ShackleAIShackleAI

Data Processing Agreement

Effective date: March 11, 2026 · Last updated: March 11, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between ShackleAI (“Processor”) and you (“Controller”), pursuant to Article 28 of the General Data Protection Regulation (GDPR).

1. Definitions

  • Personal Data — any data relating to an identified or identifiable natural person processed through the Platform.
  • Processing — any operation on Personal Data, including collection, storage, retrieval, and deletion.
  • Sub-processor — a third party engaged by ShackleAI to process Personal Data.

2. Scope of Processing

2.1 Categories of Data Subjects

  • Platform users (developers, operators)
  • End users whose data is processed by agents via the Platform

2.2 Types of Personal Data

  • Account data: GitHub username, email, user ID
  • Usage data: API logs, tool call metadata, timestamps
  • Vault data: encrypted OAuth tokens and API keys
  • Memory data: text embeddings and metadata

2.3 Purpose

Personal Data is processed solely to provide the Platform services as described in the Terms of Service.

3. Processor Obligations

ShackleAI shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures (see Section 5)
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
  • Notify the Controller of any data breach without undue delay (within 72 hours)
  • Delete or return all Personal Data upon termination of services, at the Controller’s choice
  • Make available all information necessary to demonstrate compliance and allow audits

4. Sub-processors

ShackleAI uses the following sub-processors:

  • Amazon Web Services (AWS) — infrastructure hosting (ap-south-1, Mumbai). Processes: all Platform data.
  • Stripe — payment processing. Processes: billing information.
  • GitHub — authentication provider. Processes: OAuth tokens, user identity.
  • AWS SES — email delivery. Processes: email addresses, notification content.

We will notify you of any new sub-processor at least 14 days before engagement. You may object within that period. If the objection cannot be resolved, you may terminate the agreement.

5. Security Measures

ShackleAI implements the following technical measures:

  • AES-256 encryption for credentials at rest (Vault)
  • TLS 1.2+ encryption for all data in transit
  • Per-user data isolation (no cross-account data access)
  • JWT-based session authentication with configurable expiry
  • Rate limiting per API key (sliding window, tier-based)
  • Governance policy engine (default deny — agents have zero access until explicitly granted)
  • Full audit logging of all agent actions (Observatory)
  • Automated SQL migration system with schema versioning

6. Data Breach Notification

In the event of a personal data breach, ShackleAI will:

  • Notify the Controller within 72 hours of becoming aware
  • Provide: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken
  • Cooperate with the Controller’s breach response

7. International Transfers

Platform data is stored in AWS ap-south-1 (Mumbai, India). For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

8. Data Retention

  • Account data: retained while the account is active
  • API logs: 90 days, then automatically purged
  • Vault data: deleted within 24 hours of connection removal
  • On account deletion: all data removed within 30 days, except where legal retention applies

9. Audit Rights

The Controller may audit ShackleAI’s compliance with this DPA upon reasonable notice. ShackleAI will cooperate and provide access to relevant documentation and systems.

10. Term & Termination

This DPA remains in effect for as long as ShackleAI processes Personal Data on behalf of the Controller. Upon termination, ShackleAI will delete all Personal Data within 30 days and certify deletion in writing upon request.

11. Contact

For DPA-related inquiries, contact useshackleai@gmail.com.

To request a signed copy of this DPA for your records, email us with your organization name and billing email.