Last updated: May 24, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Robomotion Terms of Service or other written or electronic agreement between you (the "Customer") and Robomotion Corporation ("Robomotion") that governs Customer's use of the Service (the "Agreement"). This DPA applies to Robomotion's Processing of Customer Personal Data on Customer's behalf in connection with the Service.
In the event of a conflict, the order of precedence is: (1) the Standard Contractual Clauses and the UK Addendum (where they apply); (2) this DPA; and (3) the remainder of the Agreement, in each case solely with respect to the subject matter of this DPA. Except as modified here, the Agreement remains in full force and effect. Capitalized terms not defined in this DPA have the meaning given in the Agreement.
2.1 Customer is Controller; Robomotion is Processor. With respect to Customer Personal Data, Customer is the Controller (or, where Customer itself acts as a processor for a third party, the processor) and Robomotion is the Processor (or sub-processor). This DPA does not apply to Personal Data for which Robomotion is itself the Controller — for example, account-registration, billing, and website-visitor data — which is governed by our Privacy Policy.
2.2 Customer responsibilities. Customer is responsible for the lawfulness of the Customer Personal Data and of the means by which Customer acquired it, for having a valid legal basis for the Processing, and for the accuracy, quality, and legality of Customer Personal Data and Customer's instructions. Customer is responsible for providing any notices to, and obtaining any consents from, Data Subjects required under Data Protection Laws, including in connection with Customer's automations, robots, and AI agents and any AI features Customer makes available to its own end users.
3.1 Instructions. Robomotion will Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Robomotion will, where legally permitted, inform Customer of that requirement). The Agreement, this DPA, and Customer's configuration and use of the Service (including the automations, robots, and AI agents Customer builds and runs) constitute Customer's complete and documented instructions. Robomotion will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
3.2 Details of Processing. The subject matter, duration, nature and purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects are described in Annex I.
3.3 No sale. Robomotion will not sell Customer Personal Data and will not retain, use, or disclose it for any purpose other than providing the Service under the Agreement, or otherwise as permitted by Data Protection Laws.
Robomotion will ensure that personnel authorized to Process Customer Personal Data are subject to an appropriate duty of confidentiality and have received appropriate training on their responsibilities. Access is limited to personnel who need it to provide the Service.
Robomotion will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects. A description of those measures is set out in Annex II and in our Information Security Policy. Customer is responsible for the security measures within its own control, including configuring the Service appropriately, applying least-privilege and scoped credentials, and the safeguards described in the Agreement.
6.1 General authorization. Customer provides general authorization for Robomotion to engage Sub-processors to Process Customer Personal Data. A current list of Sub-processors is set out in Annex III.
6.2 Obligations. Robomotion will impose on each Sub-processor data protection obligations that are substantially the same as, and no less protective than, those in this DPA, and remains liable to Customer for each Sub-processor's performance of its obligations.
6.3 Changes. Robomotion will inform Customer of any intended addition or replacement of a Sub-processor (by updating Annex III, by email, or through another reasonable means) and give Customer a reasonable opportunity to object on reasonable, data-protection-related grounds. If Customer's objection cannot be reasonably resolved, Customer may, as its sole remedy, terminate the affected portion of the Service.
Taking into account the nature of the Processing, Robomotion will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If Robomotion receives such a request directly from a Data Subject relating to Customer Personal Data, it will, where legally permitted, advise the Data Subject to submit the request to Customer and will not otherwise respond except on Customer's instructions.
Taking into account the nature of Processing and the information available to it, Robomotion will provide reasonable assistance to Customer with: data protection impact assessments and prior consultations with Supervisory Authorities (Articles 35–36 GDPR); and Customer's obligations to keep Customer Personal Data secure and to notify Personal Data Breaches (Articles 32–34 GDPR).
Robomotion will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide Customer with information reasonably available to it to assist Customer in meeting its breach-notification obligations. Robomotion's notification is not an acknowledgment of fault or liability.
Upon termination or expiry of the Agreement, Robomotion will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, unless applicable law requires continued storage. Customer may also export or delete Customer Personal Data using the functionality of the Service during the term. Customer Personal Data residing in routine backups is deleted in accordance with Robomotion's backup-retention cycle.
Robomotion will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To the extent permitted by Data Protection Laws, Customer will first accept any relevant third-party certifications, audit reports, or security documentation that Robomotion makes available. Any further audit will be limited to once in any twelve-month period (unless required by a Supervisory Authority or following a Personal Data Breach), conducted on reasonable prior written notice, during business hours, subject to confidentiality obligations, in a manner that does not disrupt Robomotion's operations, and at Customer's expense.
12.1 Hosting location. Customer Personal Data is primarily hosted in data centers within the European Union (in Germany and the Netherlands). Because Robomotion is established in the United States and uses Sub-processors in the United States and other countries, Customer Personal Data may be accessed or Processed from those countries.
12.2 Transfer mechanism. Where Robomotion's Processing of Customer Personal Data involves a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the Standard Contractual Clauses are hereby incorporated into this DPA by reference and apply as follows:
12.3 UK and Switzerland. For transfers subject to the UK GDPR, the UK Addendum is incorporated and completed using the information in this DPA. For transfers subject to Swiss law, the SCCs apply with the adjustments necessary under the Swiss Federal Act on Data Protection.
12.4 In the event of any conflict between the SCCs (or UK Addendum) and this DPA, the SCCs (or UK Addendum) prevail.
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Agreement (including the Limitation of Liability section), and any reference in the Agreement to a party's liability means the aggregate liability of that party under the Agreement and this DPA together. This Section does not limit either party's liability to Data Subjects under the third-party-beneficiary provisions of the SCCs.
This DPA is governed by the same law and subject to the same dispute-resolution and jurisdiction provisions as the Agreement, except where Data Protection Laws or the SCCs require otherwise. If any provision of this DPA is held invalid or unenforceable, the remainder continues in effect. This DPA takes effect on the date Customer accepts the Agreement and remains in effect for as long as Robomotion Processes Customer Personal Data.
Questions about this DPA may be sent to privacy@robomotion.io, or by mail to: Robomotion Corporation, 256 Chapman RD, STE 105-4, Newark, Delaware, 19702, USA.
A. Parties. The data exporter is Customer (and, where applicable, its affiliates) as identified in the Agreement. The data importer is Robomotion Corporation, 256 Chapman RD, STE 105-4, Newark, Delaware, 19702, USA; contact: privacy@robomotion.io.
B. Categories of Data Subjects. The Data Subjects whose Personal Data is included in Customer Content, as determined and controlled by Customer. These may include Customer's representatives and authorized users, and Customer's own customers, employees, contractors, suppliers, and other individuals whose Personal Data Customer chooses to Process through the Service.
C. Categories of Personal Data. The Personal Data contained in Customer Content, as determined and controlled by Customer. These may include identifiers (such as names, usernames, and email addresses), contact details, credentials and secrets that Customer stores in the encrypted vault, and any other Personal Data that Customer includes in its inputs, flows, automations, or AI prompts. Customer is responsible for not submitting Personal Data that it is not authorized to Process.
D. Special Categories of Personal Data. The Service is not intended for the Processing of special categories of Personal Data (Article 9 GDPR). If Customer chooses to include such data, it does so on its own responsibility and must ensure an appropriate legal basis and any additional safeguards required by law.
E. Frequency. Continuous, for the duration of the Agreement.
F. Nature and Purpose. Hosting, storage, transmission, execution of Customer's automations, robots, and AI agents, provision of AI features, and related support, in each case to provide the Service under the Agreement.
G. Duration / Retention. For the term of the Agreement and thereafter as described in Section 10 (Deletion and Return).
H. Sub-processors. As described in Annex III.
I. Competent Supervisory Authority. Where the SCCs apply, the competent Supervisory Authority is the lead Supervisory Authority of the data exporter's EU establishment or, where the data exporter is not established in the EU, the Supervisory Authority of the EU Member State in which the data exporter's EU representative is located; for transfers subject to the UK GDPR, the UK Information Commissioner's Office.
Robomotion maintains measures designed to protect Customer Personal Data, including, as applicable:
Further detail is available in our Information Security Policy. Robomotion may update these measures from time to time provided the level of protection is not materially decreased.
As of the date above, Robomotion engages the following Sub-processors to Process Customer Personal Data:
| Sub-processor | Purpose | Location of Processing |
|---|---|---|
| DigitalOcean, LLC | Cloud hosting, compute, database, and object storage | European Union (Frankfurt, Germany; Amsterdam, Netherlands) |
| Hetzner Online GmbH | Database hosting (analytics) | Germany (European Union) |
| Anthropic, PBC | AI model inference (only when AI features are used) | United States |
| Google LLC | AI model inference (only when AI features are used) | United States / European Union |
| OpenAI, LLC | AI model inference (only when AI features are used) | United States |
| OpenRouter, Inc. | AI model routing and inference (only when AI features are used) | United States |
| Stripe, Inc. | Payment processing | United States |
| Mailjet (Sinch) | Transactional email | European Union (France) |
| Functional Software, Inc. (Sentry) | Error monitoring | United States |
Transfers to Sub-processors located outside Europe are covered by the Standard Contractual Clauses and, where applicable, the UK Addendum, as described in Section 12. An updated list of Sub-processors is available on request at privacy@robomotion.io.