GDPR Compliance
You choose where your data lives. Your rights are protected.
Choose Your Data Region
When you create your account, you select where your data is hosted. EU customers can keep all data in our Hetzner data centers in Germany for full GDPR compliance. US and other regions are served from our US infrastructure.
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU's data protection law that gives individuals control over their personal data. As a hosting provider operating in the EU, Agento fully complies with GDPR requirements.
Data Controller vs. Data Processor
Agento as Processor
For data your AI agents process on our infrastructure, Agento acts as a Data Processor. You remain the Data Controller and determine how that data is used.
Agento as Controller
For your account information (email, billing, usage logs), Agento acts as Data Controller and is directly responsible for protecting this data.
Your GDPR Rights
Right to Access
Request a copy of all personal data we hold about you and your agents.
Right to Rectification
Correct any inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data and agent data.
Right to Restrict Processing
Limit how we use your data while disputes are resolved.
Additional rights include data portability (export your data), objection to processing, and the right to withdraw consent at any time.
Legal Basis for Processing
We process your data under the following legal bases:
- Contract: To provide the hosting services you signed up for
- Legitimate Interest: Security monitoring, fraud prevention, service improvement
- Legal Obligation: Tax records, compliance with law enforcement requests
- Consent: Marketing communications (opt-in only)
Where Your Data Lives
Your data location depends on the region you select during account creation.
🇪🇺 EU Region
- Agent runtime: Hetzner, Germany
- Database: Supabase EU
- Logs & storage: Germany
🇺🇸 US Region
- Agent runtime: US data center
- Database: Supabase US
- Logs & storage: United States
Shared Services (All Regions)
- Payment processing: Stripe (processes in your region where available)
- Email communications: US-based provider
For cross-border services, we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.
Data Processing Agreement
Enterprise customers who need a formal Data Processing Agreement (DPA) can request one by contacting us. Our DPA covers Article 28 requirements including sub-processor lists, security measures, and audit rights.
Data Retention
We follow data minimization principles:
- Agent logs: 30 days by default (configurable)
- Account data: Until account deletion + 30 days
- Billing records: 7 years (legal requirement)
Security Measures
We implement technical and organizational measures required by Article 32:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Isolated container environments for each customer
- Access controls with audit logging
- Regular security assessments
- Incident response procedures
How to Exercise Your Rights
To make a GDPR request (access, deletion, portability, etc.):
Email us at [email protected] with:
- Your account email address
- The specific right you wish to exercise
- Any details that help us locate the data
We will respond within 30 days as required by GDPR.
Supervisory Authority
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. For EU residents, this is typically the authority in your country of residence.
Contact
Data Protection Contact
Remsys, Inc.
1606 Headway Cir STE 9078
Austin, TX 78754, USA
Email: [email protected]