Skip to main content

Data Processing Agreement

Effective Date: March 28, 2026 Last Updated: March 28, 2026 This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between the entity identified as the customer in the Agreement (“Controller” or “Customer”) and Anima Labs Ltd, including its affiliates (“Processor” or “Anima”), and supplements the Agreement with respect to Anima’s processing of Personal Data on behalf of the Customer. This DPA applies where and only to the extent that Anima processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to the European General Data Protection Regulation (EU 2016/679) (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), or other applicable data protection laws.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. “Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, FADP, and the California Consumer Privacy Act (“CCPA”). “Controller” means the entity that determines the purposes and means of the processing of Personal Data, as defined in Applicable Data Protection Law. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates. “EEA” means the European Economic Area. “Personal Data” means any information relating to a Data Subject that is processed by Anima on behalf of the Customer in connection with the Service, as defined in Applicable Data Protection Law. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. “Processor” means the entity that processes Personal Data on behalf of the Controller, as defined in Applicable Data Protection Law. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission Decision 2021/914 of 4 June 2021, and as may be amended or replaced from time to time. “Sub-processor” means any third party appointed by Anima to process Personal Data on behalf of the Customer.

2. Scope and Purpose of Processing

2.1 Scope

This DPA applies to the processing of Personal Data as described in Annex I (Details of Processing) attached hereto. The categories of Data Subjects, types of Personal Data, and purposes of processing are specified in Annex I.

2.2 Customer Instructions

Anima shall process Personal Data only on documented instructions from the Customer, including with respect to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such a case, Anima shall inform the Customer of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

2.3 Purpose Limitation

Anima shall process Personal Data solely for the purpose of providing the Service in accordance with the Agreement and this DPA, and shall not process Personal Data for any other purpose unless instructed by the Customer in writing or required by applicable law.

3. Obligations of the Processor

Anima shall:

3.1 Compliance

Process Personal Data in compliance with Applicable Data Protection Law and the terms of this DPA.

3.2 Confidentiality

Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security

Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II (Security Measures) attached hereto. These measures include, at a minimum:
  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+).
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

3.4 Assistance

Taking into account the nature of processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law.

3.5 Deletion and Return

At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data. Anima will provide the Customer with a 30-day period following termination to export or request return of Personal Data.

4. Sub-processors

4.1 Authorization

The Customer provides general written authorization for Anima to engage Sub-processors for the processing of Personal Data under this DPA. The current list of approved Sub-processors is set forth in Annex III and is available at https://useanima.sh/subprocessors.

4.2 Notification of Changes

Anima shall notify the Customer at least 30 days in advance of any intended addition or replacement of a Sub-processor, providing the Customer with an opportunity to object to the change.

4.3 Objection Right

If the Customer reasonably objects to a new Sub-processor within 15 days of receiving notice, Anima shall use commercially reasonable efforts to: (a) make available to the Customer a change in the Service that avoids the use of the objected-to Sub-processor; or (b) recommend a commercially reasonable alternative. If Anima is unable to provide an alternative within 30 days, either party may terminate the affected portion of the Service without penalty.

4.4 Sub-processor Obligations

Anima shall: (a) impose data protection obligations on each Sub-processor that are no less protective than those in this DPA; (b) remain fully liable to the Customer for the performance of each Sub-processor’s obligations; and (c) ensure that each Sub-processor agreement provides for termination and data deletion/return provisions consistent with this DPA.

5. Data Subject Rights

5.1 Assistance

Anima shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures for the fulfillment of the Customer’s obligation to respond to Data Subject requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction, data portability, and objection.

5.2 Notification

If Anima receives a request from a Data Subject regarding Personal Data processed on behalf of the Customer, Anima shall promptly notify the Customer and shall not respond to the request directly unless instructed by the Customer or required by applicable law.

5.3 Cost

Anima shall provide reasonable assistance at no additional charge. If a Data Subject request requires significant effort beyond routine assistance, Anima may charge a reasonable fee based on the administrative cost of responding, provided Anima notifies the Customer of the fee in advance.

6. Security Measures

6.1 Technical Measures

Anima implements and maintains the technical security measures described in Annex II, including:
  • Encryption: AES-256 encryption at rest for all Personal Data; TLS 1.2+ encryption in transit.
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for all administrative access, principle of least privilege.
  • Network Security: Network segmentation, firewalls, intrusion detection and prevention systems, DDoS protection.
  • Audit Logging: Comprehensive logging of all access to Personal Data, with tamper-evident log storage.
  • Vulnerability Management: Regular vulnerability scanning, annual penetration testing by qualified third parties, and a responsible disclosure program.

6.2 Organizational Measures

  • Personnel Security: Background checks for employees with access to Personal Data, mandatory security awareness training, and binding confidentiality obligations.
  • Incident Response: Documented incident response plan with defined roles, escalation procedures, and post-incident review processes.
  • Business Continuity: Redundant infrastructure, automated backups, and documented disaster recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO).
  • Vendor Management: Due diligence and ongoing monitoring of Sub-processors’ security practices.

7. Personal Data Breach Notification

7.1 Notification to Customer

Anima shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.

7.2 Content of Notification

The notification shall include, to the extent available:
  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of Anima’s point of contact for further information.
  • A description of the likely consequences of the Personal Data Breach.
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

7.3 Ongoing Cooperation

Anima shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach. Anima shall provide the Customer with timely updates as additional information becomes available.

7.4 Documentation

Anima shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.

8. Audit Rights

8.1 Information and Audit

Anima shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

8.2 Audit Procedure

Audits shall be conducted subject to the following conditions:
  • The Customer shall provide at least 30 days’ written notice of an audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Anima’s operations.
  • The Customer and its auditors shall comply with Anima’s reasonable security and confidentiality requirements.
  • Audits shall be limited to once per year unless a Personal Data Breach has occurred or a supervisory authority requires an additional audit.

8.3 Third-Party Certifications

Anima may satisfy audit requests by providing: (a) relevant third-party audit reports or certifications (e.g., SOC 2 Type II); (b) responses to reasonable written questions; or (c) facilitating an on-site audit if the foregoing are insufficient to demonstrate compliance.

8.4 Cost

Each party shall bear its own costs in connection with audits, except that if an audit reveals a material breach of this DPA by Anima, Anima shall bear the reasonable costs of the audit.

9. Data Deletion and Return

9.1 Upon Termination

Upon termination or expiration of the Agreement, Anima shall, at the Customer’s election:
  • Return all Personal Data to the Customer in a structured, commonly used, and machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing.

9.2 Retention Period

Anima will provide the Customer with a 30-day period following termination to export or request return of Personal Data. After this period, Anima shall delete all remaining Personal Data within 30 additional days, unless applicable law requires continued storage.

9.3 Sub-processor Data

Anima shall ensure that all Sub-processors delete or return Personal Data in accordance with the timelines set forth in this Section 9.

10. International Data Transfers

10.1 Transfer Mechanism

To the extent that the performance of the Service involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the parties agree that such transfers shall be governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference.

10.2 Module Application

The SCCs shall apply as follows:
  • Module Two (Controller to Processor): Where the Customer is a Controller and Anima processes Personal Data as a Processor.
  • Module Three (Processor to Processor): Where the Customer is a Processor acting on behalf of its own controller, and Anima processes Personal Data as a Sub-processor.

10.3 UK International Data Transfer Addendum

For transfers of Personal Data subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) shall apply and is incorporated into this DPA by reference.

10.4 Swiss Addendum

For transfers of Personal Data subject to the Swiss FADP, the SCCs shall apply with the modifications necessary to comply with the FADP, including treating the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the competent supervisory authority.

10.5 Supplementary Measures

In addition to the SCCs, Anima implements the following supplementary measures to protect transferred Personal Data:
  • Encryption at rest and in transit as described in Annex II.
  • Strict access controls limiting access to Personal Data to authorized personnel.
  • Policies and procedures to handle government access requests in accordance with applicable law, including transparency reporting where permitted.

11. Duration and Termination

11.1 Term

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to Section 9 (Data Deletion and Return).

11.2 Survival

The obligations of Anima under this DPA with respect to the processing of Personal Data shall continue for as long as Anima retains Personal Data processed on behalf of the Customer.

12. Liability

The liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, the aggregate liability of Anima under the Agreement and this DPA combined shall not exceed the limitations set forth in the Agreement.

13. Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except that: (a) where the SCCs apply, the governing law of the SCCs shall be as specified therein; and (b) where required by Applicable Data Protection Law, the relevant data protection law shall govern.

14. Contact

For questions regarding this DPA, please contact: Anima Labs Ltd Data Protection Officer Email: legal@useanima.sh Website: https://useanima.sh

Annex I: Details of Processing

A. List of Parties

Data Exporter (Controller): The Customer, as identified in the Agreement. Data Importer (Processor): Anima Labs Ltd, registered in England and Wales, and its affiliates.

B. Description of Processing

ElementDescription
Categories of Data SubjectsCustomer’s employees, contractors, end users, and the natural persons whose data is processed by Customer’s Agents (e.g., email recipients, phone call participants).
Categories of Personal DataAccount data (name, email, company); email data (addresses, content, metadata); phone/SMS data (numbers, content, metadata); vault entries (encrypted credentials); identity data (DIDs, verifiable credential metadata); usage data (API logs, dashboard activity); technical data (IP addresses, device information).
Sensitive DataNone intentionally processed. If Customer submits sensitive data to the Service, Customer is responsible for ensuring a lawful basis and appropriate safeguards.
Frequency of TransferContinuous, for the duration of the Service.
Nature and Purpose of ProcessingProcessing is necessary to provide the Service, including: email routing and delivery; phone/SMS communication services; encrypted credential storage; cryptographic identity management; API request handling; usage metering and billing.
Retention PeriodAs specified in Anima’s Privacy Policy (Section 5) and subject to Customer configuration, except as required by applicable law.

C. Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs. For UK-based Data Exporters, the competent supervisory authority is the UK Information Commissioner’s Office (ICO).

Annex II: Security Measures

Anima implements and maintains the following technical and organizational security measures:

Technical Measures

MeasureDescription
Encryption at RestAES-256 encryption for all stored Personal Data, including database fields, vault entries, and backups.
Encryption in TransitTLS 1.2 or higher for all data in transit. Certificate pinning for critical internal services.
Access ControlRole-based access control (RBAC) with principle of least privilege. Multi-factor authentication (MFA) required for all administrative access.
Network SecurityVirtual private cloud (VPC) isolation, network segmentation, Web Application Firewall (WAF), DDoS protection, and intrusion detection/prevention systems (IDS/IPS).
Audit LoggingImmutable, tamper-evident audit logs for all access to Personal Data and administrative actions. Logs retained for a minimum of 2 years.
Vulnerability ManagementAutomated vulnerability scanning (weekly), annual third-party penetration testing, and a responsible disclosure/bug bounty program.
Data IsolationLogical separation of Customer data through tenant isolation at the application and database layers.
Backup and RecoveryAutomated daily backups with encryption, geo-redundant storage, and tested disaster recovery procedures. RTO: 4 hours. RPO: 1 hour.

Organizational Measures

MeasureDescription
Personnel SecurityBackground checks for all employees with access to Personal Data. Mandatory security awareness training upon onboarding and annually thereafter.
ConfidentialityAll employees and contractors bound by written confidentiality agreements.
Incident ResponseDocumented incident response plan with 24/7 on-call rotation, defined escalation procedures, and mandatory post-incident reviews.
Vendor ManagementSecurity assessment and due diligence for all Sub-processors prior to engagement. Ongoing monitoring of Sub-processor compliance.
Physical SecurityInfrastructure hosted on SOC 2 Type II and ISO 27001 certified Google Cloud Platform data centers with physical access controls, surveillance, and environmental protections.
Change ManagementFormal change management process with peer review, testing, and approval requirements for all changes to production systems.

Annex III: List of Sub-processors

Sub-processorProcessing ActivityLocationData Processed
Google Cloud PlatformCloud infrastructure and hostingUnited States, EUAll categories (encrypted)
StripePayment processingUnited StatesBilling data, payment methods
TelnyxTelephony and SMS servicesUnited States, EUPhone numbers, call/SMS data
ClerkAuthentication and identityUnited StatesAccount data, auth events
ResendEmail deliveryUnited StatesEmail addresses, email content
This list is current as of the Effective Date. Updated lists are maintained at https://useanima.sh/subprocessors.