Data Processing Addendum
Effective July 1, 2026. This public DPA summary describes AgentDraft's processor commitments for teams that connect business calendars or mailboxes.
Updated
Roles
For workspace data submitted by a business customer, the customer is the controller or business and AgentDraft is the processor or service provider, except where AgentDraft processes limited account, billing, security, and legal-compliance data as an independent controller.
Processing instructions
AgentDraft processes scheduling, calendar, mailbox, webhook, billing, and audit data to provide the service, secure accounts, deliver support, comply with law, and follow the customer's documented instructions, including these public terms and the product configuration selected by the customer.
Security
AgentDraft uses TLS in transit, encryption at rest, application-layer encryption for Google OAuth tokens, argon2id hashing for agent API keys, least-privilege production access, managed secrets, and append-only audit events for state-changing operations.
Subprocessors
AgentDraft uses cloud infrastructure, payment, email, calendar, mailbox, and operational providers under contractual confidentiality and security obligations. Customers may contact hello@agentdraft.io for the current subprocessor list.
Assistance
AgentDraft will provide reasonable assistance for data-subject requests, security inquiries, incident investigation, deletion/export requests, and information needed for customer compliance assessments, taking into account the nature of the service and available account data.
Retention
Retention follows the active plan unless a signed agreement says otherwise: Developer audit data 7 days, Individual 30 days, Team 1 year, and Enterprise 7 years. Some records may be retained longer where needed for security, legal obligations, billing, dispute resolution, backups, or abuse prevention.
Deletion and return
After account termination or a verified deletion request, AgentDraft will delete or return customer data within a commercially reasonable period, subject to legal, security, billing, backup, and audit-retention limits.
International transfers
AgentDraft is operated from the United States and uses United States infrastructure. Customers with regulated cross-border transfer requirements should request a signed DPA before production use.
Signed agreements
This page is a public summary, not a negotiated enterprise DPA. Enterprise customers that need SCCs, custom audit rights, subprocessor notice terms, or jurisdiction-specific addenda should contact hello@agentdraft.io.