GDPR, EU data residency & your data
AgentWorks is built for European teams that treat GDPR, the EU AI Act and data residency as requirements, not nice-to-haves. Here is exactly how we handle your data — and who we work with.
EU data residency
Core infrastructure runs in EU regions — Supabase in Frankfurt/Amsterdam and Vercel in the EU. LLM calls use EU endpoints where the provider offers them.
PII redacted before the model
Personal data is detected and redacted at the gateway before any third-party LLM call — designed so personal data does not reach external models.
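The gateway-side redaction step described above, as an added example that is not AgentWorks code: a pattern-based redactor that swaps email addresses, IBANs and phone numbers for stable placeholders, keeps the placeholder-to-value mapping on the gateway side so the model's answer can be re-hydrated, and a final `contains_pii` check the gateway can run before forwarding. The pattern set, placeholder format, function names and the sample text are constructed for this example. It also shows the limit a practitioner should know about: the bare name "Anna Keller" survives, because regular expressions only catch structured identifiers; free-text names and addresses need an NER model or a deny-by-default policy on top.

```python
"""Gateway-side PII redaction before a third-party LLM call.
Added example, not AgentWorks code; patterns, placeholders and the sample are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict

# Order matters: IBANs contain digit runs that the looser PHONE pattern would also match,
# so structured identifiers are replaced first.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "PHONE": re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)"),
}


@dataclass
class Redaction:
    text: str                                               # what may leave the gateway
    mapping: Dict[str, str] = field(default_factory=dict)   # placeholder -> original, stays in the EU


def redact(text: str) -> Redaction:
    """Replace each detected value with a stable placeholder such as <EMAIL_1>.
    The same value always maps to the same placeholder, so the model can still
    reason about 'the same person' without seeing who it is."""
    mapping: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    counters: Dict[str, int] = {}
    for kind, pattern in PATTERNS.items():
        def _sub(m: "re.Match[str]", kind: str = kind) -> str:
            value = m.group(0)
            if value not in reverse:
                counters[kind] = counters.get(kind, 0) + 1
                token = f"<{kind}_{counters[kind]}>"
                mapping[token] = value
                reverse[value] = token
            return reverse[value]
        text = pattern.sub(_sub, text)
    return Redaction(text, mapping)


def rehydrate(model_output: str, mapping: Dict[str, str]) -> str:
    """Put the original values back into the model's answer, on the gateway side."""
    for token, value in mapping.items():
        model_output = model_output.replace(token, value)
    return model_output


def contains_pii(text: str) -> bool:
    """Final check before forwarding: refuse to send anything a pattern still matches."""
    return any(p.search(text) for p in PATTERNS.values())


# Constructed sample input; the person and every identifier are invented.
SAMPLE = ("Hi, I'm Anna Keller. Reach me at anna.keller@example.de or +49 30 1234567, "
          "refund to DE89 3704 0044 0532 0130 00 please. Also CC anna.keller@example.de.")

if __name__ == "__main__":
    r = redact(SAMPLE)
    print(r.text)       # the bare name is NOT caught by pattern matching
    print(r.mapping)
    print(rehydrate("Refund sent to <IBAN_1>; receipt to <EMAIL_1>.", r.mapping))
```

The mapping never leaves the gateway, so a zero-retention contract on the provider side and this redaction on your side are independent controls: if one fails, the other still limits what an external model ever saw.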
No training on your data
Our LLM providers are contractually bound to no-training terms, and to zero-retention terms where the provider offers them (the sub-processor table below lists what is in place with each), so your prompts and content are not used to train their models.
Audit trail + human oversight
Every state-mutating action is written to an append-only audit log, and high-risk actions require human-in-the-loop approval before they run.
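The two controls above, an append-only audit log and a human-in-the-loop gate, as an added example that is not AgentWorks code. Each log entry carries the SHA-256 of its own fields plus the previous entry's hash, so editing, deleting or reordering any entry is detectable by `verify()`; `run_action` refuses a high-risk action that has no named approver and logs the refusal as well as the later approved run. The action names, the `HIGH_RISK_ACTIONS` set, the field names and the `demo()` run are assumptions of this example.

```python
"""Append-only, hash-chained audit log plus a human-in-the-loop gate for high-risk actions.
Added example, not AgentWorks code; action names, the risk set and field names are assumed."""
import hashlib
import json
import time
from dataclasses import dataclass, asdict, replace
from typing import Callable, Dict, List, Optional

# Assumed per-action risk classification; the page does not publish the real one.
HIGH_RISK_ACTIONS = {"issue_refund", "send_email", "delete_record"}


@dataclass(frozen=True)
class Entry:
    seq: int
    ts: float
    request_id: str
    action: str
    params: Dict
    status: str               # "executed" or "blocked_pending_approval"
    approver: Optional[str]   # human who signed off, if any
    prev_hash: str            # links this entry to the previous one
    hash: str                 # SHA-256 over every other field


def _digest(fields: Dict) -> str:
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, request_id: str, action: str, params: Dict, status: str,
               approver: Optional[str] = None, ts: Optional[float] = None) -> Entry:
        fields = dict(seq=len(self.entries), ts=ts if ts is not None else time.time(),
                      request_id=request_id, action=action, params=params,
                      status=status, approver=approver,
                      prev_hash=self.entries[-1].hash if self.entries else self.GENESIS)
        entry = Entry(**fields, hash=_digest(fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and every link; any edit, deletion or reorder breaks the chain."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            fields.pop("hash")
            if e.seq != i or e.prev_hash != prev or _digest(fields) != e.hash:
                return False
            prev = e.hash
        return True


def run_action(log: AuditLog, request_id: str, action: str, params: Dict,
               do: Callable[[str, Dict], None], approver: Optional[str] = None) -> bool:
    """Gate: a high-risk action without a named human approver is logged and refused.
    Every outcome, including the refusal, is written to the log before returning."""
    if action in HIGH_RISK_ACTIONS and approver is None:
        log.append(request_id, action, params, "blocked_pending_approval")
        return False
    do(action, params)
    log.append(request_id, action, params, "executed", approver)
    return True


def demo() -> Dict:
    """Constructed run: a low-risk action, a refused refund, the same refund after approval,
    then a simulated edit of a stored entry to show that verify() catches it."""
    log, executed = AuditLog(), []
    do = lambda action, params: executed.append(action)
    ran = (
        run_action(log, "req-1", "update_crm_note", {"id": 42}, do),
        run_action(log, "req-2", "issue_refund", {"amount_eur": 120}, do),
        run_action(log, "req-2", "issue_refund", {"amount_eur": 120}, do, approver="ops@example.com"),
    )
    statuses = [e.status for e in log.entries]
    ok_before = log.verify()
    log.entries[1] = replace(log.entries[1], status="executed")  # someone rewrites history
    ok_after = log.verify()
    return dict(ran=ran, executed=executed, statuses=statuses,
                ok_before=ok_before, ok_after=ok_after)


if __name__ == "__main__":
    print(demo())
```

A hash chain only proves integrity relative to its own head; to make the log truly append-only in practice, the latest hash has to be anchored somewhere the application cannot rewrite (a write-once store, a signed checkpoint, or a separate system the reviewer controls).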
Sub-processors
The third parties that process data on our behalf. We maintain a Data Processing Agreement with each and inform customers of material changes.
| Sub-processor | Purpose | Region | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication & file storage | EU (Frankfurt / Amsterdam) | EU region · GDPR DPA |
| Vercel | Application hosting & content delivery | EU regions | GDPR DPA · SCCs where applicable |
| Anthropic (Claude) | Large language model inference | EU endpoints where available | No training on your data · zero retention · DPA |
| OpenAI (GPT) | Large language model inference | EU endpoints where available | No training on your data · zero retention · DPA · SCCs |
| Google (Gemini) | Large language model inference | EU endpoints where available | No training on your data · DPA · SCCs |
| Mistral | Large language model inference | EU (France) | EU-based provider · DPA |
| Stripe | Payment & subscription processing | EU + US | PCI-DSS · GDPR DPA · SCCs |
GDPR commitments
Data Processing Agreement (Art. 28)
AgentWorks acts as processor and your organisation as controller. A DPA is available on request for every business customer.
Data subject rights
We support access, export and deletion of personal data on request, so you can meet your obligations to your own users.
Records of processing (Art. 30)
We maintain a record of processing activities, available to supervisory authorities and to customers under their DPA.
Breach notification
Our procedure is to notify affected customers without undue delay, and in any case within 72 hours of becoming aware of a personal-data breach, so that you as controller can meet your own 72-hour deadline for notifying your supervisory authority under Art. 33.
International transfers
Where a sub-processor processes data outside the EU, Standard Contractual Clauses (SCCs) are in place via the provider DPAs.
Privacy policy & cookie consent
Our website carries a privacy policy and cookie consent; see the privacy policy for the full detail.
EU AI Act: ready, not a blanket claim
No platform is automatically "EU AI Act compliant" — the Act classifies risk by use case, so whether a given agent is high-risk depends on how you deploy it (for example, HR screening or credit scoring can be high-risk). AgentWorks gives you the controls the Act expects, so you can deploy responsibly:
- Per-agent risk classification
- Append-only audit trail of every action
- Human-in-the-loop approval on high-risk actions
- PII redaction before third-party model calls
Certifications roadmap
Today we operate on a DPA, a published sub-processor list, a privacy policy and EU hosting. As we grow into larger enterprise and agency deployments, SOC 2 Type II and/or ISO 27001 are on our roadmap. Talk to us about your specific assurance requirements.
Frequently asked questions
Where is my data stored?
Core infrastructure runs in EU regions: Supabase (database, authentication and storage) in Frankfurt/Amsterdam and Vercel (hosting) in the EU. Large language model calls use EU endpoints where the provider offers them. Personal data is redacted before any third-party LLM call.
Do you train AI models on my data?
No. Our LLM providers (Anthropic, OpenAI, Google, Mistral) are contractually bound to no-training terms, and to zero-retention terms where the provider offers them (see the sub-processor table for what is in place with each), so your prompts and content are not used to train their models. In addition, personal data is redacted at the gateway before any model call.
Do you sign a Data Processing Agreement (DPA)?
Yes. Under GDPR Article 28, AgentWorks acts as processor and your organisation as controller. A DPA is available on request for every business customer, with Standard Contractual Clauses covering any non-EU sub-processor transfers.
Is AgentWorks EU AI Act compliant?
AgentWorks is AI Act-ready rather than blanket "compliant" — whether a specific use case is high-risk depends on how you deploy the agent. We provide the building blocks the Act expects: per-agent risk classification, an append-only audit trail, and human-in-the-loop oversight for high-risk actions.
Who are your sub-processors?
Our current sub-processors are Supabase (database/auth/storage, EU), Vercel (hosting, EU), Anthropic, OpenAI, Google and Mistral (LLM inference; the sub-processor table lists the no-training and retention terms in place with each), and Stripe (payments). We maintain a DPA with each and inform customers of material changes.
How do I exercise GDPR data subject rights?
Contact us to request access, export or deletion of personal data. We support these rights so you can meet your own obligations to your users, and we respond within the one-month window Article 12 sets for controllers, so that you can answer a data subject in time.