Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement (the “DPA”) forms part of the subscription agreement between the Customer and Driven Success LLC, a Delaware limited liability company doing business as OpenClaw Direct (“Processor”, “we”, “us”), and applies whenever the Customer (“Controller”) processes personal data through the Service that is subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP) supervised by the FDPIC, or analogous U.S. state privacy laws including the California Consumer Privacy Act as amended by the CPRA, and the comprehensive privacy statutes of Colorado, Connecticut, Delaware, Maryland, Montana, New Jersey, New Hampshire, Oregon, Tennessee, Texas, Indiana, Kentucky, and Rhode Island. This DPA is incorporated by reference into §14 (Data Protection) of our Terms of Service. This document is provided for reference; an executed countersigned copy is available on request from privacy@openclaw.direct.
1. Parties and Roles
For the purposes of this DPA and applicable data-protection law, Driven Success LLC acts as the “Processor” (or “Service Provider” under U.S. state laws) of personal data submitted to the Service. The Customer is the “Controller” (or “Business”) and is responsible for establishing a lawful basis for the processing, providing required notices to its end users, and configuring the Service in a manner consistent with applicable law. The Customer's end users, employees, contractors, integration counterparties, and any other natural persons whose personal data is submitted to the Service are the Data Subjects. Where the Customer is itself acting as a processor on behalf of a further controller, the Customer represents that it has obtained all authorizations necessary to engage Driven Success LLC as a subprocessor, and the obligations of this DPA flow through accordingly. Nothing in this DPA establishes Driven Success LLC as a joint controller with the Customer.
2. Subject Matter and Duration
The subject matter of the processing is the provision of the managed-hosting Service for AI agents as described in the Terms of Service, including operation of Machine Instances, transmission of prompts to foundation-model providers, return of model outputs, persistence of conversation history, and integration with messaging channels selected by the Customer. The processing continues for the duration of the Customer's active subscription and through any post-termination return or deletion period specified in Clause 10. The categories of personal data processed include: (a) Customer account information (name, work email, billing address, payment identifiers held by Stripe); (b) authentication and audit metadata (IP address, user-agent, login timestamps); (c) prompt content submitted to Machine Instances; (d) model outputs returned to the Customer; and (e) integration content exchanged with third-party messaging channels and tools the Customer connects. The categories of Data Subjects include the Customer's authorized users and any natural persons whose personal data the Customer or its users choose to submit through prompts, files, or connected integrations.
3. Instructions; Confidentiality
Driven Success LLC will process personal data only on the Customer's documented instructions, including with regard to transfers of personal data to a third country, unless required to do otherwise by Union, Member State, or applicable U.S. law to which the Processor is subject; in such a case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest. The Customer's documented instructions are set out in this DPA, the Terms of Service, the configuration the Customer applies through the Service, and any subsequent written instructions agreed in writing by both parties. If Driven Success LLC believes an instruction infringes applicable data-protection law, it will inform the Customer without undue delay. All personnel of Driven Success LLC authorized to process personal data are bound by written confidentiality obligations or are under an appropriate statutory duty of confidentiality, and such obligations survive termination of their engagement.
4. Security Measures
Driven Success LLC implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and equivalent obligations under the UK GDPR, FADP, and U.S. state laws. These measures include, at minimum: encryption at rest for Customer Content stored in persistent volumes and managed databases; encryption in transit via TLS 1.2 or higher for all external connections; network isolation of each Machine Instance, including separate Kubernetes namespaces and per-tenant network policies; access controls based on least-privilege and multi-factor authentication for administrative access; audit logging of administrative and security-relevant events; secret management for credentials and API keys; routine patching of base images and dependencies; and a vulnerability disclosure program reachable at security@openclaw.direct. A current description of our security program is published at /security and is incorporated into this DPA by reference. Driven Success LLC may update these measures from time to time, provided the overall level of protection is not materially diminished.
5. Subprocessors
The Customer grants Driven Success LLC a general written authorization to engage subprocessors to process personal data in connection with the Service, subject to the requirements of this Clause 5. The current list of subprocessors is published at /subprocessors and includes our Kubernetes hosting provider, Stripe (Stripe, Inc. and Stripe Payments Europe Ltd.), Anthropic PBC, OpenAI L.L.C. and OpenAI Ireland Ltd., Amazon Web Services, Inc. (Simple Email Service), and Google LLC (Tag Manager and Analytics 4, gated by visitor consent on public pages only). Driven Success LLC will provide the Customer with at least 14 days' prior notice of the addition, removal, or material change in role of any subprocessor, by updating the public list and emailing the Customer's account address. The Customer may reasonably object to a proposed change on data-protection grounds within the notice period; if the parties cannot agree on a resolution, the Customer may terminate the affected subscription. Driven Success LLC will impose data-protection obligations on each subprocessor that are substantially equivalent to those set out in this DPA, and remains liable to the Customer for the performance of each subprocessor's obligations.
6. International Transfers
Driven Success LLC operates from the United States and stores Customer Content in a single U.S.-region Kubernetes cluster. Where the Customer transfers personal data subject to the GDPR, UK GDPR, or FADP from the European Economic Area, the United Kingdom, or Switzerland to Driven Success LLC or to a subprocessor located outside those territories, the parties agree to rely on the following safeguards as applicable: (a) the EU Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914, Module Two (controller-to-processor) or Module Three (processor-to-processor), with the optional clauses selected as described in this DPA, the docking clause enabled, and the supervisory authority and governing law specified by reference to the Customer's place of establishment; (b) the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office, version B1.0; and (c) for transfers subject to the FADP, the EU SCCs as amended for Switzerland in accordance with FDPIC guidance, with references to the GDPR construed as references to the FADP and the FDPIC as the competent authority. The SCCs, IDTA, and Swiss amendments are deemed incorporated by reference into this DPA upon execution of the underlying subscription agreement.
7. Data Subject Rights
Taking into account the nature of the processing, Driven Success LLC will provide reasonable assistance to the Customer, by appropriate technical and organizational measures, insofar as possible, to enable the Customer to fulfil its obligation to respond to requests from Data Subjects exercising their rights under applicable data-protection law, including the rights of access, rectification, erasure, restriction of processing, portability, and objection, and the right not to be subject to a decision based solely on automated processing. If Driven Success LLC receives a request directly from a Data Subject that relates to personal data processed on the Customer's behalf, Driven Success LLC will not respond to the substance of the request itself and will, without undue delay, forward the request to the Customer so that the Customer can address it. Driven Success LLC's assistance under this Clause 7 may be invoiced where the request volume or complexity materially exceeds what is reasonably included in the subscription, with prior notice and consent of the Customer.
8. Personal Data Breach Notification
Driven Success LLC will notify the Customer without undue delay, and in any event with a target of within 72 hours of becoming aware, of any “personal data breach” within the meaning of Article 4(12) GDPR affecting personal data processed under this DPA. The notification will include, to the extent then known and as further information becomes available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of the Driven Success LLC point of contact for the incident; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects. Driven Success LLC will cooperate with the Customer and provide reasonable assistance to allow the Customer to meet its own notification obligations to supervisory authorities and Data Subjects. Notifications under this Clause 8 are not, in themselves, an admission of fault or liability.
9. Audits
Driven Success LLC will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA. Where available, Driven Success LLC will provide its most recent SOC 2 report or equivalent third-party security audit upon written request and under a mutually acceptable non-disclosure agreement; SOC 2 reports are not yet generally available and will be provided once produced. The Customer may, no more than once per twelve-month period (or more frequently if required by a supervisory authority or following a personal data breach), and on at least thirty days' prior written notice, conduct an on-site audit of Driven Success LLC's processing activities relevant to this DPA, at the Customer's expense, during normal business hours, in a manner that does not unreasonably interfere with the Service or breach the confidentiality obligations owed to other customers. Audits are limited to the Customer's own data and to systems and records reasonably relevant to that data.
10. Deletion and Return
Upon termination or expiration of the Customer's subscription, and at the Customer's choice expressed in writing within thirty days of termination, Driven Success LLC will return all Customer Content to the Customer in a commonly used machine-readable format, or delete all Customer Content from production systems, in each case within 30 days of the Customer's instruction or, absent any instruction, within 30 days of termination. After this period, residual copies of Customer Content remaining in encrypted, append-only backups will be purged in the normal backup rotation and will not be accessed, restored, or used for any purpose other than emergency recovery prior to expiry. Driven Success LLC may retain personal data to the limited extent and for the limited duration required by applicable law (including tax, accounting, and audit obligations), provided that such retained data remains subject to the confidentiality and security obligations of this DPA. Upon request, Driven Success LLC will certify in writing that deletion has occurred in accordance with this Clause 10.
11. Liability and Governing Law
Each party's liability under or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, is subject to and counts toward the aggregate limitation of liability set out in §13 of the Terms of Service, except where such limitation is prohibited by applicable law (including, for the avoidance of doubt, Clause 12 of the EU Standard Contractual Clauses to the extent it grants Data Subjects rights against a party as third-party beneficiaries). This DPA is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws provisions, and the parties submit to the exclusive jurisdiction of the state and federal courts located in Delaware, except that where applicable data-protection law, the EU SCCs, the UK IDTA, or the Swiss FADP mandates a different governing law, forum, or supervisory authority for the protection of Data Subjects, that mandatory law prevails to the extent of the conflict. The parties further agree that the choice of forum and law in this Clause 11 does not deprive Data Subjects of the protection afforded to them by the law of their habitual residence.