Data Processing Agreement
Last updated: June 2026
1. Scope of processing
Regor processes personal data solely to provide the services in the underlying agreement: ingesting and analyzing search and click event data, operating autonomous agents to identify and remediate product discovery issues, generating analytics and recommendations, and providing the merchant and administrative dashboards.
Categories of data subjects
- The customer's end users (online shoppers)
- The customer's employees and authorized platform users
Types of personal data
- Search queries and clickstream data, anonymized by default
- IP addresses, hashed for analytics and not stored in raw form
- Product interaction data: clicks, add-to-cart events, purchases
- Customer account information: name, email, and role for platform access
2. Roles and instructions
The customer is the data controller and Regor is the data processor. Regor processes personal data only on the customer's documented instructions, which the agreement and this DPA constitute, unless required otherwise by applicable law. All Regor personnel authorized to process personal data are bound by confidentiality obligations.
3. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256), with encrypted API keys
- Role-based access control, JWT authentication, and HMAC-signed webhooks
- Audit trail for all agent actions: proposed, approved, executed, rolled back
- Data minimization, with search analytics aggregated and anonymized where possible
A detailed security overview is available to customers and prospects on request at security@regor.ai.
4. Sub-processors
| Sub-processor | Service |
|---|---|
| Supabase | Database hosting |
| Hetzner | Application hosting |
| Stripe | Payment processing |
| OpenAI | LLM inference (anonymized queries) |
| Cloudflare | DNS, CDN, WAF, DDoS |
| Vercel | Website hosting (no personal data) |
Regor notifies customers at least 30 days before engaging a new sub-processor. A customer may object in writing within 14 days, and where a reasonable objection cannot be resolved, may terminate the affected services. All sub-processors are bound by data protection obligations no less protective than this DPA.
5. Data subject rights
Regor assists the customer in responding to data subject requests to exercise rights of access, rectification, erasure, restriction, portability, and objection. If Regor receives a request directly from a data subject, it promptly notifies the customer and does not respond without authorization.
6. Security incidents
Regor notifies the customer without undue delay, and in any event within 72 hours of becoming aware of a security incident affecting the customer's personal data. The notification includes the nature of the incident, its approximate scope, a point of contact, the likely consequences, and the measures taken. Regor cooperates with investigation, mitigation, and any required regulatory or data subject notifications.
7. Deletion and return
Within 30 days of termination, Regor deletes all personal data from production systems, provides an export in a standard format (JSON or CSV) on request, and confirms deletion in writing. Personal data in automated backups is deleted in line with the backup rotation schedule, not to exceed 90 days. Regor retains data beyond this only where required by law.
8. Audits and international transfers
A customer may audit Regor's compliance on 30 days' written notice, no more than once per year, or accept an independent third-party audit report as evidence. Where personal data is transferred outside the EEA, Regor relies on Standard Contractual Clauses and verifies that recipient sub-processors maintain adequate protection.
9. Contact
For a signed DPA or data protection questions, contact security@regor.ai. See also our Privacy Policy and Terms of Service.