Versatl — Data Processing Agreement

Effective Date: March 9, 2026
Last Updated: March 9, 2026


This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy and applies when Mfini Inc. ("Mfini"), operating the Versatl platform ("Platform" or "Service") at versatl.ai, processes personal data on behalf of a customer ("Controller") in the context of providing the Service. This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.


1. Definitions

  • "Controller": The customer who determines the purposes and means of processing personal data by using the Service.
  • "Processor": Mfini Inc., operating as Versatl, which processes personal data on behalf of the Controller.
  • "Data Subject": An identified or identifiable individual whose personal data is processed.
  • "Personal Data": Any information relating to a Data Subject, as defined by applicable data protection law.
  • "Sub-Processor": A third party engaged by Mfini Inc. to process personal data on behalf of the Controller.
  • "Processing": Any operation performed on personal data (collection, storage, use, transmission, deletion, etc.).

2. Scope and Roles

2.1 When This DPA Applies

This DPA applies when you use the Service to process personal data of third parties (e.g., your customers, employees, or contacts). For example:

  • An agent drafts emails to your customers using data you provide in task instructions
  • A service processes reports containing employee information
  • User context data includes personal data about third parties

2.2 Controller Responsibilities

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis to process the personal data you submit to the Service
  • Obtaining any necessary consents from Data Subjects
  • Determining which personal data to include in task instructions, user context, and agent configurations
  • Reviewing agent outputs for accuracy and compliance before use

2.3 Processor Obligations

As the Processor, Mfini Inc.:

  • Processes personal data only on your documented instructions (i.e., the tasks and services you configure)
  • Does not use personal data for its own purposes beyond providing the Service
  • Implements appropriate technical and organizational security measures
  • Assists you in fulfilling your obligations to Data Subjects

3. Data Processing Details

3.1 Categories of Data Subjects

Data Subjects whose personal data may be processed through the Service include:

  • The Controller's customers or clients
  • The Controller's employees or contractors
  • Other individuals referenced in task instructions or user context

3.2 Types of Personal Data Processed

| Data Type | Where It Appears | Processing Purpose |
|-----------|-----------------|-------------------|
| Names, email addresses | Task instructions, email drafts | Agent task execution |
| Business information | User context, task inputs | Agent personalization |
| Social media content | Tool adapter responses | Social media management |
| Communication content | Gmail adapter, task outputs | Email drafting/sending |
| Any data in task instructions | Task input_text | Whatever the Controller instructs |

3.3 Processing Activities

| Activity | Description |
|----------|-------------|
| Task execution | Processing task instructions through AI models and tools |
| Memory storage | Storing episodic and semantic memories of task outcomes |
| Distillation | AI-based extraction of patterns from task history |
| Tool execution | Transmitting data to third-party services on Controller's instruction |
| Webhook delivery | Sending task results to Controller's configured endpoints |

3.4 Duration of Processing

Processing continues for the duration of the Controller's use of the Service. Upon account deletion, all personal data is deleted through cascade deletion (see Section 7).


4. Sub-Processors

4.1 Current Sub-Processors

Mfini Inc. engages the following sub-processors:

| Sub-Processor | Purpose | Data Processed | Location |
|---------------|---------|---------------|----------|
| Anthropic | AI model processing (primary) | Task content, user context, memories | United States |
| OpenAI | AI model processing (fallback), embeddings | Task content, user context, memories | United States |
| Google | AI model processing (fallback) | Task content, user context, memories | United States |
| Clerk | Authentication | Email, name | United States |
| Stripe | Payment processing | Email, billing data | United States |
| Sentry | Error tracking | Technical error context | United States |
| Infrastructure Provider | Hosting | All data at rest and in transit | [Region TBD] |

4.2 Notification of Changes

We will notify you of any new sub-processors at least 30 days before they begin processing personal data. You may object to a new sub-processor by contacting us within that period. If we cannot accommodate your objection, you may terminate the Service.

4.3 Sub-Processor Obligations

Each sub-processor is bound by contractual obligations substantially similar to those in this DPA, including obligations regarding data security, confidentiality, and data deletion.


5. Security Measures

5.1 Technical Measures

Mfini Inc. implements the following technical security measures:

| Measure | Implementation |
|---------|---------------|
| Encryption at rest | Fernet symmetric encryption for third-party credentials; database encryption |
| Encryption in transit | TLS/HTTPS for all communications |
| Access control | PostgreSQL row-level security (RLS) with FORCE policies for tenant isolation |
| Authentication | Clerk JWT validation; SHA-256 hashed API keys |
| Credential isolation | Credentials encrypted and never exposed to AI models or logs |
| Input validation | Pydantic schema validation on all API inputs |
| Output guardrails | PII detection/redaction, content safety checks, budget enforcement |
| Audit logging | Tamper-evident audit trail with actor, action, resource, IP, timestamp |
| Rate limiting | Per-user request rate limiting |

5.2 Organizational Measures

| Measure | Description |
|---------|-------------|
| Least privilege | Agents can only access tools declared in their configuration |
| Security by design | Row-level security as defense-in-depth beyond application logic |
| Structured logging | No credentials or personal data in log output |
| Incident response | Monitoring via OpenTelemetry and Sentry for rapid detection |


6. Data Subject Rights

6.1 Assistance

Mfini Inc. will assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible.

6.2 Self-Service

Many Data Subject rights can be fulfilled through the Controller's own use of the Service:

  • Access: Export task history and data via API
  • Rectification: Update user context and preferences via API or Dashboard
  • Erasure: Delete account to cascade-delete all associated data
  • Portability: API endpoints return data in JSON format

6.3 Response Time

Mfini Inc. will respond to Controller requests for assistance with Data Subject rights within 10 business days.


7. Data Deletion and Return

7.1 Account Deletion

Upon account deletion (DELETE /auth/me), all personal data is permanently deleted through database cascade deletion, including:

  • Tasks, services, and execution data
  • Episodic and semantic memories (including vector embeddings)
  • Stored credentials (encrypted)
  • API keys, notifications, webhook configurations
  • Agent subscriptions and ratings
  • Workspace memberships

7.2 Data Retained

The following data may be retained after deletion:

  • Audit logs: Retained for security compliance (actor identity may be anonymized)
  • Billing records: Retained as required by tax and accounting law
  • Aggregated statistics: De-identified data that cannot be linked to an individual

7.3 Deletion Verification

The Controller may request written confirmation that deletion has been completed.


8. Data Breach Notification

8.1 Notification

In the event of a personal data breach, Mfini Inc. will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.

8.2 Breach Notice Content

Notification will include:

  • Nature of the breach (categories of data, approximate number of Data Subjects)
  • Contact point for further information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8.3 Cooperation

Mfini Inc. will cooperate with the Controller in investigating the breach and notifying Data Subjects and supervisory authorities as required by applicable law.


9. International Data Transfers

9.1 Transfer Mechanisms

When personal data is transferred outside the EEA/UK, Mfini Inc. relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Adequacy decisions where applicable
  • Other lawful transfer mechanisms as required

9.2 Sub-Processor Transfers

Sub-processors located outside the EEA/UK are bound by SCCs or equivalent safeguards.


10. Audits

10.1 Right to Audit

The Controller has the right to audit Mfini Inc.'s compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor, with reasonable notice (at least 30 days) and during business hours.

10.2 Audit Reports

Mfini Inc. may provide existing audit reports, certifications, or third-party assessments as an alternative to on-site audits where possible.

10.3 Costs

The Controller bears the costs of any audit, unless the audit reveals material non-compliance by Mfini Inc.


11. Term and Termination

11.1 Duration

This DPA remains in effect for the duration of the Controller's use of the Service and for as long as Mfini Inc. retains any personal data processed on behalf of the Controller.

11.2 Survival

Sections 7 (Data Deletion), 8 (Breach Notification), and 10 (Audits) survive termination.


12. Contact

For DPA-related inquiries:

Email: dpo@versatl.ai
Data Protection Officer: dpo@versatl.ai
Mfini Inc.
Address: [Company Address]