** role-based access with per-workspace bearer tokens
- **Tenant isolation:** dedicated database branches, compute instances, and key namespace prefixes per tenant
- **Audit logging:** all administrative actions logged to an immutable append-only log
- **Backup:** daily automated backups with 30-day retention
- **Monitoring:** Sentry error tracking, Grafana metrics, Betterstack uptime monitoring
- **Incident response:** documented runbook at /docs/runbooks/ with 72-hour breach notification SLA