Legal · GDPR Art. 28 · Last updated 2026-04-24 · Effective 2026-05-01

Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Terms of Service between ShieldAgent, S.L. (“Processor”) and the customer (“Controller”). It governs ShieldAgent's processing of personal data on the Controller's behalf in accordance with Article 28 of the EU General Data Protection Regulation (GDPR 2016/679).

This DPA is incorporated into and forms part of the Terms of Service. By using the ShieldAgent service you agree to this DPA. Enterprise customers requiring a countersigned DPA may request one at privacy@shieldagent.io.

Annex summary

Nature of processing

Interception, evaluation, logging, and policy enforcement of MCP tool calls.

Purpose

Providing the ShieldAgent security proxy service as contracted by the Controller.

Duration

For the term of the Services Agreement and as required by applicable retention obligations thereafter.

Data subjects

Controller's employees, contractors, and end-users whose personal data may appear in MCP tool-call payloads.

Categories of data

Names, email addresses, user identifiers, and other data incidentally included in agent-routed payloads, after DLP redaction of the 13 EU PII classes.

Special category data

Not intended to be processed. Controller must not route special-category data through the proxy without explicit written agreement.

1. Scope & definitions

Scope and definitions

This DPA applies to all personal data processed by ShieldAgent on behalf of the Controller when delivering the ShieldAgent service. Terms not defined here have the meaning given in the Terms of Service or the GDPR.

"Personal Data": Has the meaning in Art. 4(1) GDPR.
"Processing": Has the meaning in Art. 4(2) GDPR.
"Controller": The Customer entity that determines the purposes and means of processing Personal Data.
"Processor": ShieldAgent, S.L., which processes Personal Data on behalf of and under the instruction of the Controller.
"Sub-processor": Any third party engaged by ShieldAgent to process Personal Data in connection with delivering the service.

2. Roles under GDPR

Controller and Processor roles

The Controller determines the categories of Personal Data routed through the ShieldAgent proxy, the agent identities authorised to connect, and the downstream MCP servers to which traffic is forwarded. ShieldAgent processes that data only on the Controller's documented instructions — which are expressed through policy configuration in the dashboard, API, and this DPA — and does not use it for its own purposes beyond operating and improving the service in aggregate.

3. Permitted processing

Scope of permitted processing

ShieldAgent may process Personal Data only:

  • To intercept, evaluate, and enforce security policies on MCP tool calls.
  • To generate and maintain the cryptographic audit trail.
  • To detect anomalies, compute risk scores, and generate security alerts.
  • To produce compliance reports and Annex IV documentation as configured by the Controller.
  • To operate, monitor, and maintain the service infrastructure.
  • As required by Union or Member State law — in which case ShieldAgent will inform the Controller unless prohibited by law.

ShieldAgent shall not process Personal Data for any other purpose without the Controller's prior written consent.

4. Processor obligations

What ShieldAgent commits to

Follow instructions

Process Personal Data only on the Controller's documented instructions. If ShieldAgent believes an instruction infringes the GDPR, it will inform the Controller.

Confidentiality

Ensure that personnel authorised to process Personal Data are subject to binding confidentiality obligations.

Security

Implement the technical and organisational measures set out in Section 7 of this DPA.

Sub-processors

Engage sub-processors only under Section 5 of this DPA and ensure they are bound by equivalent obligations.

Data subject rights

Assist the Controller with requests from data subjects as set out in Section 6.

DPIA assistance

Assist the Controller where required with Data Protection Impact Assessments (Art. 35 GDPR).

Deletion

Delete or return Personal Data in accordance with Section 11.

Audit

Make available information necessary to demonstrate compliance and permit audits as set out in Section 9.

5. Sub-processors

Use of sub-processors

ShieldAgent has general written authorisation from the Controller to engage sub-processors. ShieldAgent will maintain a current list of sub-processors in the Trust Center.

ShieldAgent will notify the Controller at least 30 days before adding or replacing a sub-processor (“change notice”). The Controller may object to the change within that period by emailing privacy@shieldagent.io with a reasoned written objection. If ShieldAgent cannot address the objection, the Controller may terminate the relevant portion of the service for convenience without penalty.

ShieldAgent ensures every sub-processor is bound by data protection obligations that are at least equivalent to those in this DPA, including appropriate security measures and geographic restrictions.

ShieldAgent remains fully liable to the Controller for the performance of any sub-processor's obligations under this DPA to the extent ShieldAgent would have been liable had it performed the processing itself.

6. Data subject rights

Assisting with data subject requests

ShieldAgent will notify the Controller without undue delay if it receives a request from a data subject exercising rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). ShieldAgent will not respond to such requests on the Controller's behalf without written instruction but will provide the Controller with all technically feasible assistance — including audit export, data lookup, and deletion tooling — to enable the Controller to comply within the statutory time limit. The Controller is responsible for all data subject communications.

7. Security measures

Technical and organisational measures

ShieldAgent implements and maintains the following measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing:

Encryption

TLS 1.3 in transit; AES-256 at rest with per-tenant encryption keys.

Access control

Role-based access control (RBAC) at API and database layers; row-level security (RLS) enforced on all multi-tenant tables.

Integrity

SHA-256 Merkle-tree audit-trail chains with continuous verification. Tampering or gaps are detected automatically.

DLP redaction

Automated redaction of 13 EU PII classes before event persistence.

Availability

99.9% uptime SLA for managed SaaS proxy path. Multi-replica deployment with automatic failover.

Vulnerability management

Continuous dependency scanning, SAST on every merge, quarterly penetration testing, and public responsible disclosure programme.

Personnel

Background checks for personnel with access to production data; annual security awareness training; confidentiality obligations.

Incident response

Documented incident response playbooks with published SLAs. P1 critical incidents acknowledged within 15 minutes 24/7.

Full current security posture is published in the Trust Center.

8. Personal data breach

Breach notification

ShieldAgent will notify the Controller of a Personal Data Breach affecting Customer Data without undue delay and, where feasible, no later than 72 hours after becoming aware of it. The notification will include: (a) a description of the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; (b) the name and contact details of the data protection contact; (c) the likely consequences of the breach; and (d) measures taken or proposed to address the breach. The Controller remains responsible for notifying the competent supervisory authority and, where required, the affected data subjects.

9. Audit rights

Audit and inspection

ShieldAgent will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. ShieldAgent may satisfy this obligation by providing: (a) up-to-date certifications (SOC 2 Type II report once issued, ISO 42001 alignment evidence); (b) responses to standardised security questionnaires (SIG Lite, CAIQ); or (c) an on-site or remote inspection with at least 30 days' notice, subject to a confidentiality undertaking from the appointed auditor. Inspection costs are borne by the Controller unless the audit reveals a material non-compliance by ShieldAgent, in which case ShieldAgent bears reasonable costs.

10. International transfers

Cross-border data transfers

Personal Data processed under this DPA is stored within the EU/EEA by default. ShieldAgent will not transfer Personal Data outside the EEA without applying an appropriate safeguard. Where a transfer to a third country is necessary (for example, a support engineer based outside the EEA accessing a system for incident response), ShieldAgent applies the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914, Module 3 for Processor-to-Sub-processor transfers). BYOC deployments run entirely within the Controller's own cloud account and region; no data transits ShieldAgent infrastructure.

11. Deletion & return

Deletion and return of Personal Data

Upon termination of the Services Agreement for any reason, ShieldAgent will make Customer Data available for export via the dashboard or API for 30 days. Following that period, or upon the Controller's earlier written request, ShieldAgent will delete Customer Data from production systems and certify deletion in writing. Backup copies are purged within 60 days of the deletion instruction. Exceptions apply where: (a) applicable law requires longer retention (e.g. EU AI Act Art. 18 10-year technical documentation requirement for compliance snapshots); or (b) the data is subject to a legal hold. In those cases ShieldAgent will inform the Controller of the exception and the expected retention period.

12. Duration

Duration of this DPA

This DPA takes effect on the date the Customer first uses the ShieldAgent service and remains in force for the duration of the Services Agreement. Obligations relating to Personal Data already processed under this DPA survive termination of the Services Agreement until all such Personal Data is deleted or returned in accordance with Section 11.

DPA execution

This DPA is accepted electronically by accessing or using the ShieldAgent service. Enterprise customers requiring a wet-signature or electronic countersignature DPA (e.g. for procurement or legal review purposes) may request one at privacy@shieldagent.io. The executed DPA supersedes this page for those customers.

Last updated 2026-04-24. Effective 2026-05-01. ShieldAgent, S.L. — Andorra.