Data Processing Agreement (DPA)
Draft pending legal review
This Data Processing Agreement is a working draft published for transparency. It is under legal review and is not yet a signable contract. To request a signable copy of the DPA before you sign, contact info@oneclickclaw.io. This page is not legal advice.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- The Customer (the "Controller"): the individual or entity that subscribes to and uses the OneClickClaw managed hosting service. Customer legal name, address, and contact are recorded on signature.
- OneClickClaw (the "Processor"): a sole proprietorship operated by Luigi Ramos, based in Greece, EU. Contact: info@oneclickclaw.io.
Each a "Party" and together the "Parties". This DPA forms part of, and is subject to, the OneClickClaw Terms of Service (the "Agreement") between the Parties. The effective date is the date of signature by both Parties.
2. Roles of the Parties
- The Customer is the Controller of the data processed on its OpenClaw VPS instance. The Customer determines the purposes and means of that processing and is responsible for the lawfulness of the data it places on the VPS.
- OneClickClaw is the Processor and processes that data only on the Customer's documented instructions, as set out in this DPA and the Agreement.
- This DPA governs only the Processor relationship. For data where OneClickClaw acts as an independent Controller (account identity, billing, support correspondence), the OneClickClaw Privacy Policy applies.
- The Customer's chosen AI provider (via Bring Your Own Key) is a sub-processor selected and engaged by the Customer, not by OneClickClaw. OneClickClaw does not have access to the Customer's AI provider keys in plaintext and is not a party to the Customer's relationship with that provider.
3. Subject Matter and Duration
- Subject matter: the provision of managed OpenClaw VPS hosting, including provisioning, maintenance, backups, security monitoring of metadata, and technical support.
- Duration: this DPA applies for as long as OneClickClaw processes Customer data under the Agreement, and terminates automatically when the Agreement ends, subject to the deletion and return obligations in Section 11.
4. Nature and Purpose of Processing
OneClickClaw processes Customer data solely to deliver and operate the managed hosting service. This includes:
- Provisioning and configuring a dedicated, single-tenant VPS.
- Applying TLS (SSL) and firewall configuration and automatic updates to stable OpenClaw versions.
- Creating and storing automated backups.
- Monitoring server metadata (defined in Section 7) for security, abuse detection, and infrastructure-partner obligations.
- Responding to Customer support requests.
OneClickClaw does not access the contents of the Customer's business data, customer conversations, AI provider responses, or files on the server, except where actively investigating a monitoring alert or responding to a valid legal request, as described in the Security and Monitoring documentation.
5. Categories of Data and Data Subjects
Categories of personal data (as determined by the Customer):
- Any personal data the Customer or its end users place into the OpenClaw instance, including agent conversation content, uploaded files, and configuration. The specific categories are controlled by the Customer and are not dictated by OneClickClaw.
- Server-level operational data: IP addresses, performance metrics, deployment logs, SSH session metadata, network metadata, and filesystem metadata.
Categories of data subjects (as determined by the Customer):
- The Customer's own end users, contacts, or other individuals whose data the Customer chooses to process through the OpenClaw instance.
The Customer is responsible for ensuring it has a lawful basis for the personal data it processes and for not placing special-category data on the VPS without an appropriate legal basis and any required safeguards.
6. Processor Obligations (Article 28 GDPR)
OneClickClaw shall:
- Process on documented instructions only. Process Customer personal data only on the Customer's documented instructions (including this DPA and the Agreement), unless required by EU or Member State law, in which case OneClickClaw will inform the Customer unless legally prohibited.
- Confidentiality. Ensure that persons authorised to process the data are bound by confidentiality.
- Security. Implement the technical and organisational measures in Section 7.
- Sub-processors. Engage sub-processors only under the conditions in Section 8.
- Assist the Controller. Assist the Customer, by appropriate measures, in fulfilling its obligation to respond to data subject requests (Section 9) and its obligations under Articles 32 to 36 (security, breach notification, impact assessments).
- Deletion or return. Delete or return Customer personal data at the end of the service as set out in Section 11.
- Audit support. Make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits as set out in Section 12.
- Notify on unlawful instructions. Immediately inform the Customer if, in OneClickClaw's opinion, an instruction infringes the GDPR or other data protection law.
7. Security Measures
OneClickClaw implements the following technical and organisational measures. These mirror the public Security and Data Residency page and must be kept consistent with it:
- Isolation: each Customer runs on its own dedicated, single-tenant VPS. No other customer can access another customer's conversations, API keys, or bot configuration.
- Encryption in transit: TLS 1.2 or higher.
- Encryption at rest: Customer-provided API keys (BYOK) are encrypted before transmission to the dedicated server using Fernet symmetric encryption (AES-128-CBC with an HMAC-SHA256 integrity tag), and the encrypted keys are stored only on that VPS, never centrally.
- Backups: automated daily or weekly backups, retained within the same EU region as the server.
- Access controls: access to monitoring data and infrastructure is restricted to authorised personnel; SSH access for the Customer is opt-in and not enabled by default.
- Monitoring scope: SSH session metadata, network traffic patterns, filesystem metadata, and listening ports only, not the contents of business data.
- Abuse and bot protection: DDoS protection, rate limiting, input sanitisation, and automated secret redaction in support chat.
Full detail is published at the OneClickClaw Security and Data Residency page and the monitoring documentation.
8. Sub-processors
The Customer authorises OneClickClaw to engage the following sub-processors. This list is identical to the one published on the Security page and the Privacy Policy.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Webdock | VPS infrastructure | Denmark, EU | Within EU/EEA |
| Neon | Database hosting | European Union | Within EU/EEA |
| Replit | Application hosting | European Union | Within EU/EEA |
| Stripe | Payment processing | USA | Standard Contractual Clauses |
|  | OAuth authentication | USA | Standard Contractual Clauses |
| Resend | Email delivery | USA | Standard Contractual Clauses |
| Cloudflare | Bot and DDoS protection | USA | Standard Contractual Clauses |
| Anthropic | OneClickClaw's own AI support chatbot | USA | Standard Contractual Clauses |
Notes:
- The Customer's chosen AI provider under BYOK is the Customer's own sub-processor, engaged directly by the Customer, and is not listed above.
- Anthropic appears only because OneClickClaw uses it to power its own support chatbot, not for processing the Customer's VPS workloads.
- For all sub-processors located outside the EU/EEA, transfers rely on Standard Contractual Clauses.
Changes to sub-processors: OneClickClaw will give the Customer prior notice of any intended addition or replacement of a sub-processor so the Customer may object on reasonable data protection grounds.
9. Data Subject Rights Assistance
OneClickClaw shall assist the Customer, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under GDPR Articles 15 to 22 (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making). Where a data subject contacts OneClickClaw directly about data the Customer controls, OneClickClaw will refer the request to the Customer and will not respond independently except as legally required.
10. Breach Notification
OneClickClaw shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data, and in any event in time to allow the Customer to meet its own notification obligations. The notification will include, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
For data where OneClickClaw acts as Controller, OneClickClaw notifies the competent supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay where the breach is likely to result in a high risk, consistent with its Privacy Policy.
11. Deletion or Return on Termination
On termination of the Agreement, and at the Customer's choice, OneClickClaw shall delete or return all Customer personal data and delete existing copies, unless EU or Member State law requires storage.
- BYOK API keys are deleted when the server is destroyed.
- Server activity and monitoring metadata are retained for at most 90 days and then deleted automatically.
- Backups are deleted when the underlying server is destroyed, subject to the infrastructure partner's backup rotation period.
Billing records are retained by OneClickClaw as Controller for 7 years as required by Greek tax law; this retention falls outside the Processor relationship.
12. Audit Rights
OneClickClaw shall make available to the Customer all information necessary to demonstrate compliance with Article 28 and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. To protect the security of other single-tenant customers and infrastructure, audits shall be conducted on reasonable prior notice, no more than once per year absent a breach, and subject to confidentiality. OneClickClaw may satisfy audit requests by providing existing documentation and security descriptions where these reasonably demonstrate compliance.
13. Governing Law
This DPA is governed by the laws of Greece and the applicable provisions of EU law, consistent with the OneClickClaw Privacy Policy and Terms of Service. The competent supervisory authority is the Hellenic Data Protection Authority (HDPA).
14. Signatures
A signature block, countersigned for OneClickClaw, is provided with the signable copy of this DPA on request. For OneClickClaw, the DPA is signed by Luigi Ramos, Owner, OneClickClaw. To request the signable copy, contact info@oneclickclaw.io.
