Capable — Data Processing Agreement

Effective date: 2026-06-17

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service (the "Agreement") between Capable Agents AB ("Capable", "Processor") and the customer that has accepted the Agreement ("Customer", "Controller"). It applies where, and to the extent that, Capable processes Personal Data that forms part of Customer Data on Customer's behalf in providing the Services. Capitalised terms not defined here have the meaning given in the Agreement.

If there is a conflict between this DPA and the Agreement on matters of data protection, this DPA prevails.


1. Definitions

The terms "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority", "Special Categories of Personal Data", and "Personal Data Breach" have the meanings given in the GDPR.

  • "Data Protection Law" means all laws applicable to the Processing of Personal Data under the Agreement, including: Regulation (EU) 2016/679 (the "GDPR"); the GDPR as incorporated into the law of the United Kingdom (the "UK GDPR") and the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection (the "Swiss FADP"); and the California Consumer Privacy Act as amended by the CPRA (the "CCPA"), each as applicable.
  • "Customer Personal Data" means Personal Data contained in Customer Data that Capable Processes on Customer's behalf under the Agreement.
  • "Standard Contractual Clauses (EU SCCs)" means the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914.
  • "UK Addendum" means the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
  • "Sub-processor" means any third party engaged by Capable to Process Customer Personal Data.

2. Roles and scope

2.1 Roles. As to Customer Personal Data, Customer is the Controller and Capable is the Processor. Where Customer is itself a processor acting on behalf of a third-party controller, Capable acts as a sub-processor and Customer warrants it has the third-party controller's authority to engage Capable on these terms.

2.2 Capable as controller. This DPA does not apply to Personal Data for which Capable is itself a controller (e.g. account, billing, and product-usage data). That Processing is described in our Privacy Policy.

2.3 Details of Processing. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects are set out in Annex I.


3. Processing instructions

3.1 Documented instructions. Capable will Process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, this DPA, the configuration and use of the Services by Authorized Users, and any further written instructions Customer gives that the parties agree to, unless required to Process by EU or Member State law (in which case Capable will inform Customer of that requirement before Processing, unless the law prohibits it on important grounds of public interest).

3.2 Lawfulness. Customer is responsible for the lawfulness of Customer Personal Data and of the instructions it gives, including having a valid legal basis and any required notices or consents.

3.3 Unlawful instructions. Capable will inform Customer if, in its opinion, an instruction infringes Data Protection Law (without obligation to provide legal advice).


4. Confidentiality of personnel

Capable ensures that persons authorised to Process Customer Personal Data are bound by appropriate obligations of confidentiality and are subject to least-privilege access controls, and that access is limited to personnel who need it to provide, secure, or support the Services.


5. Security

Capable implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.


6. Sub-processors

6.1 General authorisation. Customer provides a general written authorisation for Capable to engage Sub-processors to Process Customer Personal Data. The current Sub-processors are listed at legal/subprocessors.md and in Annex III.

6.2 Obligations. Capable will impose on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to Customer for its Sub-processors' performance of those obligations.

6.3 Change notification and objection. Capable will notify Customer of any intended addition or replacement of a Sub-processor (by updating the list and by a notice mechanism such as email or in-product, where Customer has subscribed to such notice), giving Customer a reasonable period (at least thirty (30) days unless a shorter period is needed for security or legal reasons) to object on reasonable data-protection grounds. If Customer reasonably objects and the parties cannot resolve the objection, Customer may terminate the affected part of the Services as its exclusive remedy.


7. Assistance to Customer

7.1 Data subject requests. Taking into account the nature of the Processing, Capable will assist Customer by appropriate technical and organisational measures, insofar as possible, to respond to Data Subject requests to exercise their rights. If Capable receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond on the merits and will, without undue delay, direct the request to Customer or instruct the Data Subject to contact Customer.

7.2 DPIAs and prior consultation. Capable will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of Processing and the information available to Capable.


8. Personal Data Breach

Capable will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its breach-notification obligations. Capable will take reasonable steps to mitigate and remediate the breach. Notice of a breach is not an acknowledgement of fault or liability.


9. Return and deletion

On termination or expiry of the Agreement, Capable will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, except to the extent storage is required by EU or Member State law. Capable's standard mechanism is a thirty (30) day post-termination export window followed by deletion, subject to soft-deletion and backup cycles; data in backups is purged as those backups age out on Capable's normal rotation.


10. Audit and information

10.1 Information. Capable will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.

10.2 Audits. Capable will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach), on reasonable prior written notice, during business hours, subject to confidentiality, and in a manner that does not disrupt Capable's operations or compromise the security or data of other customers. Capable may satisfy audit requests by providing relevant third-party reports, certifications, and security documentation where available.


11. International transfers

11.1 Mechanisms. To the extent Capable transfers Customer Personal Data out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the following are incorporated by reference and apply:

  • the Standard Contractual Clauses (EU SCCs), with Module Two (Controller-to-Processor) where Customer is a controller, and Module Three (Processor-to-Processor) where Customer is itself a processor;
  • the UK Addendum for transfers subject to the UK GDPR; and
  • the Swiss addendum (with references to the GDPR read as references to the Swiss FADP, the competent authority being the FDPIC, and protection extended to legal entities) for transfers subject to the Swiss FADP.

11.2 Capable as exporter. Where Capable transfers Customer Personal Data onward to a Sub-processor in a non-adequate country, Capable is the data exporter and concludes appropriate transfer mechanisms with that Sub-processor.

11.3 SCC operative elements. For the EU SCCs: the optional docking clause applies; the Module Two/Three options for sub-processor authorisation correspond to the general authorisation in Section 6; the period for sub-processor notice is as set in Section 6.3; the governing law and forum are those of Sweden where permitted; and Annexes I, II, and III to this DPA populate the corresponding SCC annexes (parties, description of transfer, competent supervisory authority, and technical and organisational measures). For the EU SCCs, the competent Supervisory Authority is the Swedish Authority for Privacy Protection (IMY).


12. AI processing architecture (Anthropic)

The Services do not make server-side calls to any large language model, and Capable does not transmit Customer Personal Data to a model server. The AI assistant used with the Services is Anthropic's Claude, connected by the Authorized User under that user's own agreement with Anthropic. When an Authorized User instructs Claude, Capable's MCP server returns the requested Customer Data into that user's own Claude session, where Anthropic Processes it under the user's own Anthropic terms. Accordingly, Anthropic is not a Sub-processor under this DPA, and Capable does not engage Anthropic to Process Customer Personal Data on Capable's behalf. Customer is responsible for its Authorized Users' relationship with, and use of, Anthropic's Claude.


13. CCPA service-provider addendum

Where the CCPA applies, Capable acts as a service provider to Customer with respect to Customer Personal Data. Capable will not: (a) sell or share such Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship between the parties; or (d) combine it with personal information from other sources, except as permitted by the CCPA. Capable certifies that it understands and will comply with these restrictions.


14. Liability and precedence

14.1 Liability. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement (in EUR), and any reference to a party's liability means the aggregate liability under the Agreement and this DPA together. The limitation-of-liability carve-out for data-protection breaches in the Agreement applies.

14.2 Precedence. This DPA prevails over the Agreement on matters of data protection. Where the EU SCCs apply, the SCCs prevail over this DPA and the Agreement to the extent of any conflict regarding the safeguarding of transferred Personal Data.

14.3 Governing law. Except where the EU SCCs require otherwise, this DPA is governed by the laws of Sweden, with venue per the Agreement (Stockholm District Court (Stockholms tingsrätt)).


Annex I — Description of Processing

A. Parties

  • Controller / data exporter: Customer (the entity that accepted the Agreement), as identified in its account or Order Form.
  • Processor / data importer: Capable Agents AB, a limited liability company (aktiebolag) incorporated in Sweden, organisationsnummer 559504-0444, VAT SE559504044401, Bäckaskiftsvägen 68, 122 42 Enskede, Sweden. Contact: hello@capable.run. UK representative: not applicable (Capable does not currently offer the Services to UK data subjects; one will be appointed before any UK onboarding).

B. Subject matter and duration. Provision of the AI-native CRM Services described in the Agreement, for the duration of the Agreement plus the post-termination deletion period in Section 9.

C. Nature and purpose of Processing. Hosting, storage, organisation, structuring, retrieval, transmission, and display of Customer Data; recording and transcription of meetings where enabled; population of CRM records from connected Google metadata; company-level (domain) enrichment; background processing of imports, signals, scheduled reports, and recorder routing; rate-limiting, caching, error monitoring, and metadata-minimized product analytics — all to provide, secure, support, and improve the Services on Customer's behalf.

D. Categories of Data Subjects. Customer's Authorized Users; Customer's contacts, leads, prospects, customers, and counterparties; attendees of meetings recorded with the meeting recorder; and other individuals whose Personal Data Customer chooses to include in the Services.

E. Categories of Personal Data.

  • Identity and contact data of contacts and Authorized Users (name, email, title, role, organisation).
  • CRM relationship data (accounts, opportunities, subscriptions, tasks, signals, notes, activity/touches).
  • Email header metadata from the connected Google account (e.g. From/To/Cc/Date/Subject) — never message bodies.
  • Calendar event metadata (titles, attendees, start/end times, join links) — never event descriptions, locations, or attachments.
  • Meeting transcripts and recording links (where the recorder is enabled).
  • Company-level facts looked up by domain (firmographic, not individual).

F. Special Categories of Personal Data. Not intended. Customer must not submit Special Categories of Personal Data except in compliance with the AUP and Data Protection Law; any incidental special-category data appearing in free-text notes or transcripts is Processed only as part of the general Services.

G. Frequency of transfer. Continuous, for the duration of the Agreement.

H. Competent Supervisory Authority. Integritetsskyddsmyndigheten (IMY), Sweden.


Annex II — Technical and Organisational Measures (TOMs)

Capable maintains measures appropriate to the risk, including:

  1. Encryption. Personal Data is encrypted in transit (HTTPS/TLS) and at rest (provider-managed encryption at the primary data store). Connected Google OAuth refresh tokens are encrypted with authenticated encryption (AES-256-GCM).
  2. Access control & SSO. Least-privilege access; required single sign-on for administrative access; role-based access (admin, manager, member, viewer); row-level security isolating each Workspace's data; service-role credentials restricted to backend use.
  3. Audit logging. Audit logs from day one for security-relevant and write operations, including a governance enforcement chokepoint through which write operations pass.
  4. Network & application security. Hardened, managed cloud infrastructure; signed webhooks for third-party callbacks; per-Workspace and per-user rate limiting; input validation and an allowlist discipline for dynamic operations.
  5. Backups, PITR & DR. Regular backups with point-in-time recovery and a documented disaster-recovery plan.
  6. Incident response. A documented incident-response process, including breach assessment and notification without undue delay.
  7. Vendor management. A maintained vendor/sub-processor list with contractual data-protection obligations and change notification.
  8. Data minimisation & pseudonymisation. Gmail access is limited to header metadata (never bodies); Calendar to event metadata (never descriptions/attachments); company enrichment is domain-level only (no per-individual enrichment); product analytics is cookieless and metadata-minimized; error monitoring is configured not to send personal data by default; soft deletion is used across the Services.

Capable builds to SOC 2 principles and is not yet SOC 2 certified. Measures may be updated provided protection is not materially reduced.


Annex III — Sub-processors

The current list of Sub-processors, with purpose, data processed, and location, is maintained at legal/subprocessors.md and incorporated here by reference. That list also explains, in a footnote, why Anthropic is deliberately not a Sub-processor (consistent with Section 12 of this DPA): Customer Data is returned into the Authorized User's own Claude session under the user's own Anthropic agreement, and Capable makes no server-side model calls.
