# HARNEXA AI GDPR Article 28 Processor Packet Template

This template is a technical preparation artifact for qualified legal review. It is not legal advice and does not certify GDPR or EU AI Act compliance.

## 1. Parties and Roles

- Controller: client organisation.
- Processor: HARNEXA AI, for the scoped agentic commerce workflow.
- Sub-processors: listed in the public trust page and final client agreement.

## 2. Subject Matter and Duration

- Subject matter: design, deployment, operation, and audit support for the named governed agent workflow.
- Duration: limited to the signed diagnostic, deployment sprint, or AgentOps retainer term.

## 3. Nature and Purpose of Processing

- Nature: workflow analysis, tool-call execution inside approved boundaries, audit logging, evaluation, and reporting.
- Purpose: deliver the agreed governed commerce workflow and supporting AgentOps evidence.

## 4. Personal Data and Data Subjects

- Personal data categories: defined per client scope before access is granted.
- Data subjects: customers, employees, operators, suppliers, or other affected groups only when the signed scope includes them.

## 5. Documented Instructions

HARNEXA processes data only under documented client instructions, approved tool boundaries, and the selected risk class. Public proof surfaces never grant client-system access.

## 6. Security and Governance Measures

- Persistent agent identity.
- Scoped permissions and revocation path.
- Human approval gates for consequential actions.
- CLEAR evaluation baseline.
- Append-only audit trail.
- AgentOps reporting and review cadence.

## 7. Sub-Processors

Sub-processors are identified by role, data category, and boundary. New sub-processors require notice according to the client agreement.

## 8. Assistance and Incident Support

HARNEXA provides technical evidence needed for rights requests, DPIA inputs, security incident review, and audit inspection within the agreed scope.

## 9. Return or Deletion

At termination, client data is returned, deleted, or preserved only where audit integrity, contract terms, or law require retention.

## 10. Audit Evidence

HARNEXA provides AgentOps exports, audit rows, CLEAR scorecards, and control mappings for client review.
