Data Processing Addendum
Last Updated: April 16, 2026 | Effective Date: April 16, 2026
This Data Processing Addendum (“DPA”) forms part of and is incorporated by reference into the Service Agreement, Terms of Service, and any Order Form (collectively, the “Agreement”) between Agentic Tax Solutions LLC (“AgentTax,” “we,” “us,” or “Processor”), a Delaware limited liability company, and the customer entity that has executed the Agreement (“Customer” or “Controller”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data by AgentTax on behalf of Customer in connection with AgentTax’s provision of the Service.
Where Customer is established in the European Economic Area, the United Kingdom, or Switzerland, or where the Processing of Personal Data is otherwise subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK Data Protection Act 2018, or the Swiss Federal Act on Data Protection, this DPA is intended to comply with the requirements of Article 28 of the GDPR and analogous provisions under applicable data protection law.
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the Privacy Policy with respect to the Processing of Personal Data on behalf of Customer, this DPA controls.
1. Definitions
For the purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. Where a term below is drawn from Article 4 of the GDPR, the GDPR definition controls.
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Art. 4(1)).
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR Art. 4(2)).
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (GDPR Art. 4(7)). For purposes of this DPA, Customer is the Controller.
- “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller (GDPR Art. 4(8)). For purposes of this DPA, AgentTax is the Processor.
- “Sub-processor” means any third party engaged by AgentTax to Process Personal Data on behalf of Customer.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (GDPR Art. 4(12)).
- “Applicable Data Protection Law” means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other applicable state, federal, or foreign privacy laws.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or superseded.
- “Service” means the AgentTax platform, API, SDKs, and related services as described in the Agreement.
2. Scope, Roles, and Duration
2.1 Scope
AgentTax Processes Personal Data on behalf of Customer only as described in the Agreement, this DPA, and documented instructions from Customer. The subject matter of the Processing is AgentTax’s provision of the Service to Customer.
2.2 Roles of the Parties
With respect to Personal Data Processed under this DPA, the parties acknowledge that Customer acts as the Controller and AgentTax acts as the Processor. Where Customer itself acts as a processor of Personal Data on behalf of a third-party controller, AgentTax shall act as a sub-processor and the obligations of this DPA shall apply accordingly.
2.3 Duration
This DPA shall remain in effect for so long as AgentTax Processes Personal Data on behalf of Customer in connection with the Service, plus the retention period described in Section 10 below (which aligns with the seven (7) year retention period set out in the Privacy Policy and applicable tax record-keeping requirements).
2.4 Nature and Purpose of Processing
The nature and purpose of the Processing is to provide the Service to Customer, which consists of calculating sales tax, use tax, and withholding obligations; tracking capital gains and producing structured data formatted to match Form 1099-DA fields; monitoring economic nexus thresholds; maintaining audit trails; and related compliance and reporting functions, in each case on transaction data submitted by Customer or by Customer’s end users or agent systems through the Service.
2.5 Categories of Data Subjects
Personal Data Processed under this DPA may relate to the following categories of Data Subjects: (a) Customer’s personnel, administrators, and authorized users of the Service; (b) Customer’s end users, including natural persons identified in transactions submitted through the Service; (c) operators, developers, and administrators of AI agent systems integrated with the Service; and (d) such other Data Subjects as Customer may submit to the Service from time to time.
2.6 Categories of Personal Data
Personal Data Processed under this DPA may include the following categories:
- Email addresses and account credentials of Customer’s personnel and end users;
- Entity identifiers, organization names, and role information submitted by Customer;
- Transaction metadata submitted through the Service, including transaction amounts, jurisdictions, asset details, trade information, withholding parameters, and agent identifiers;
- Technical and usage data, including API call counts, request timestamps, endpoint usage patterns, error logs, and request metadata (including IP addresses and user agents);
- Payment metadata (limited to data received from Stripe, such as last-four digits of payment method and billing address, for record-keeping and support);
- Employer Identification Numbers (EINs) where Customer voluntarily provides them for nexus registration or 1099-DA reporting purposes; and
- Content of communications with AgentTax’s support channels.
AgentTax does not knowingly Process special categories of Personal Data (GDPR Art. 9) or sensitive personal information (as defined by the CCPA/CPRA) through the Service, and Customer shall not knowingly submit such data to the Service except as expressly permitted by the Agreement.
3. Controller Instructions
AgentTax shall Process Personal Data only on documented instructions from Customer (including with regard to transfers of Personal Data to a third country or an international organisation), unless required to do so by applicable law to which AgentTax is subject. In such a case, AgentTax shall inform Customer of that legal requirement before Processing, unless the applicable law prohibits such notice on important grounds of public interest.
The Agreement (including the Service’s documentation, configuration options exercised by Customer, and this DPA) constitutes Customer’s complete and final instructions to AgentTax regarding the Processing of Personal Data. Additional instructions outside the scope of the Agreement require prior written agreement between the parties and may be subject to additional fees.
If AgentTax, acting reasonably, is of the opinion that an instruction from Customer infringes Applicable Data Protection Law, AgentTax shall inform Customer thereof in writing and may suspend execution of the relevant Processing until the instruction has been confirmed or modified.
4. Confidentiality of Processing
AgentTax shall ensure that any person authorized to Process the Personal Data (including AgentTax employees, contractors, and Sub-processors) is bound by written or statutory obligations of confidentiality with respect to the Personal Data and has received appropriate training on their data protection responsibilities. AgentTax shall limit access to Personal Data to those personnel who reasonably require such access to perform their duties under the Agreement.
5. Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AgentTax shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (GDPR Art. 32). These measures include, without limitation:
- Encryption of Personal Data in transit using TLS 1.2 or higher for all API communications and web traffic;
- Encryption at rest of sensitive identifiers, including AES-256-GCM encryption of Employer Identification Numbers with keys managed in the hosting platform’s secrets store separate from the database (see the Security page for details);
- Password hashing using argon2id or an equivalent modern, memory-hard key-derivation function, together with constant-time comparison of authentication tokens;
- API key hashing prior to storage using SHA-256 such that raw keys cannot be reconstructed from the database;
- Rate limiting, burst throttling, and account lockout after repeated authentication failures;
- Role-based access controls and principle-of-least-privilege access provisioning;
- Routine vulnerability scanning, dependency monitoring, and secure software development practices;
- Logging and monitoring of administrative and production-system access, with alerting on anomalous patterns; and
- Regular review and testing of the effectiveness of technical and organizational measures.
Customer acknowledges that the security measures are subject to technical progress and development and that AgentTax may update or modify security measures from time to time, provided that such updates and modifications do not result in a material degradation of the overall security of the Service.
6. Sub-processors
6.1 General Authorization
Customer grants AgentTax a general authorization to engage Sub-processors to Process Personal Data on Customer’s behalf, subject to the requirements of this Section 6 and Applicable Data Protection Law.
6.2 Current Sub-processors
The current list of Sub-processors is maintained in Section 3.1 of the Privacy Policy and includes, as of the Last Updated date of this DPA:
| Sub-processor | Purpose |
|---|---|
| Vercel Inc. | Application hosting and edge delivery |
| Neon, Inc. | Managed PostgreSQL database hosting |
| Stripe, Inc. | Payment processing |
| Resend | Transactional email delivery |
| Upstash, Inc. | Rate limiting and ephemeral caching (Redis) |
| Anthropic, PBC | LLM inference for advisory features (where enabled) |
| Coinbase Developer Platform | x402 USDC payment facilitation on Base |
| Avalara, Inc. (optional) | Tax rate provider fallback |
| TaxJar (optional) | Tax rate provider fallback |
6.3 Notice of Changes; Objection
AgentTax shall provide Customer with at least thirty (30) days’ prior notice before adding or replacing a Sub-processor that will Process Customer’s Personal Data, by updating the sub-processor list in the Privacy Policy and, where the Customer has subscribed to sub-processor notifications, by email. Customer may object to the addition of a new Sub-processor on reasonable grounds relating to data protection by providing written notice to legal@agenttax.io within the notice period. Where the parties are unable to resolve the objection, either party may terminate the affected portion of the Service on written notice, and Customer’s sole remedy shall be the pro-rata refund of any prepaid fees for unused Service.
6.4 Sub-processor Obligations
AgentTax shall impose on each Sub-processor data protection obligations that are, in substance, no less protective than those set out in this DPA, including obligations regarding confidentiality, security of Processing, and assistance with Data Subject requests. AgentTax remains fully liable to Customer for the performance of each Sub-processor’s obligations.
7. Data Subject Requests
Taking into account the nature of the Processing, AgentTax shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR or analogous rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction of Processing, data portability, and objection).
If AgentTax receives a request directly from a Data Subject relating to Personal Data Processed on behalf of Customer, AgentTax shall, without undue delay and in any event within five (5) business days, forward the request to Customer and shall not respond to the Data Subject directly, except as required by Applicable Data Protection Law or to confirm that the request has been received and forwarded. AgentTax shall respond to Customer’s verified requests for assistance within thirty (30) days, or such shorter period as is required by Applicable Data Protection Law.
8. Personal Data Breach Notification
AgentTax shall notify Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. Such notice shall, to the extent reasonably available, include: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; (c) the measures taken or proposed to be taken by AgentTax to address the Personal Data Breach and, where appropriate, to mitigate its possible adverse effects; and (d) the name and contact details of a point of contact from whom more information can be obtained.
Where (and insofar as) it is not possible to provide all such information at the same time, the information may be provided in phases without undue further delay. AgentTax’s notification of a Personal Data Breach is not, and shall not be construed as, an acknowledgement by AgentTax of any fault or liability with respect to the Personal Data Breach.
AgentTax shall maintain a record of all Personal Data Breaches affecting Customer’s Personal Data, including the facts relating to the Personal Data Breach, its effects, and the remedial action taken, and shall make such records available to Customer on reasonable request.
9. Data Protection Impact Assessments; Prior Consultation
Taking into account the nature of the Processing and the information available to AgentTax, AgentTax shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Applicable Data Protection Law.
10. Return or Deletion of Personal Data
Upon termination or expiration of the Agreement, AgentTax shall, at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data (GDPR Art. 28(3)(g)).
Customer acknowledges that AgentTax is required to retain certain transaction records and related Personal Data for a minimum of seven (7) years to comply with applicable tax record-keeping requirements, including IRS requirements. During such retention period, AgentTax shall continue to apply the security measures set out in this DPA to such retained Personal Data and shall not Process such Personal Data for any purpose other than compliance with applicable law or the defense of legal claims.
Customer may request deletion or export of Personal Data at any time during the term of the Agreement by contacting privacy@agenttax.io, subject to AgentTax’s retention obligations and the limitations of the Service.
11. International Transfers
The Service is hosted in the United States and Personal Data processed under this DPA may be transferred to, and stored or Processed in, the United States and other jurisdictions where AgentTax or its Sub-processors operate.
Where the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to AgentTax or a Sub-processor located in a third country is subject to the GDPR or analogous law, the parties agree that such transfer shall be governed by the Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable), which are incorporated by reference into this DPA. Where the UK International Data Transfer Addendum or the Swiss Federal Data Protection and Information Commissioner’s requirements apply, the parties shall implement the applicable addendum or adaptation.
For purposes of the SCCs: (a) Module Two applies when Customer is a controller and AgentTax is a processor; (b) Module Three applies when Customer is itself a processor and AgentTax is a sub-processor; (c) Clause 7 (docking clause) is incorporated; (d) for Clause 9, Option 2 (general written authorization) applies, with the time period specified in Section 6.3 of this DPA; (e) for Clause 11, the optional language regarding independent dispute resolution bodies is not incorporated; (f) for Clause 17, the governing law is Ireland; (g) for Clause 18, the competent courts are those of Ireland; (h) for Annex I, the information set out in Sections 2.4, 2.5, 2.6, and 6.2 of this DPA applies; and (i) for Annex II, the information set out in Section 5 of this DPA applies.
12. Audit Rights
AgentTax shall make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the GDPR and this DPA. AgentTax will satisfy this obligation primarily by providing, on reasonable request, copies of (a) the most recent third-party security certifications or audit reports applicable to the Service (such as SOC 2 reports when available), and (b) responses to reasonable written questionnaires.
Customer may, no more than once per calendar year (except where required by a supervisory authority or following a confirmed Personal Data Breach), conduct an on-site audit of AgentTax’s data protection practices relevant to the Processing of Customer’s Personal Data, provided that Customer gives AgentTax at least thirty (30) days’ prior written notice; conducts the audit during normal business hours and in a manner that does not unreasonably disrupt AgentTax’s business; limits the audit to information reasonably necessary to demonstrate compliance with this DPA; and bears its own costs and expenses. Customer shall provide AgentTax with a copy of any audit report, which shall be treated as AgentTax’s Confidential Information under the Agreement.
Nothing in this Section 12 shall require AgentTax to disclose information that would compromise the security of the Service, other customers’ data, or AgentTax’s obligations of confidentiality to third parties.
13. Liability
Each party’s liability arising out of or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement, including without limitation the aggregate liability cap set forth in Section 10.2 of the Terms of Service. Any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA taken together.
Nothing in this DPA limits or excludes either party’s liability to the extent that such limitation or exclusion is prohibited by Applicable Data Protection Law.
14. General
This DPA shall be governed by the law specified in the Agreement (Delaware), except where Applicable Data Protection Law requires a different governing law. The parties agree that this DPA satisfies the requirement for a written contract under Article 28(3) of the GDPR.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. This DPA may only be amended by a writing signed by both parties, except that AgentTax may update this DPA from time to time to comply with Applicable Data Protection Law, provided that such updates do not materially reduce the level of protection afforded to Customer’s Personal Data.
15. Contact
Questions or requests relating to this DPA should be directed to:
Agentic Tax Solutions LLC
Legal: legal@agenttax.io
Privacy: privacy@agenttax.io
Security: security@agenttax.io
Website: agenttax.io