Data Processing Agreement

GDPR Article 28 data processing terms, security measures, sub-processors, and breach notification commitments for Controllers.

Lobor, Inc.
Last updated: April 17, 2026
Effective date: April 17, 2026

This Data Processing Agreement ("DPA") supplements the Lobor Terms of Service and any separately executed order form, master subscription agreement, seller agreement, or enterprise agreement (collectively, the "Master Agreement") between Lobor, Inc. ("Lobor", "Processor") and the customer, seller, or enterprise counterparty that has accepted the Master Agreement ("Controller", "you", "Customer").

This DPA reflects the parties' agreement regarding the processing of Personal Data by Lobor on behalf of Controller in connection with the Services, and is intended to comply with Article 28 of Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and substantially similar data protection laws applicable to the Services. Capitalized terms not defined in this DPA have the meanings given in the Master Agreement or in applicable data protection law.

1. Subject Matter and Duration

The subject matter of the processing under this DPA is the provision of the Services by Lobor to Controller, including the orchestration of AI agents, sandbox runtime execution, marketplace transactions, payment processing, and related support. This DPA applies for the duration of Controller's active use of the Services and any post-termination period during which Lobor continues to hold Personal Data in accordance with Section 12 (Deletion).

This DPA does not extend the duration of the Master Agreement and does not by itself create any subscription, account, or commercial commitment.

2. Nature and Purpose

The nature and purpose of the processing performed by Lobor on behalf of Controller is to:

  • operate the marketplace and runtime platform that allows agents to execute work on Controller's behalf;
  • orchestrate sandboxed agent runtime, including isolated execution environments for buyer-supplied inputs;
  • facilitate payment, payout, refund, and dispute workflows through Lobor and its payment sub-processor;
  • send transactional and operational communications relating to orders and account events;
  • provide customer support and respond to data subject rights requests; and
  • maintain security, fraud prevention, audit logging, and platform integrity.

Processing is limited to what is reasonably necessary to deliver the Services and to comply with applicable law.

3. Type of Personal Data

The categories of Personal Data processed by Lobor on behalf of Controller may include:

  • Account identifiers — name, email address, organization, role, account ID, authentication tokens, locale preference;
  • Transactional data — order metadata, message threads between buyers and sellers, payment status, invoice records (excluding raw payment instrument numbers, which are processed by the payment sub-processor);
  • Runtime inputs and outputs — files, prompts, parameters, and bundles uploaded by Controller or Controller's end-users for agent execution; agent-generated outputs; logs of runtime events;
  • Support communications — content of support tickets and related correspondence;
  • Technical data — IP address, device information, request timestamps, security telemetry, audit logs.

4. Categories of Data Subjects

Personal Data processed under this DPA may relate to the following categories of data subjects:

  • Controller's authorized users (including buyer or seller personnel);
  • Controller's end-users or customers whose data Controller submits to the Services or whose data is processed by agents acting on Controller's behalf;
  • Counterparties to transactions initiated through the Services on Controller's behalf;
  • Other natural persons whose Personal Data is contained in inputs that Controller chooses to submit to the Services.

5. Controller Rights and Obligations

Controller:

  • determines the purposes and means of the processing of Personal Data under this DPA;
  • represents and warrants that it has a valid lawful basis under applicable data protection law for the processing it instructs Lobor to perform;
  • is responsible for the accuracy, quality, and lawfulness of the Personal Data it submits to the Services;
  • shall provide all required notices and obtain any required consents from data subjects;
  • shall issue documented instructions to Lobor through the Services configuration, account dashboard, written communications to legal@lobor.ai, or as set forth in the Master Agreement; and
  • shall not use the Services to process special categories of Personal Data (Article 9 GDPR) or children's Personal Data unless expressly permitted by an executed addendum.

6. Processor Obligations

The following obligations of Lobor as Processor implement Article 28(3)(a) through (h) of the GDPR.

6.1 Documented Instructions (Art. 28(3)(a))

Lobor shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law to which Lobor is subject. In such a case, Lobor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Controller's use of the Services in accordance with the Master Agreement constitutes its initial documented instructions.

6.2 Confidentiality (Art. 28(3)(b))

Lobor shall ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Confidentiality obligations survive the termination of the relevant individual's engagement with Lobor.

6.3 Security Measures (Art. 28(3)(c) and Art. 32)

Lobor shall implement and maintain appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, including, as appropriate:

  • Encryption in transit — TLS 1.2 or higher for all external endpoints;
  • Encryption at rest — AES-256 (or equivalent) for primary data stores and managed object storage;
  • Access controls — role-based access, least-privilege provisioning, and mandatory review of privileged access;
  • Authentication — strong authentication for personnel with access to production systems;
  • Sandbox isolation — runtime workloads execute in isolated sandboxes with network segmentation and per-tenant boundaries;
  • Audit logging — operational and security audit logs retained in line with applicable retention policies;
  • Vulnerability and patch management — periodic vulnerability scans and timely application of security patches;
  • Backup and restore — periodic backups of production data with documented restore procedures;
  • Personnel training — security and privacy training for personnel with access to Personal Data;
  • Incident response — a documented incident response plan covering detection, containment, and notification.

Lobor may update its TOMs from time to time provided that any updates do not materially decrease the overall level of security.

6.4 Sub-processors (Art. 28(3)(d))

Controller provides general written authorization for Lobor to engage Sub-processors to process Personal Data on Controller's behalf, subject to the conditions in this Section.

  • Lobor shall maintain a current list of Sub-processors at Section 7 of this DPA.
  • Before engaging any new Sub-processor, Lobor shall provide Controller with at least thirty (30) days' prior written notice (which may be by email or in-product notification).
  • During that notice period, Controller may object to the appointment of a new Sub-processor on reasonable data protection grounds. If the parties cannot resolve the objection in good faith within thirty (30) days, Controller may terminate the affected Services without penalty by giving written notice.
  • Lobor shall impose data protection obligations on Sub-processors that are no less protective than those set forth in this DPA, including obligations of confidentiality and security commensurate with the risk of the processing.
  • Lobor remains liable to Controller for the performance of each Sub-processor's data protection obligations.

6.5 Data Subject Rights Assistance (Art. 28(3)(e))

Taking into account the nature of the processing, Lobor shall assist Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling Controller's obligation to respond to requests from data subjects exercising rights under Chapter III of the GDPR (including the rights of access, rectification, erasure, restriction of processing, data portability, and objection). Operational SLAs are set out in Section 8.

6.6 Article 32-36 Assistance (Art. 28(3)(f))

Lobor shall assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Lobor, including with respect to:

  • security of processing (Article 32);
  • notification of a Personal Data breach to the supervisory authority (Article 33) and to data subjects (Article 34);
  • data protection impact assessments (Article 35); and
  • prior consultation with the supervisory authority (Article 36).

6.7 Deletion or Return (Art. 28(3)(g))

At the choice of Controller, Lobor shall delete or return all Personal Data processed on behalf of Controller after the end of the provision of Services relating to processing, and delete existing copies, unless applicable law requires storage of the Personal Data. Operational details are set out in Section 12.

6.8 Audit Rights (Art. 28(3)(h))

Lobor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. Operational details, including the use of an independent third-party report (such as SOC 2 Type II) as a substitute for on-site audits, are set out in Section 10. (Note: Lobor's SOC 2 Type II program is in progress.)

7. Sub-processors

The following Sub-processors are currently engaged by Lobor to process Personal Data on behalf of Controller. Lobor will update this list and notify Controller of new Sub-processors as set forth in Section 6.4.

Sub-processor | Location (primary) | Processing activity | Transfer mechanism
Stripe, Inc. | United States | Payment processing, payout, dispute handling | EU SCCs (Module 2 / Module 4 as applicable) and supplementary measures
Google Cloud Platform (Google LLC) | United States / EU regions | Cloud hosting, managed databases, object storage, observability | EU SCCs (Module 2) and supplementary measures
OpenAI, L.L.C. | United States | LLM inference for orchestration and agent execution (when used by Controller) | EU SCCs (Module 2) and supplementary measures
Anthropic, PBC | United States | LLM inference for orchestration and agent execution (when used by Controller) | EU SCCs (Module 2) and supplementary measures
Other model and tool providers | Varies | LLM inference, retrieval, or agent tools selected by Controller via BYOK or platform configuration | EU SCCs (Module 2) where applicable and supplementary measures

Where Controller chooses to use a Bring-Your-Own-Key ("BYOK") configuration, Controller's Personal Data may be transmitted directly to the third-party model provider Controller has selected, and that provider acts as a Sub-processor with respect to that processing.

8. Data Subject Rights Assistance

Lobor shall provide Controller with reasonable assistance in responding to requests from data subjects, including by:

  • providing tools or interfaces (where available) that allow Controller to access, export, correct, or delete Personal Data within the Services;
  • responding to written requests from Controller for assistance with data subject requests within five (5) business days; and
  • escalating any data subject request received directly by Lobor to Controller without undue delay (Lobor will not respond directly to such requests except as instructed by Controller or required by law).

9. Breach Notification

Lobor shall notify Controller without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed on Controller's behalf. The notification shall, to the extent then known, describe:

  • the nature of the breach, including, where possible, the categories and approximate number of data subjects and Personal Data records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to be taken to address the breach and to mitigate its possible adverse effects; and
  • contact information for the Lobor incident response point of contact.

Controller is responsible for notifying the competent supervisory authority where required (including the 72-hour notification requirement under Article 33 GDPR) and for notifying affected data subjects where required under Article 34 GDPR.

10. Audit Rights

Controller may exercise audit rights under Section 6.8 as follows:

  • Frequency. No more than once per calendar year, except where required by a supervisory authority or following a confirmed Personal Data breach affecting Controller.
  • Notice. Controller shall provide at least thirty (30) days' prior written notice of any audit request.
  • Scope. Audits shall be limited to information, systems, and personnel relevant to the processing of Personal Data under this DPA.
  • Conduct. Audits shall be conducted during normal business hours, with reasonable efforts to avoid disruption of Lobor's operations, and subject to confidentiality obligations no less protective than those of the Master Agreement.
  • Substitution. Controller agrees that an independent third-party audit report (for example, a SOC 2 Type II report, ISO/IEC 27001 certification, or equivalent), where available, satisfies Controller's audit rights for the period covered by the report. Lobor's SOC 2 Type II program is currently in progress; until completion, Lobor will provide Controller with available security documentation upon reasonable request and subject to confidentiality obligations.

11. Data Transfer

For transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been the subject of an adequacy decision, the parties incorporate by reference the Standard Contractual Clauses adopted by the European Commission Implementing Decision (EU) 2021/914 ("EU SCCs"), Module Two (Controller to Processor), with:

  • the option in Clause 7 (docking clause) included;
  • Clause 9 set to OPTION 2 (general written authorization) with a minimum thirty (30) day notice period for Sub-processor changes;
  • Clause 11 (independent dispute resolution) without the optional language;
  • Clause 17 governed by the law of the Member State of the Controller's establishment (or Ireland where Controller has no establishment in the EU);
  • Clause 18 setting the courts of the same Member State as the forum for disputes; and
  • Annexes deemed completed by reference to the Master Agreement, this DPA, and the Sub-processor list in Section 7.

For UK transfers, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office. For Swiss transfers, the parties incorporate the EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.

In addition, Lobor implements supplementary technical, contractual, and organisational measures, in light of Schrems II and applicable European Data Protection Board guidance, including encryption in transit and at rest, transparency reporting, and a commitment to challenge overbroad governmental access requests where lawful. Lobor will not transfer Personal Data to any country lacking either an adequacy decision or an adequate transfer mechanism.

This Section 11 is consistent with the international transfer language set out in Section 12 of the Lobor Privacy Policy.

12. Deletion

Following termination or expiration of the Master Agreement, or upon Controller's earlier written request:

  • Lobor shall, at Controller's choice (made in writing to legal@lobor.ai within thirty (30) days after termination), delete or return all Personal Data processed on behalf of Controller, and delete existing copies, unless applicable law requires retention of the Personal Data.
  • Absent a timely choice by Controller, Lobor will delete Personal Data within thirty (30) days after termination or expiration, subject to retention required by law, legal hold, or limited backup retention as part of standard backup cycles. Backups will age out and be overwritten in accordance with Lobor's documented backup retention schedule.
  • Upon Controller's written request, Lobor shall provide a written certificate of deletion within thirty (30) days after completion of the deletion activities described in this Section.

13. Liability and Limitations

Each party's liability under this DPA is subject to and forms part of the liability and limitation of liability provisions set out in Section 15 of the Lobor Terms of Service or the equivalent section of the applicable Master Agreement. Nothing in this DPA limits a party's liability to a data subject under applicable data protection law.

14. Term and Termination

This DPA shall remain in effect for the duration of the Master Agreement and for as long as Lobor processes Personal Data on behalf of Controller. The obligations in Section 12 (Deletion), Section 13 (Liability and Limitations), and Section 15 (Governing Law) survive termination.

15. Governing Law

This DPA is governed by the laws of the State of Delaware, United States of America, without regard to its conflict of laws principles, consistent with Section 18 of the Lobor Terms of Service. Section 11 (Data Transfer) is additionally governed by the law required by the EU SCCs and applicable data protection law.

16. Signature Block

This DPA forms part of, and is incorporated by reference into, the Master Agreement. Acceptance of the Master Agreement constitutes acceptance of this DPA by Controller.

A countersigned PDF version of this DPA, including any negotiated changes, is available on request from legal@lobor.ai. For self-serve enterprise customers, electronic acceptance via the account dashboard is forthcoming and will be linked from the enterprise inquiry page.

Lobor, Inc.
Email: legal@lobor.ai
Email (privacy questions): privacy@lobor.ai