Data Processing Agreement
Our standard GDPR DPA. EU SCCs are incorporated by reference and we sign without redlines for the vast majority of customers.
Effective: 2026-05-16 · v1.0
Between: itligt, operating the Solvgent platform ("Processor", "Solvgent"), and the Customer entity identified in the underlying Solvgent subscription, order form, or pilot agreement ("Controller", "Customer"). Each a "Party" and together the "Parties".
This Data Processing Agreement ("DPA") forms part of the Solvgent Terms of Service (the "Main Agreement") between the Parties and governs Solvgent's processing of personal data on behalf of the Customer in connection with the Solvgent service (the "Service"). If there is any conflict between this DPA and the Main Agreement with respect to the processing of personal data, this DPA controls.
1. Subject Matter and Roles
1.1 Subject Matter. This DPA sets out the rights and obligations of the Parties when Solvgent processes personal data on behalf of the Customer in the course of providing the Service.
1.2 Roles. The Customer is the controller of personal data submitted to the Service. Solvgent is the processor. For Solvgent's own collection of Customer account, billing, and usage data, Solvgent acts as an independent controller; this DPA does not apply to that processing.
1.3 Definitions. Capitalized terms not defined herein have the meaning given in the Main Agreement or in the GDPR, UK GDPR, or comparable laws (collectively, "Data Protection Laws").
2. Duration
This DPA is effective from the Effective Date and remains in force for as long as Solvgent processes personal data on behalf of the Customer. It is coterminous with the Main Agreement and terminates automatically upon termination of the Main Agreement, subject to the deletion and return obligations in Section 11.
3. Scope and Details of Processing
3.1 Subject Matter of Processing. Solvgent processes personal data to provide the Service to the Customer, including AI-assisted content generation, brand-brain learning within the Customer's tenant, scheduling and publishing to Third-Party Platforms, analytics rendering, and related operations.
3.2 Duration of Processing. For the term of the Main Agreement and, with respect to deletion or return of personal data, the period described in Section 11.
3.3 Nature and Purpose of Processing. Storage and hosting of Customer Content; AI inference (text/image/video generation) using sub-processed model providers; approval workflow, scheduling, and publishing; analytics aggregation; backup and disaster-recovery copies; security monitoring and abuse prevention.
3.4 Types of Personal Data. Names, usernames, handles, email addresses; brand voice samples that may incidentally contain personal data; audience metrics with platform identifiers; comments, replies, and inbox content where the Customer enables those integrations; photographs, videos, or audio uploaded for repurposing. The Customer determines what categories of personal data it submits. Solvgent does not represent the Service as suitable for processing health, biometric, or other special-category data.
3.5 Categories of Data Subjects. Customer's personnel and authorized users; Customer's end clients and their personnel (for agency-tier Customers); audience members and followers of brands managed via the Service; subjects depicted in Customer-uploaded media; authors of comments, replies, or DMs ingested via Third-Party Platform integrations.
4. Obligations of the Processor
4.1 Documented Instructions. Solvgent will process personal data only on documented instructions from the Customer. The Main Agreement, this DPA, Service configuration made by the Customer, and explicit support tickets constitute the Customer's documented instructions. If Solvgent believes an instruction violates Data Protection Laws, it will inform the Customer promptly.
4.2 Confidentiality. Solvgent ensures personnel authorized to process personal data are bound by appropriate written confidentiality obligations or are under a statutory duty of confidentiality.
4.3 Security Measures. Solvgent implements the technical and organizational measures in Annex II below, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.
4.4 Sub-processor Authorization. Customer grants Solvgent general written authorization to engage sub-processors. The current list is published at solvgent.com/legal/sub-processors. Solvgent will notify Customer at least 30 days in advance of any intended addition or replacement. Customer may object on reasonable data-protection grounds within 30 days. Solvgent imposes equivalent obligations on each sub-processor and remains fully liable for their performance.
4.5 Assistance with Data Subject Requests. Solvgent assists the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Articles 15–22 GDPR requests, routing requests to the Customer.
4.6 Assistance with Other Controller Obligations. Solvgent assists the Customer in compliance with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation).
4.7 Personal Data Breach Notification. Solvgent will notify the Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal data breach affecting Customer's personal data, with the information available at the time of notification.
4.8 Deletion and Return. See Section 11.
4.9 Audit Records. Solvgent makes available information necessary to demonstrate compliance with Article 28 GDPR and contributes to audits on the terms in Section 5.
5. Audits
5.1 Standard Reporting. Solvgent provides on request: a summary of its technical and organizational measures (Annex II); summary results of audits / penetration tests / certifications it has obtained (SOC 2 when available); responses to a customer security questionnaire of reasonable length (e.g., CAIQ-Lite).
5.2 On-site Audits. Where standard reporting is insufficient for a Customer's documented compliance need, the Customer may request an on-site or remote audit not more than once per twelve (12) months at Customer's expense, with at least 30 days' written notice, during business hours, subject to confidentiality. The auditor must not be a competitor of Solvgent.
6. International Data Transfers
6.1 Transfers Outside the EEA, UK, and Switzerland. Where Solvgent processes personal data outside the EEA, UK, or Switzerland, it does so under one or more of the following mechanisms:
- EU–US Data Privacy Framework, UK Extension, and Swiss–US DPF, where the recipient is DPF-certified;
- EU SCCs approved by Commission Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller-to-processor) for transfers from Customer to Solvgent, and Module 3 (processor-to-sub-processor) for transfers from Solvgent to its sub-processors;
- UK International Data Transfer Addendum to the EU SCCs for UK-origin transfers;
- Swiss-specific SCC modifications for Swiss-origin transfers.
6.2 Incorporation of SCCs. The EU SCCs are hereby incorporated by reference with the following selections:
- Clause 7 (Docking clause): applies
- Clause 9(a) (Sub-processors): Option 2 (general written authorization) with 30-day notice per Section 4.4
- Clause 11(a) (Independent dispute resolution): optional language not selected
- Clause 17 (Governing law): the law of Ireland
- Clause 18(b) (Competent jurisdiction): the courts of Ireland
- Annex I.A — Parties: Customer is data exporter, Solvgent is data importer
- Annex I.B — Description of Transfer: as set out in Section 3
- Annex I.C — Competent supervisory authority: the supervisory authority of the Member State in which the data exporter is established
- Annex II — Technical and Organizational Measures: as set out below
- Annex III — Sub-processors: solvgent.com/legal/sub-processors
6.3 Transfer Impact Assessment. Solvgent has performed a TIA and concluded that, taking into account the supplementary technical (encryption in transit and at rest, access controls), contractual (this DPA, SCCs), and organizational measures, personal data transferred to Solvgent and its US sub-processors benefits from an essentially equivalent level of protection. The TIA is available on request.
7. Liability and Indemnity
7.1 Allocation of Liability. Each Party's liability under this DPA is subject to the limitations and exclusions in the Main Agreement, except where such limitation is not permitted under Article 82 GDPR or other mandatory law.
7.2 Article 82 GDPR. Notwithstanding Section 7.1, where a data subject brings a claim under Article 82 GDPR against either Party, allocation of liability follows Article 82.
7.3 Indemnity. Each Party indemnifies the other against losses arising from regulatory fines or third-party claims to the extent caused by the indemnifying Party's breach of this DPA, subject to the procedural conditions in the Main Agreement.
8. Confidentiality of Personal Data
Solvgent treats all personal data processed on behalf of the Customer as Customer Confidential Information under the Main Agreement.
9. Order of Precedence
Highest to lowest: (a) the SCCs, where incorporated; (b) this DPA; (c) the Main Agreement; (d) any order form or pilot agreement; (e) the Documentation.
10. Governing Law
This DPA is governed by the laws of the State of Utah, USA, except that the SCCs are governed by the law of Ireland as specified in Section 6.2, and nothing in this DPA limits any mandatory protections afforded to data subjects under their applicable Data Protection Laws.
11. Deletion and Return of Personal Data
Upon termination of the Main Agreement or upon written request by the Customer:
- Solvgent makes available to the Customer for ninety (90) days the ability to export Customer Content via the in-app export tool or by API.
- Within 90 days of termination, Solvgent deletes or returns all personal data and deletes copies, except where retention is required by law.
- Backups containing residual copies are deleted in the 30-day backup-rotation cycle. Backup data is not actively accessed during that window.
- On Customer's written request, Solvgent provides written confirmation of deletion.
12. Notices and Contact
Solvgent (Processor): privacy [at] solvgent [dot] com. Customer (Controller): the primary contact in the Account.
13. Miscellaneous
13.1 Severability. If any provision is held unenforceable, the remaining provisions remain in effect.
13.2 Amendment. Material changes will be communicated by email at least 30 days in advance.
13.3 Counterparts. Clickwrap acceptance, signed counterparts, or DocuSign all have equal legal effect.
Annex I — Description of the Processing
I.A — List of Parties
Data exporter (Controller): the Customer entity identified in the Account / order form / pilot agreement. Data importer (Processor): itligt d/b/a Solvgent, based in West Jordan, Utah, USA. Contact: privacy [at] solvgent [dot] com.
I.B — Description of Transfer
- Categories of data subjects: as listed in Section 3.5.
- Categories of personal data: as listed in Section 3.4.
- Special categories: none required by Solvgent.
- Frequency: continuous, during the term of the Main Agreement.
- Nature: SaaS hosting, AI inference, scheduling and publishing, analytics, security monitoring.
- Purpose: to provide the Solvgent Service.
- Retention: as set out in Section 11.
I.C — Competent Supervisory Authority
The supervisory authority of the Member State in which the data exporter (Customer) is established. Solvgent's EU Article 27 Representative (when appointed) will be published at solvgent.com/legal/eu-representative.
Annex II — Technical and Organizational Measures
Solvgent maintains the following measures to protect personal data. Measures are kept up to date and may be improved provided that no change reduces the overall security level.
1. Access Control
- Role-based access control with least-privilege defaults.
- MFA required for all administrative and engineering access.
- SSO with hardware-key support available on higher tiers.
- Annual access reviews; prompt revocation on personnel changes.
2. Encryption
- TLS 1.2+ in transit.
- AES-256 at rest for the primary database, object storage, and backups.
- Secrets encrypted via envelope encryption with rotating master keys.
3. Network and Application Security
- WAF and DDoS protection at the edge.
- Rate limiting and bot mitigation on public endpoints.
- Dependency vulnerability scanning in CI/CD; critical findings remediated within 7 days.
- Periodic third-party penetration tests (annual once production warrants).
4. Logical Tenant Isolation
- Multi-tenant data separated by tenant ID at the database row-level security layer and at the application layer.
- AI inference contexts scoped per tenant; no cross-tenant prompt or training data leakage.
5. Sub-processor Management
- All sub-processors reviewed for security and privacy before onboarding.
- Equivalent contractual obligations imposed.
- Changes logged and notified per Section 4.4.
6. Personnel Security
- Background checks where legally permissible.
- Confidentiality obligations in employment and contractor agreements.
- Annual security and privacy awareness training.
7. Operational Security
- Production access via bastion + audited session recording.
- Configuration as code with peer-reviewed pull requests.
- Immutable infrastructure where feasible.
- Centralized log aggregation.
8. Logging, Monitoring, and Incident Response
- Audit logging for sensitive operations.
- 24/7 alerting on critical security and availability signals.
- Documented incident response plan with 72-hour breach notification commitment.
- Post-incident reviews with root-cause analysis.
9. Business Continuity and Disaster Recovery
- Encrypted daily backups with 30-day rolling retention.
- Backup restoration tested at least quarterly.
- RPO: 24 hours; RTO: 24 hours.
10. Physical Security
Solvgent does not operate its own physical infrastructure. Hosting is provided by sub-processors (see sub-processor list) that maintain ISO 27001 or equivalent certifications.
11. Data Minimization and Retention
- Default retention periods as in the Privacy Policy.
- Customer-controlled deletion via in-app tools.
- Backup data deleted in normal 30-day rotation post-termination.
12. Pseudonymization and Anonymization
- PII scrubbing in error reports where feasible.
- Anonymized aggregates for product analytics (PostHog EU instance).
Annex III — List of Sub-processors
Maintained and updated at solvgent.com/legal/sub-processors. The current list as of the Effective Date is included by reference and is identical to the version at that URL on that date.
Acknowledged and accepted by the Customer through acceptance of the Solvgent Terms of Service or signature of an order form referring to this DPA.