Versatl — Data Processing Agreement
Effective Date: March 9, 2026
Last Updated: June 12, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy and applies when Mfini Inc. ("Mfini"), operating the Versatl platform ("Platform" or "Service") at versatl.ai, processes personal data on behalf of a customer ("Controller") in the context of providing the Service. This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.
1. Definitions
- "Controller": The customer who determines the purposes and means of processing personal data by using the Service.
- "Processor": Mfini Inc., operating as Versatl, which processes personal data on behalf of the Controller.
- "Data Subject": An identified or identifiable individual whose personal data is processed.
- "Personal Data": Any information relating to a Data Subject, as defined by applicable data protection law.
- "Sub-Processor": A third party engaged by Mfini Inc. to process personal data on behalf of the Controller.
- "Processing": Any operation performed on personal data (collection, storage, use, transmission, deletion, etc.).
2. Scope and Roles
2.1 When This DPA Applies
This DPA applies when you use the Service to process personal data of third parties (e.g., your customers, employees, or contacts). For example:
- An agent drafts emails to your customers using data you provide in task instructions
- A service processes reports containing employee information
- User context data includes personal data about third parties
2.2 Controller Responsibilities
As the Controller, you are responsible for:
- Ensuring you have a lawful basis to process the personal data you submit to the Service
- Obtaining any necessary consents from Data Subjects
- Determining which personal data to include in task instructions, user context, and agent configurations
- Reviewing agent outputs for accuracy and compliance before use
2.3 Processor Obligations
As the Processor, Mfini Inc.:
- Processes personal data only on your documented instructions (i.e., the tasks and services you configure)
- Does not use personal data for its own purposes beyond providing the Service
- Implements appropriate technical and organizational security measures
- Assists you in fulfilling your obligations to Data Subjects
3. Data Processing Details
3.1 Categories of Data Subjects
Data Subjects whose personal data may be processed through the Service include:
- The Controller's customers or clients
- The Controller's employees or contractors
- Other individuals referenced in task instructions or user context
3.2 Types of Personal Data Processed
The categories below are illustrative; the full inventory of integrations and their categories is maintained in the Connected Services Appendix at docs/legal/connected-services-appendix.md, which is incorporated by reference.
| Data Type | Where It Appears | Processing Purpose |
|---|---|---|
| Names, email addresses | Task instructions, email drafts | Agent task execution |
| Business information | User context, task inputs | Agent personalization |
| Social media content | Tool adapter responses (Twitter/X, LinkedIn, Instagram, Facebook) | Social media management |
| Email content | Gmail adapter (Composio-brokered by default), task outputs | Email drafting, sending, and reading |
| Calendar event content | Google Calendar adapter (Composio-brokered by default) | Event creation, reading, and scheduling |
| File metadata and content | Google Drive adapter (Composio-brokered by default), Dropbox, YouTube | Document retrieval, search, and updates |
| Project-tracking and developer content | MCP-brokered vendors (Atlassian/Jira/Confluence, Linear, GitHub, Notion, Salesforce) | Issue creation, file commits, ticket reads, code search |
| Sales and CRM content | HubSpot, Salesforce, Shopify, QuickBooks adapters | CRM updates, order processing, accounting reads |
| Messaging-channel content | Slack, Telegram (platform-managed bot), Discord (platform-managed bot) | Multi-channel chat with the orchestrator and notifications |
| Any data in task instructions | Task input_text | Whatever the Controller instructs |
3.3 Processing Activities
| Activity | Description |
|---|---|
| Task execution | Processing task instructions through AI models and tools |
| Memory storage | Storing episodic and semantic memories of task outcomes |
| Distillation | AI-based extraction of patterns from task history |
| Tool execution | Transmitting data to third-party services on Controller's instruction |
| Webhook delivery | Sending task results to Controller's configured endpoints |
3.4 Duration of Processing
Processing continues for the duration of the Controller's use of the Service. Upon account deletion, all personal data is deleted through cascade deletion (see Section 7).
4. Sub-Processors
4.1 Current Sub-Processors
Mfini Inc. engages the following sub-processors:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic | AI model processing | Task content, user context, memories | United States |
| OpenAI | AI model processing; embeddings | Task content, user context, memories | United States |
| AI model processing | Task content, user context, memories | United States | |
| OpenRouter | AI routing/aggregation across upstream model hosts (when selected as a route) | Task content, user context, memories | United States |
| Composio | Managed OAuth and tool execution for Google services (Gmail, Calendar, Drive) | OAuth tokens; tool-call inputs and outputs | United States |
| Clerk | Authentication | Email, name | United States |
| Stripe | Payment processing | Email, billing data | United States |
| Sentry | Error tracking | Technical error context | United States |
| Render | Hosting | All data at rest and in transit | United States |
The specific upstream LLMs in use change over time as the Platform's self-healing model catalog is refreshed from each provider's official /v1/models feed. The Controller may view the current model selection from Settings → AI Models. An outage or deprecation of a selected upstream model may cause a per-request substitution within the same tier and provider family; substitutions are recorded in the run metadata and surface on the corresponding task detail page (see Terms of Service § 8.4 for the substitution policy and how to disable it per agent).
4.2 Notification of Changes
We will notify you of any new sub-processors at least 30 days before they begin processing personal data. You may object to a new sub-processor by contacting us within that period. If we cannot accommodate your objection, you may terminate the Service.
4.3 Sub-Processor Obligations
Each sub-processor is bound by contractual obligations substantially similar to those in this DPA, including obligations regarding data security, confidentiality, and data deletion.
5. Security Measures
5.1 Technical Measures
Mfini Inc. implements the following technical security measures:
| Measure | Implementation |
|---|---|
| Encryption at rest | Fernet symmetric encryption for third-party credentials; database encryption |
| Encryption in transit | TLS/HTTPS for all communications |
| Access control | PostgreSQL row-level security (RLS) with FORCE policies for tenant isolation |
| Authentication | Clerk JWT validation; SHA-256 hashed API keys |
| Credential isolation | Credentials encrypted and never exposed to AI models or logs |
| Input validation | Pydantic schema validation on all API inputs |
| Output guardrails | PII detection/redaction, content safety checks, budget enforcement |
| Audit logging | Tamper-evident audit trail with actor, action, resource, IP, timestamp |
| Rate limiting | Per-user request rate limiting |
5.2 Organizational Measures
| Measure | Description |
|---|---|
| Least privilege | Agents can only access tools declared in their configuration |
| Security by design | Row-level security as defense-in-depth beyond application logic |
| Structured logging | No credentials or personal data in log output |
| Incident response | Monitoring via OpenTelemetry and Sentry for rapid detection |
6. Data Subject Rights
6.1 Assistance
Mfini Inc. will assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible.
6.2 Self-Service
Many Data Subject rights can be fulfilled through the Controller's own use of the Service:
- Access: Export task history and data via API
- Rectification: Update user context and preferences via API or Dashboard
- Erasure: Delete account to cascade-delete all associated data
- Portability: API endpoints return data in JSON format
6.3 Response Time
Mfini Inc. will respond to Controller requests for assistance with Data Subject rights within 10 business days.
7. Data Deletion and Return
7.1 Account Deletion
Upon account deletion (DELETE /auth/me), all personal data is permanently deleted through database cascade deletion, including:
- Tasks, services, and execution data
- Episodic and semantic memories (including vector embeddings)
- Stored credentials (encrypted), including any Bring-Your-Own-Model (BYOM) LLM provider keys that were previously marked revoked but retained for billing-reconciliation purposes (see the next paragraph). Account deletion takes precedence over the BYOM retention window.
- API keys, notifications, webhook configurations
- Agent subscriptions and ratings
- Workspace memberships
Disconnect (without account deletion) of BYOM LLM keys. When the Controller disconnects a BYOM LLM provider key without deleting the account, the credential row is marked revoked rather than hard-deleted, and the encrypted key blob is retained for up to eighteen (18) months. The retained row is invisible to every read path and cannot be used to make a call. It is preserved solely so that the Platform's daily billing reconciliation can determine, at the close of each accounting period, whether usage events tagged as BYOM in fact correspond to a credential that was active at the time the call was made. All other disconnect operations (OAuth-based services, Composio-brokered services, MCP-brokered services) hard-delete the credential row immediately and additionally call the vendor's published revoke endpoint where one exists.
7.2 Data Retained
The following data may be retained after deletion:
- Audit logs: Retained for security compliance (actor identity may be anonymized)
- Billing records: Retained as required by tax and accounting law
- Aggregated statistics: De-identified data that cannot be linked to an individual
7.3 Deletion Verification
The Controller may request written confirmation that deletion has been completed.
8. Data Breach Notification
8.1 Notification
In the event of a personal data breach, Mfini Inc. will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
8.2 Breach Notice Content
Notification will include:
- Nature of the breach (categories of data, approximate number of Data Subjects)
- Contact point for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8.3 Cooperation
Mfini Inc. will cooperate with the Controller in investigating the breach and notifying Data Subjects and supervisory authorities as required by applicable law.
9. International Data Transfers
9.1 Transfer Mechanisms
When personal data is transferred outside the EEA/UK, Mfini Inc. relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
- Other lawful transfer mechanisms as required
9.2 Sub-Processor Transfers
Sub-processors located outside the EEA/UK are bound by SCCs or equivalent safeguards.
10. Audits
10.1 Right to Audit
The Controller has the right to audit Mfini Inc.'s compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor, with reasonable notice (at least 30 days) and during business hours.
10.2 Audit Reports
Mfini Inc. may provide existing audit reports, certifications, or third-party assessments as an alternative to on-site audits where possible.
10.3 Costs
The Controller bears the costs of any audit, unless the audit reveals material non-compliance by Mfini Inc.
11. Term and Termination
11.1 Duration
This DPA remains in effect for the duration of the Controller's use of the Service and for as long as Mfini Inc. retains any personal data processed on behalf of the Controller.
11.2 Survival
Sections 7 (Data Deletion), 8 (Breach Notification), and 10 (Audits) survive termination.
12. Contact
For DPA-related inquiries:
Mfini Inc.
Email: dpo@versatl.ai
Data Protection Officer: dpo@versatl.ai
Address: 1401 Lavaca St, Ste 558, Austin, TX 78701