Data Processing Agreement

This DPA describes how Postcept processes personal data on your behalf. It forms part of our Terms of Service and applies whenever Postcept processes personal data you control. A countersigned copy is available on request.

Last updated: June 27, 2026

1. Roles and scope

For personal data processed through the Services, you are the controller and Postcept is the processor (as those terms are defined under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data-protection law). Postcept processes personal data only to provide and support the Services, and only on your documented instructions, which include your configuration of the product and this Agreement. Postcept will tell you if, in its opinion, an instruction infringes applicable data-protection law.

2. Details of the processing (Annex I)

Subject matter and duration: verification of AI-agent actions against your systems of record, for the term of the Agreement and until deletion or return of the data as set out below.

Nature and purpose: providing Proof-of-Completion, checking claimed actions against systems of record, classifying the result, and issuing signed receipts.

Types of personal data: account and contact details of your users (name, email); and the operational data you submit or that a verification reads from a connected system of record (for example, a customer identifier, email, or amount tied to a refund or ticket). Postcept does not require special-category data and asks that you not send it.

Categories of data subjects: your personnel and authorized users, and your own customers whose records are involved in a verified action.

3. Postcept's obligations

As your processor, Postcept will:

  • process personal data only on your documented instructions;
  • ensure that personnel authorized to process the data are bound by confidentiality;
  • implement and maintain the technical and organizational measures in Annex II (section 7);
  • respect the conditions for engaging sub-processors in section 4;
  • taking into account the nature of the processing, assist you by appropriate measures in responding to requests from data subjects exercising their rights;
  • assist you in ensuring compliance with your security, breach-notification, and data-protection-impact-assessment obligations, taking into account the information available to Postcept;
  • at your choice, delete or return all personal data at the end of the Services, and delete existing copies unless storage is required by law (see section 9);
  • make available the information necessary to demonstrate compliance with these obligations and allow for and contribute to audits as described in section 10.

4. Sub-processors

You give Postcept general authorization to engage the sub-processors listed at postcept.com/subprocessors. Postcept imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. Postcept updates the sub-processor page and gives at least 30 days’ notice before a new sub-processor starts processing personal data, during which you may object on reasonable data-protection grounds.

5. International transfers

Where Postcept transfers personal data outside the European Economic Area or the United Kingdom, it does so under an approved transfer mechanism, the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), which are incorporated into this DPA by reference, or under another lawful mechanism such as an adequacy decision.

6. Security

Postcept is built to verify, not to execute, and processes data with the least access possible. Connections to your systems of record are read-only and scoped; credentials are encrypted at rest and revocable; data is encrypted in transit (TLS 1.2+) and at rest; and every verification result is a signed, tamper-evident receipt. Our current measures are described at postcept.com/security and form Annex II to this DPA.

7. Personal data breaches

Postcept notifies you without undue delay after becoming aware of a personal-data breach affecting personal data it processes for you, and provides the information reasonably available to help you meet your own notification obligations.

8. Data-subject requests

If Postcept receives a request from one of your data subjects, it will not respond directly (except to confirm the request relates to you) and will, taking into account the nature of the processing, assist you in responding.

9. Return and deletion

On termination of the Services, or earlier at your written request, Postcept deletes or returns the personal data it processes for you and deletes existing copies within 30 days, unless applicable law requires continued storage.

10. Audits

Postcept makes available the information necessary to demonstrate compliance with this DPA, through its documentation, security page, and reasonable responses to security questionnaires, and allows for audits on reasonable prior notice, no more than once a year (or following a personal-data breach), subject to confidentiality and to not compromising other customers’ data.

11. General

This DPA is part of, and subject to, the Terms of Service, including its limitations of liability. If there is a conflict between this DPA and the Terms on the processing of personal data, this DPA controls. It remains in effect for as long as Postcept processes personal data on your behalf. To request a countersigned copy, contact security@postcept.com.
