Data Processing Agreement

Version 1.6 · Last updated 2026-06-05
Between TUARA KURI LIMITED (Processor) and Customer (Controller).
Effective: upon execution of a paid AgenticRail subscription.

1. Definitions

"Controller" means the Customer — the entity that determines the purposes and means of processing personal data through the AgenticRail service.

"Processor" means TUARA KURI LIMITED, a New Zealand registered company (NZBN: 9429052428098) trading as AgenticRail, 431 Omanaia Road, RD 3, Kaikohe 0473, New Zealand.

"Subprocessor" means any third party engaged by the Processor to process personal data on behalf of the Controller. Current subprocessors are listed in Section 8.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

"Service" means the AgenticRail API (sequence enforcement, receipt generation, compliance reporting).

"GDPR" means Regulation (EU) 2016/679.

2. Scope and Purpose of Processing

The Processor processes personal data solely for the purpose of providing the Service:

Receiving API requests at the Wrapper endpoint
Authenticating API keys against the Processor's database
Evaluating enforcement decisions via the Core Worker + Durable Object
Writing cryptographic receipts to R2 immutable storage
Generating compliance reports on request

The Controller determines what data is sent in API request payloads. The Processor does not inspect, retain, or use payload data beyond what is necessary for enforcement evaluation.

3. Duration

This DPA is effective for the duration of the Controller's paid AgenticRail subscription. Upon termination, at the Controller's choice, the Processor will delete or return all personal data within 90 days and delete existing copies, unless retention is required by applicable law, in accordance with the retention schedule in Section 7. The Controller may exercise this choice by written notice to hello@agenticrail.nz prior to or at termination; absent such notice, the Processor will delete the personal data.

4. Processor Obligations

The Processor shall:

Process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do otherwise by applicable law (in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such notice)
Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable data protection law
Ensure persons authorised to process personal data are committed to confidentiality
Implement appropriate technical and organisational measures as described in Section 6
Assist the Controller in fulfilling data subject requests (access, rectification, erasure) where possible
Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, including conducting data protection impact assessments and prior consultation with a supervisory authority where relevant
Notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a personal data breach
Make available to the Controller all information necessary to demonstrate compliance

5. Controller Obligations

The Controller shall:

Ensure a lawful basis exists for processing personal data through the Service
Not include special categories of personal data in API request payloads unless a specific derogation applies
Provide necessary notices to data subjects regarding the processing
Ensure API keys are stored securely and not exposed in client-side code or public repositories

6. Technical and Organisational Measures

The Processor implements the following measures:

Measure	Implementation
Encryption in transit	TLS 1.3 for all API endpoints
Access control	Bearer token authentication per API key. Timing-safe comparison on all credential checks.
Infrastructure isolation	Enforcement core is air-gapped (no public URL). Accessible only via authenticated service bindings between Cloudflare Workers.
Audit trail	HMAC-signed cryptographic receipts on every enforcement decision. Immutable R2 storage.
Availability	Deployed on Cloudflare's global network (330+ data centers). Durable Objects provide consistent state.
Incident response	Personal data breaches notified to the Controller without undue delay and within 48 hours of detection (Section 4).

7. Data Retention and Deletion

Data	Retention	Automatic Deletion
API request payloads	Duration of enforcement evaluation only (not persisted)	N/A — not stored
Enforcement receipts	Per plan: Free 7 days, Growth 30 days, Scale 1 year, Enterprise multi-year	R2 lifecycle policy
API keys (hashed)	Duration of subscription + 30 days	D1 record deletion
Usage logs	90 days	Wrapper cron job (daily)
Client account data	Duration of subscription + 30 days	D1 record deletion

The 90-day deletion commitment in Section 3 applies to personal data. Enforcement receipts retained beyond that period (per plan) contain only enforcement metadata — cryptographic hashes, nonces, step labels, decision codes, and timestamps — and do not contain personal data from Controller payloads, which are never persisted. Where a Controller's chosen identifiers (for example, a sequence_id) could themselves constitute personal data, the Controller is responsible for avoiding the inclusion of personal data in such identifiers.

8. Subprocessors

Subprocessor	Service	Location	Processing
Cloudflare, Inc.	Workers, Durable Objects, R2, KV, D1	Global (data processed at edge)	Hosts the Service infrastructure. All enforcement execution, receipt storage, and API authentication.
AI Provider — current: Google (Gemini API)	Compliance narrative generation	API endpoint (regional, per provider)	Generates AI compliance narratives for reports. Receives only enforcement summary statistics (no personal data from payloads, no receipt content). The AI Provider operates exclusively in the report worker; it has no role in enforcement decisions and never receives customer agent payloads.
Stripe, Inc.	Payment processing	Global	Processes subscription payments. Receives customer email and payment details.
Resend, Inc.	Transactional email	Global	Delivers API key welcome emails. Receives customer email address only.

AI Provider category. The "AI Provider" is treated as a category, not a fixed vendor. The current provider is Google (Gemini API). Previous providers used by the Processor have included DeepSeek and Anthropic (Claude). The Processor may change the AI Provider with at least 14 days' notice under the standard subprocessor change process below. Enterprise Controllers may specify an alternative AI Provider (or opt out of AI-generated narratives entirely) under their enterprise contract.

The Processor will notify the Controller of any intended changes to subprocessors at least 14 days in advance. The Controller may object on reasonable data protection grounds. The current authoritative subprocessor list is the version of this DPA in force at the time of any given enforcement decision; the document fingerprint at the bottom of this page identifies that version cryptographically.

Subprocessor obligations and liability. The Processor shall impose, by written contract, data protection obligations on each subprocessor that are no less protective than those set out in this DPA, in particular the obligation to implement appropriate technical and organisational measures meeting the requirements of the GDPR. Where a subprocessor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of that subprocessor's obligations.

9. International Data Transfers

The Processor is established in New Zealand, which has been recognised by the European Commission as providing an adequate level of data protection (Adequacy Decision, 2012, reaffirmed 2024). Cloudflare processes data at the edge — the data center closest to the Controller's users. For EU-based Controllers, data is processed within the EU where possible. Where data is transferred internationally, it is protected under Cloudflare's Data Processing Addendum, which incorporates the EU Standard Contractual Clauses (SCCs) where applicable.

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA by:

Requesting the Processor's most recent security documentation
Verifying enforcement receipts independently through the public verification portal at report.agenticrail.nz
Requesting a remote audit (no more than once per 12-month period, at the Controller's expense)

The Processor will provide reasonable cooperation for any audit required under Article 28(3)(h) of the GDPR.

11. Governing Law

This DPA is governed by the laws of New Zealand. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of New Zealand.

12. Execution

This DPA is incorporated into the AgenticRail Terms of Service and takes effect upon the Controller's first paid API call to the Service. No separate signature is required.

TUARA KURI LIMITED — trading as AgenticRail

431 Omanaia Road, RD 3, Kaikohe 0473, New Zealand · NZBN 9429052428098

hello@agenticrail.nz

Incorporated by reference into the AgenticRail Terms of Service (v1.5) and API Terms of Use (v2.5). Read alongside the Privacy Policy (v2.4).

Document Fingerprint — SHA-256 — v1.6

58dfb2117b818d272af3645a9b3359e59ef4967231725b355562cc60467593b3

Reproducible independently using any SHA-256 implementation over the pipe-delimited canonical string below.

Canonical string (UTF-8, no trailing newline):

Data Processing Agreement|1.6|2026-06-05|TUARA KURI LIMITED|GDPR|Cloudflare,Google Gemini,Stripe,Resend|7days/30days/1year/multiyear|HMAC-SHA256|k1_2026-02-22_01|NZBN 9429052428098|New Zealand|automatic on first paid API call|AgenticRail Terms of Service v1.5

Version: 1.6 · Effective date: 2026-06-05 · Operator: TUARA KURI LIMITED · NZBN 9429052428098