Data processing agreement
Last updated Mar 30, 2026
If your organisation processes personal data through MultiClaw, UK GDPR and EU GDPR require a Data Processing Agreement (DPA) between you and MultiClaw before that processing begins. A DPA is a contract under Article 28 that defines how MultiClaw, as the data processor, handles personal data on your behalf as the data controller.
MultiClaw provides a standard, pre-signed DPA to any organisation that needs one. The DPA includes EU Standard Contractual Clauses (SCCs) for EEA data transfers and the UK International Data Transfer Agreement (IDTA) for UK data transfers. Together, these mechanisms cover international transfers to MultiClaw's subprocessors. MultiClaw's security programme aligns with ISO/IEC 27701, the international standard for privacy information management.
Who needs a DPA
You need a DPA if your team uses MultiClaw to process personal data on behalf of your organisation. Common examples:
- Customer-facing agents that handle support tickets containing names, email addresses, or account details
- Workflow automations that process employee records, HR data, or payroll information
- Task outputs that generate or reference personal data from your connected tools
If your use of MultiClaw involves only non-personal data — for example, code generation with no personal identifiers — a DPA is not legally required. When in doubt, request one. There is no cost or downside.
How to request a DPA
- Send an email to legal@multiclaw.io.
- Use the subject line: DPA request — your workspace name.
- Include your organisation's legal entity name and registered address in the email body.
MultiClaw will process your request within 5 business days and send you the pre-signed DPA for countersignature.
After you receive the DPA
- Review the agreement with your legal or data protection team.
- Countersign the DPA and return it to legal@multiclaw.io.
- MultiClaw confirms receipt and stores the executed copy on file.
The DPA remains in effect for as long as your organisation has an active MultiClaw subscription. If you cancel your subscription, the data-handling obligations in the DPA continue until all personal data is deleted or returned, as described in the agreement's deletion and return provisions.
What the DPA covers
The standard DPA covers all Article 28(3) requirements under UK GDPR and EU GDPR, including:
- Subject matter and duration: what data is processed and for how long
- Nature and purpose of processing: why and how MultiClaw processes the data
- Type of personal data: the categories of data involved
- Categories of data subjects: the people whose data is processed
- Obligations and rights of the controller: your responsibilities and entitlements as the data controller
- Security measures: the technical and organisational measures MultiClaw implements to protect the data
- Subprocessor restrictions: conditions under which MultiClaw may engage subprocessors and notification obligations
- Data subject rights assistance: how MultiClaw assists you in responding to data subject requests
- Audit rights: your right to conduct or commission audits of MultiClaw's processing activities
- Deletion and return: how data is handled at the end of the contract
For a full list of third-party subprocessors covered by the SCCs and IDTA, see Subprocessors and third parties.
International transfer mechanisms
When personal data moves between countries, UK GDPR and EU GDPR require specific legal safeguards. The standard DPA includes two transfer mechanisms:
- EU Standard Contractual Clauses (SCCs): pre-approved contract clauses adopted by the European Commission that authorise transfers of personal data from the EEA to countries without an adequacy decision. The DPA incorporates the current Module 2 (controller-to-processor) SCCs.
- UK International Data Transfer Agreement (IDTA): the UK equivalent of SCCs, approved by the UK Information Commissioner's Office (ICO) for transfers from the UK to countries without UK adequacy regulations.
These mechanisms apply automatically to any personal data transferred to MultiClaw's subprocessors outside the EEA or UK. You don't need to sign a separate transfer agreement — the DPA covers international transfers by default.
Controller vs processor roles
MultiClaw acts as a data processor for data you store in your workspace — for example, task content, agent outputs, and team member activity. You remain the data controller for that data.
For personal data MultiClaw collects about its own account holders — such as login credentials and contact details — MultiClaw acts as the data controller. That processing is covered by the Privacy Policy, not the DPA.
Custom terms
If your organisation requires provisions beyond the standard DPA, contact legal@multiclaw.io to discuss custom terms. Common reasons for custom terms include:
- Additional data residency requirements beyond the standard subprocessor locations
- Specific audit procedures or timelines required by your industry regulator
- Enhanced breach notification commitments, such as shorter notification windows
- Supplementary security measures required by your organisation's compliance framework
Custom term requests take longer to process than standard DPA requests, as they require legal review on both sides. Include your specific requirements in the initial email so MultiClaw's legal team can assess the scope upfront.
Related articles
- Privacy policy: a plain-language summary of what data MultiClaw collects, how it is used, and how to exercise your privacy rights.
- Compliance and certifications: MultiClaw's controls align with ISO 27001, 27017, 27018, 27701, and ISO 22301. Includes GDPR, SOC 2 status, penetration testing, and procurement docs.
- Subprocessors and third parties: the third-party services that handle your data on MultiClaw's behalf, how they're vetted, and how changes are communicated.