Nagent AI

Data Processing Agreement

Version 1.0

Last Updated: July 13, 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the agreement between PWIN Technologies Private Limited, the company behind Nagent AI ("Nagent", "we", "us"), with its registered office at 67/A, Sarala Nagar, Laxmi Sagar, Bhubaneswar, Odisha, India, and the customer ("Customer") for the use of the Nagent AI platform and related services (the "Service").

This DPA reflects the parties' agreement on the processing of personal data in accordance with the requirements of applicable data protection law, including the EU General Data Protection Regulation ("GDPR") and India's Digital Personal Data Protection Act, 2023 ("DPDP Act").

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed in connection with the Service.
  • "Controller", "Processor", "Data Subject", "Processing" and "Supervisory Authority" have the meanings given in the GDPR.
  • "Sub-processor" means any third party engaged by Nagent to process Personal Data on behalf of the Customer.

3. Roles of the Parties

For Personal Data the Customer submits to the platform (for example lead records, contact details, and workspace content), the Customer is the Controller and Nagent acts as a Processor, processing such data only on the Customer's documented instructions.

For Personal Data collected directly from visitors to nagent.ai (for example demo bookings and analytics, where consented), Nagent acts as the Controller, as described in our Privacy Policy.

4. Details of Processing

  • Subject matter: provision of the Nagent AI agentic platform and related support.
  • Duration: the term of the underlying agreement, plus the deletion grace period described in Section 12.
  • Nature and purpose: hosting, storage, AI-driven workflow execution, analytics, communication, and support.
  • Categories of data: identity and contact data (name, email, phone, employer), behavioural and usage data, and content the Customer submits to the Service.
  • Categories of data subjects:the Customer's users, leads, prospects, and business contacts.

We do not process financial account data, government-issued identifiers, biometric data, or special-category data as part of the Service.

5. Sub-processors

The Customer authorises Nagent to engage the following Sub-processors. Nagent will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for their performance.

  • MongoDB Atlas — primary application datastore (encrypted at rest and in transit).
  • Google Cloud Platform — application hosting (Cloud Run) and logging.
  • Resend — transactional and marketing email delivery.
  • Anthropic — AI model provider used for agentic workflows.
  • OpenAI — AI model provider used for agentic workflows.
  • Cloudinary — image and media hosting.
  • Storyblok — headless content management.
  • Cal.com (cal.id) — demo and meeting scheduling.
  • Google Analytics — website analytics (loaded only with visitor consent).
  • Meta Platforms — advertising measurement (loaded only with visitor consent).

Nagent will provide notice of any intended addition or replacement of Sub-processors, giving the Customer the opportunity to object on reasonable data protection grounds.

6. Security Measures

Nagent implements appropriate technical and organisational measures, including: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control with least-privilege permissions across all administrative surfaces, tenant-level data isolation enforced at the database query layer, multi-factor authentication support, immutable audit logging of administrative actions with a 365-day retention, and automatic time-bound expiry of operational logs.

7. Data Subject Rights and Assistance

Taking into account the nature of the processing, Nagent will assist the Customer in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). The platform provides data export and cascading deletion capabilities to support these requests. Requests received directly by Nagent that concern the Customer's data will be forwarded to the Customer without undue delay.

8. International Transfers

Personal Data may be processed in the regions where Nagent and its Sub-processors operate infrastructure. Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, as implemented in the relevant Sub-processor agreements.

9. Personal Data Breach Notification

Nagent will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting the Customer's Personal Data, and will provide information reasonably required to allow the Customer to meet its own notification obligations, including the nature of the breach, likely consequences, and measures taken or proposed.

10. Audit Rights

Nagent will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice, confidentiality obligations, and no more than once per year unless required by a Supervisory Authority.

11. Documented Instructions

Nagent processes Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law — in which case Nagent will inform the Customer of that legal requirement before processing, unless the law prohibits such disclosure.

12. Return and Deletion of Data

Upon termination of the Service, the Customer may export its data using the platform's export tooling. Following a 30-day grace period after account deletion, Nagent performs a cascading purge of the Customer's Personal Data across all platform datastores, unless retention is required by applicable law.

13. Liability and Term

This DPA takes effect on the date the Customer accepts the Terms and Conditions and remains in force for as long as Nagent processes Personal Data on behalf of the Customer. Liability under this DPA is subject to the limitations of liability set out in the underlying agreement.

14. Contact

For questions about this DPA or our data protection practices:
Data Protection Officer: Chinmoy Nanda
Email: support@nagent.ai