Last Updated: May 20, 2026

This Data Processing Agreement (“DPA”) forms part of the contract between Sofily Software (“Processor”) and the Managed service client (“Controller”). It applies exclusively to the Managed service package and governs the processing of personal data carried out by Sofily Software on behalf of the Controller in connection with running the AI agent.

This DPA is entered into automatically upon purchase of the Managed service and does not require a separate signature. It is governed by EU Regulation 2016/679 (GDPR), Article 28.

1. Roles

Controller: The Managed service client — the person or business that instructs the AI agent and whose data is being processed.
Processor: Sofily Software (Varga Martin Zsolt, Hermann-Köhl-Str. 4, 89340 Leipheim, Germany) — who operates the server and processes the data on the Controller’s behalf.

2. Subject Matter and Duration

The Processor operates an AI agent on a dedicated server provisioned exclusively for the Controller’s account — no data is shared with or accessible to other clients. The agent processes data received through the Controller’s connected tools (e.g. Gmail, WordPress, Shopify) and via the Discord interface, solely for the purpose of executing tasks as instructed by the Controller.

Processing begins when the Managed service is activated and continues until the service is cancelled. Upon cancellation, all data is deleted from the Processor’s server within 30 days.

3. Nature and Purpose of Processing

The Processor processes personal data solely to operate and maintain the AI agent as instructed by the Controller. This includes:

— Receiving and processing task instructions sent via Discord.
— Accessing connected accounts (Gmail, WordPress, Shopify, etc.) to carry out tasks.
— Passing task content to the Claude AI model (operated by Anthropic) for processing.
— Returning results to the Controller via Discord.
— Storing conversation context on the server to maintain continuity between sessions.

The Processor does not use the Controller’s data for any other purpose, including marketing, analytics, or model training.

4. Types of Personal Data Processed

The categories of personal data processed depend on the tools connected and tasks assigned by the Controller. They may include:

— Email content and contact details (if Gmail is connected).
— Customer data, order information, and product details (if Shopify or WooCommerce is connected).
— Website content and visitor data (if WordPress is connected).
— Social media content and audience data (if Pinterest, Facebook, or Instagram is connected).
— Any other personal data contained in task instructions or tool outputs.

5. Categories of Data Subjects

Data subjects may include the Controller themselves, the Controller’s customers, subscribers, email contacts, or any other individuals whose data is contained in the connected tools or task instructions.

6. Obligations of the Processor

The Processor shall:

— Process personal data only on documented instructions from the Controller.
— Ensure that persons authorised to process the data are bound by confidentiality.
— Implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction.
— Not engage any new sub-processor without informing the Controller in advance.
— Assist the Controller in fulfilling obligations to data subjects (access requests, deletion, etc.) to the extent reasonably possible.
— Delete all personal data from the server within 30 days of service termination.
— Provide the Controller with all information necessary to demonstrate compliance with this DPA upon reasonable request.

7. Sub-processors

The Processor uses the following sub-processors to deliver the Managed service:

Anthropic (USA) — Claude AI model. Task content is processed via the Controller’s own Claude subscription (Claude Pro or Max). Anthropic’s data use is governed by their own terms and privacy policy.
Hetzner (Germany/EU) — Server hosting. Each client’s dedicated server is hosted by Hetzner Online GmbH, based in Germany. Data center locations are within the EU (Germany/Finland). Hetzner is GDPR-compliant and provides a Data Processing Agreement.
Discord (USA) — Communication interface. Task instructions and results pass through Discord’s platform.

Data transfers to sub-processors located outside the EU are governed by Standard Contractual Clauses or equivalent safeguards.

8. Security Measures

The Processor applies the following technical and organisational measures:

— Access to the server is restricted and protected by SSH key authentication.
— API keys and credentials are stored in encrypted environment files, not in plain text logs.
— The server is kept up to date with security patches.
— Access logs are monitored and retained for a limited period for security purposes.

9. Controller Obligations

The Controller is responsible for ensuring they have a lawful basis for any personal data they instruct the agent to process. The Controller must not instruct the agent to process special categories of personal data (Article 9 GDPR) without appropriate safeguards in place.

10. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany and the applicable provisions of the GDPR.

11. Contact

For questions about this DPA or data processing, contact us at contact@sofilysoftware.com.
