
MCP Manager by Usercentrics – Data Processing Agreement
(hereinafter “Agreement”) between
Contracting Party
(hereinafter “Controller”)
and
Usercentrics
(hereinafter “Processor” or “MCP Manager”)
This Agreement forms part of, and is subject to, the General Terms and Conditions for MCP Manager by Usercentrics entered into between the parties (the “Main Agreement” or “GTC”). In the event of any conflict between this Agreement and the Main Agreement, this Agreement shall prevail with respect to data protection matters.
1. Subject Matter and Duration
1.1.
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the MCP Manager platform — a software-as-a-service platform that enables, mediates, and controls access by AI models designated by the Controller to data sources and tools connected by the Controller, as further described in the Main Agreement (the “Service”). The Service operates as a controlled gateway: it routes context requests and tool calls between AI models and connected services strictly in accordance with the Controller’s configuration, permissions, and documented instructions. The Processor does not independently determine the purposes or means of processing personal data under this Agreement.
1.2.
This Agreement is effective for the duration of the Main Agreement and terminates automatically upon its expiry or termination, subject to Section 13 (Deletion of Data).
2. Nature, Purpose, and Scope of Processing
2.1.
Nature and Purpose. The Processor processes personal data solely to provide and support the Service as instructed by the Controller. Because the Service operates via AI-generated tool calls and prompts, the scope and categories of personal data processed at any given time are determined dynamically by the Controller’s integrations, permissions, and the queries submitted by or on behalf of the Controller. Processing activities carried out by the Processor include:
- Receiving and routing queries and tool calls from AI models to connected data sources and services;
- Transmitting retrieved data from connected services back to AI models;
- Enforcing access controls and guardrails as configured by the Controller; and
- Logging interactions for security, debugging, and service integrity purposes.
2.2.
Data Categories. The categories of personal data processed depend on what the Controller connects to the Service and the nature of the queries submitted. These may include, without limitation: identifiers, contact details, professional information, usage data, and any other personal data contained in data sources or queries that the Controller integrates with the Service. The Controller is responsible for ensuring that any personal data it causes to flow through the Service is appropriate and processed in compliance with applicable law. The fixed categories of personal data processed by the Processor in connection with the Service are described in Annex 3.
2.3.
Data Subjects. Data subjects are determined by the Controller’s configuration and use of the Service. They may include the Controller’s customers, employees, end users, or other individuals whose data is present in connected data sources or queries submitted through the Service.
2.4.
No Secondary Use. The Processor does not process personal data under this Agreement — including log data — for model training, cross-context behavioral advertising, product benchmarking, or any other purpose not directly required to fulfil the Controller’s instructions and provide the Service.
3. Controller’s Instructions
3.1.
The Processor processes personal data only in accordance with documented instructions from the Controller. Documented instructions include: (i) this Agreement; (ii) the Main Agreement; and (iii) configurations, integrations, permissions, data access rules, and guardrail settings established by the Controller within the Service. The Controller may issue further instructions in writing (email sufficient). Oral instructions will be confirmed by the Controller immediately in writing or by e-mail.
3.2.
The Processor shall inform the Controller without undue delay if it believes an instruction infringes applicable data protection law, and may suspend execution of that instruction pending confirmation or amendment by the Controller.
3.3.
The Processor shall not disclose personal data to third parties or data subjects without the prior written consent of the Controller, except as required by applicable law.
4. Transient Processing, Caching, and Logging
4.1.
Transient Processing. The Service operates primarily as a data routing mechanism. Personal data transmitted in the course of a query or tool call is processed transiently and is not persistently stored by the Processor, unless explicitly required to complete a multi-step operation (e.g., short-term caching within a session).
4.2.
Interaction Logs. The Processor maintains interaction logs (which may include queries, tool calls, access events, and system events) for security, debugging, and service integrity purposes. Such logs may contain personal data and are treated as in-scope personal data under this Agreement. Logs are subject to the access controls described in Annex 1 and are retained only as long as necessary to complete contractual requirements, after which they may be deleted upon request unless a longer retention period is required by applicable law.
4.3.
Configuration Data. Account data, integration configurations, permission settings, and guardrail configurations maintained by the Controller in the Service are retained for the duration of the Main Agreement and deleted in accordance with Section 13.
5. Controller’s Responsibilities
5.1.
The Controller is solely responsible for:
- (a) ensuring it has a lawful basis for processing personal data through the Service and for any disclosures made to AI model providers or connected third-party services;
- (b) selecting, configuring, and maintaining the integrations, permissions, and guardrail settings within the Service;
- (c) the accuracy, content, and legality of all data it causes to flow through the Service; and
- (d) obtaining any necessary consents, providing required notices, and complying with applicable data protection law in connection with its use of the Service.
5.2.
The Controller acknowledges that the Processor does not control, review, or take responsibility for the content of queries submitted by the Controller or the output of AI models.
6. Confidentiality
6.1.
The Processor shall ensure that all personnel authorized to process personal data under this Agreement are bound by appropriate confidentiality obligations, whether contractual or statutory. This obligation survives termination of the Agreement.
7. Technical and Organisational Measures
7.1.
The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction, ensuring the ongoing confidentiality, integrity, availability, and resilience of the systems and services involved in processing. The technical and organisational measures implemented by the Processor are set out in Annex 1 to this Agreement. The Controller is aware of these measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed. Given that the Service operates primarily as a data routing mechanism, measures are focused on the security of data in motion, API authentication, tenant isolation, and log access controls.
7.2.
The technical and organisational measures set out in Annex 1 are subject to technical progress and further development. The Processor may update or modify such measures over time, provided the overall level of protection afforded to personal data is not reduced. Significant changes will be documented.
8. Subprocessors
8.1.
The Controller authorizes the Processor to engage the subprocessors listed in Annex 2. The Processor will provide written notice (email sufficient) to the Controller at least 30 days before adding or replacing a subprocessor. The Controller may object in writing within that period on reasonable data protection grounds. If no objection is raised, consent is deemed granted. If the parties cannot resolve a valid objection and the Service cannot be provided without the relevant subprocessor, either party may terminate the Agreement with respect to the affected service without liability for early termination.
8.2.
The Processor shall impose data protection obligations on subprocessors substantially equivalent to those in this Agreement and shall remain liable for subprocessor compliance.
8.3.
Third-Party Connected Services and AI Model Providers Are Not Subprocessors. AI model providers (such as OpenAI, Anthropic, or others) and third-party services (such as APIs, databases, or SaaS tools) that the Controller independently selects and connects to the Service are not subprocessors of the Processor under this Agreement. The Controller is solely responsible for its relationships with, and the legality of data flows to, such independent services.
9. International Data Transfers
9.1.
The Service is operated by Processor in the United States. To the extent personal data originating from the European Economic Area (EEA) or the United Kingdom (UK) is transferred to the United States in connection with the Service, such transfers are governed by:
- For transfers subject to the EU GDPR: the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (“EU SCCs”), Module 2 (controller to processor), which are incorporated by reference into this Agreement. In Clause 17, Option 1 applies, and German law governs. In Clause 18(b), disputes shall be resolved before German courts, with the exclusive jurisdiction of Munich.
- For transfers subject to the UK GDPR: the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (“UK IDTA”), which is also incorporated by reference.
Each party is deemed to have executed the EU SCCs and UK IDTA upon entering into this Agreement.
9.2.
To the extent there is any conflict between this Agreement and the EU SCCs or UK IDTA, the EU SCCs or UK IDTA (as applicable) shall prevail.
9.3.
The Controller acknowledges that data flows from the Service to AI model providers or third-party connected services independently selected by the Controller may involve further international transfers. The Controller is responsible for ensuring appropriate safeguards are in place for such transfers.
10. Data Subject Rights
10.1.
The Processor shall provide reasonable assistance to the Controller to enable it to respond to data subject rights requests under applicable data protection law.
10.2.
If a data subject contacts the Processor directly regarding access, correction, deletion, or restriction of their personal data, the Processor shall forward the request to the Controller without undue delay and shall not respond to the data subject directly unless expressly instructed to do so by the Controller.
11. Security Incidents
11.1.
The Processor shall notify the Controller without undue delay upon becoming aware of a confirmed security incident involving personal data processed under this Agreement, and shall provide sufficient information to enable the Controller to meet its breach notification obligations under applicable law.
11.2.
The Processor shall take reasonable steps to contain and remediate any confirmed security incident and shall keep the Controller informed of material developments.
11.3.
The Processor shall not notify data subjects or supervisory authorities on the Controller’s behalf unless expressly instructed to do so by the Controller.
12. Audit Rights
12.1.
Upon reasonable written request, the Processor shall provide documentation sufficient to demonstrate its compliance with this Agreement, which may include audit certificates, reports, or equivalent documentation from independent third-party auditors available at the time of the request.
12.2.
The Controller may conduct an audit of the Processor’s compliance no more than once per calendar year (unless required by instruction of a competent supervisory authority, or following a confirmed security incident), upon reasonable prior written notice and during normal business hours. The Controller shall bear the costs of any such audit; the Processor may charge reasonable costs for support it provides in connection with the audit.
12.3.
All documentation and audit results provided under this Section are the confidential information of the Processor.
13. Deletion of Data
13.1.
Upon termination or expiry of the Main Agreement, the Processor shall, within 60 days of a written request from the Controller, either return or delete all personal data processed under this Agreement, at the Controller’s election. If no request is received within 30 days of termination, the Processor shall delete the personal data in accordance with its data retention policies.
13.2.
The Processor may retain personal data contained in backups or system logs beyond the period specified in Section 13.1 to the extent necessary for operational continuity, provided that such data is not actively processed, remains subject to the technical and organisational measures set out in Annex 1, and is deleted as soon as reasonably practicable. The Processor shall not retain personal data longer than necessary for the purposes for which it was collected.
13.3.
The Processor may retain documentation required to demonstrate compliance with this Agreement for the period required by applicable law.
13.4.
This Agreement shall survive termination of the Main Agreement until all personal data has been deleted or returned in accordance with this Section.
14. US Data Protection Laws
14.1.
To the extent the Processor processes personal data subject to applicable US federal or state data protection laws (including, without limitation, the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring) (collectively, “US Data Protection Laws”), the following applies. Terms such as “Controller”, “Processor”, “Data Subject”, and “Personal Data” shall have the meanings given under applicable US Data Protection Laws.
14.2.
In addition to its obligations under this Agreement, the Processor shall not:
- Use personal data for any purpose other than providing the Service as specified in this Agreement;
- Sell personal data or make it available to any third party for monetary or other valuable consideration;
- Share personal data with any third party for cross-context behavioral advertising;
- Retain, use, or disclose personal data outside the direct business relationship between the parties; or
- Combine personal data processed under this Agreement with personal data received from other sources, except as permitted by applicable US Data Protection Laws.
14.3.
The Processor shall:
- Comply with its obligations under applicable US Data Protection Laws;
- Notify the Controller if it determines it can no longer meet those obligations; and
- Inform the Controller without delay if it believes an instruction violates applicable US Data Protection Laws, and may suspend execution of that instruction pending confirmation or amendment.
14.4.
To the extent the Processor creates deidentified data from personal data processed under this Agreement, it shall not attempt to reidentify such data, shall maintain it in deidentified form, and shall contractually require any authorized recipients to comply with the same obligations.
14.5.
The Controller has the right to take reasonable and appropriate steps to ensure the Processor uses personal data in a manner consistent with the Controller’s obligations under applicable US Data Protection Laws, and upon notice, to stop and remediate unauthorized use.
15. Liability
15.1.
Liability under this Agreement is governed by the liability provisions of the GTC. To the extent the EU SCCs or UK IDTA impose mandatory liability provisions that cannot be derogated from by contract, those provisions shall apply to the extent required.
Annex 1 – Technical and Organizational Measures (TOM)
The Processor processes personal data on behalf of its customers and is aware of its responsibility as a processor. Accordingly, technical and organizational measures have been taken to significantly reduce risks and potential hazards that arise in connection with the processing of personal data. The following measures describe how an appropriate level of security and data protection is achieved. These measures are deemed to be agreed upon with the Controller upon execution of this Agreement.
Given that the MCP Manager platform operates primarily as a data-routing gateway — processing data in motion rather than at rest — measures are focused on the security of data in transit, API authentication, tenant isolation, and log access controls.
1. Encryption and Data in Transit
All data transmitted between the Controller, MCP Manager, AI models, and connected services is encrypted using TLS 1.2 or above. API connections are authenticated using randomly generated access tokens or API keys managed by the Controller.
2. Access Controls
Access to Service infrastructure and personal data is restricted on a need-to-know basis using role-based access controls (RBAC). Access rights are reviewed regularly and revoked promptly upon employment termination or role change.
3. Tenant Isolation
Customer data, configurations, and interaction logs are logically isolated between tenants. Cross-tenant access is not permitted.
4. Confidentiality
All personnel with access to personal data are bound by contractual confidentiality obligations. Access is limited to those who require it to perform their role.
5. Availability and Recoverability
The Service is hosted on cloud infrastructure with built-in availability and redundancy measures provided by the hosting provider. The Processor maintains monitoring of system activities and has established incident response and recovery procedures.
6. Regular Review and Testing of Measures
Systems are regularly checked for vulnerabilities and security patches are applied on a regular basis.
7. Incident Response
The Processor maintains an incident response process covering detection, containment, notification, and remediation. In the event of a confirmed security incident involving personal data, the Processor shall notify the Controller without undue delay and provide sufficient information to enable the Controller to meet its notification obligations under applicable law.
8. Data Retention and Deletion
The Processor retains personal data for as long as necessary to fulfil the contractual or legal obligations for which it was collected. The Processor does not currently operate automated data retention or deletion systems; personal data may be retained until defined retention processes are implemented. Deletion requests are processed manually and fulfilled as promptly as practicable in accordance with applicable law. Certain data is retained for evidentiary, accounting, or tax purposes for periods required by applicable law.
Annex 2 – Authorised Subprocessors
| # | Name | Operating Entity | Place of Data Processing | Data Received | Purpose | Scope |
|---|---|---|---|---|---|---|
| 1 | Amazon Web Services (Redshift) | Amazon Web Services, Inc. | US-East-1, 410 Terry Ave N, Seattle, WA 98109, USA | All usage and behavioral data, email address, IP address, account and device identifiers | Data warehouse and hosting infrastructure for the Service | Core Service |
| 2 | HubSpot | HubSpot, Inc. | United States | Email address, account identifier, page navigation data, HubSpot tracking cookie, form submission data | Customer communications (live chat, email), marketing automation, onboarding communications directed at the Controller’s account users | Account management |
| 3 | Heap Analytics | Heap Inc. | United States | Email address, account identifier, display name, environment mode | User engagement analytics — captures interactions of the Controller’s account users with the MCP Manager interface. Interaction data is stored in recording format and is not retained as structured or queryable personal data. | Product analytics |
| 4 | FullStory | FullStory, Inc. | United States | Email address, account identifier, display name, registration source, session recordings | Session recording and product analytics — captures interactions of the Controller’s account users with the MCP Manager interface. Interaction data is stored in recording format and is not retained as structured or queryable personal data. | Product analytics |
FullStory and Heap process data relating to the Controller’s own account users (i.e., the Controller’s employees or staff interacting with the MCP Manager platform) and not personal data of the Controller’s end-users routed through the MCP gateway. Data flows from MCP Manager to these providers on a one-way basis.
All third-party providers listed are based in the United States. Where data is transferred outside the EU/EEA, Standard Contractual Clauses pursuant to Art. 46 GDPR are in place unless otherwise noted. Where you have concerns about international data transfers, you may contact us or our Data Protection Officer. Details below:
SECUWING GmbH & Co. KG
Maximilian Hartung
Frauentorstr. 9, 86152 Augsburg, Germany
E-mail: epost@datenschutz-agentur.de | Phone: +49 821 90786450
Notes:
- Cloud infrastructure: The Service is currently hosted on Amazon Web Services and is migrating to Usercentrics cloud infrastructure (Google Cloud). Any change in infrastructure provider will be notified to the Controller in accordance with Section 8.1 of this Agreement.
- All subprocessors listed above are based in the United States. Personal data originating from the EEA or UK is transferred to these providers under Standard Contractual Clauses or equivalent transfer mechanisms.
Processor may engage affiliated Usercentrics group entities as subprocessors where those entities process personal data on its behalf in connection with the Service. Where such intra-group processing involves transfers of personal data from the EEA or UK to the United States or other third countries, appropriate safeguards (including intra-group Standard Contractual Clauses) are in place. An up-to-date list of subprocessors, including any engaged group entities, is available upon request. Changes are notified in accordance with Section 8.1.
Annex 3 – Data Processing Description
This Annex describes the fixed categories of personal data processed by the Processor in connection with the provision of the MCP Manager Service, as referenced in Section 2.2 of this Agreement.
Given the nature of the Service as a data-routing and access control platform, most personal data categories are determined dynamically by the Controller’s use. However, the Processor processes the following baseline categories of personal data in a consistent and predictable manner:
1. Account and Configuration Data
Personal data related to the Controller’s account and Service configuration, including:
- Name and surname
- Business email address
- Account identifiers (e.g., tenant ID, user ID, organization GUID, team GUID)
- Organization and role information
- Integration and permission settings configured by the Controller
2. Usage and Interaction Data (Logs)
Personal data contained in system-generated logs, including:
- Tool calls and API requests
- Access events (login attempts, timestamps)
- IP addresses and device-related information
- System activity and error logs
Note: Query content submitted through the Service may also appear in logs depending on configuration. See Section 4.2 and the Dynamic Data Categories section below.
3. Technical and Device Data
Information automatically processed to ensure secure and reliable operation of the Service, including:
- IP address
- Device identifiers
- Browser type and version
- Operating system
- Network and connection metadata
4. Support and Communication Data
Where applicable, personal data processed in the context of support or account management:
- Contact details (name, business email)
- Support requests and correspondence
- Onboarding and service-related communications
Dynamic Data Categories (Controller-Determined)
In addition to the categories listed above, the Processor processes personal data transmitted through the Service as part of queries, tool calls, and integrations configured by the Controller. These may include, but are not limited to:
- Identification data (e.g., names, user IDs)
- Contact data (e.g., email addresses, phone numbers)
- Professional or employment-related data
- Customer or end-user data
- Any personal data contained in connected systems (e.g., CRM, databases, APIs)
- Any personal data included in prompts, queries, or AI model interactions
The Processor does not control or limit these categories, as they are determined solely by the Controller’s integrations and connected services, the Controller’s configuration and permissions, and the content of queries submitted via the Service.
Special Categories of Personal Data
The Processor does not intentionally process special categories of personal data (as defined under Art. 9 GDPR) unless such data is transmitted through the Service by the Controller. The Controller is solely responsible for determining whether such data is processed, ensuring a valid legal basis for such processing, and implementing appropriate safeguards where required.
Summary
- The Processor processes limited, fixed categories of personal data (account, logs, technical, and support data).
- All other personal data categories are fully controlled and determined by the Controller.
- The Service acts as a neutral, transient processing layer and does not independently expand or enrich data categories.