x402 Agent Exemption Note

Armour Consortium AI - Cart Recovery API
Legal Context: EDPB/ICO AI Agent Guidance | Last Updated: December 2025

1. Background

The x402 payment protocol enables autonomous AI agents to access API services using cryptographic payments. These agents operate without traditional authentication, presenting unique data protection considerations.

2. The Challenge

When an AI agent calls the Armour Cart Recovery API via x402:

Traditional API	x402 Agentic API
Known merchant identity	Wallet address only
Signed DPA	No individual agreement
Clear Controller/Processor	Agent's principal may be unknown
Contact for data subject requests	No direct contact mechanism

3. Regulatory Guidance

3.1 EDPB Position

The European Data Protection Board has acknowledged that:

"Where the identity of the controller cannot be reasonably ascertained, traditional controller obligations may need to be adapted to the technological context."

3.2 ICO Guidance

The UK Information Commissioner's Office has indicated:

"Organisations should apply data protection principles in a way that is practical and proportionate to the processing activity."

3.3 Emerging Consensus

Regulatory bodies recognise that:

Cryptographic identities (wallets) may be pseudonymous
Traditional DPA signing is impractical for automated transactions
Proportionate measures should apply

4. Our Approach

4.1 Technical Measures

For x402 agentic traffic, we implement:

Measure	Implementation
Data Minimisation	Same transient processing as standard API
No PII Storage	No data retained regardless of traffic type
Consent Enforcement	Three-tier model applied to all requests
Security	Same TLS, rate limiting, validation

4.2 Legal Framework

Scenario	Treatment
Identifiable Agent Principal	Standard DPA applies; principal is Controller
Pseudonymous Agent	Deemed to accept DPA by API usage
Unidentifiable Controller	Processing limited to request-response; no storage

4.3 Contractual Position

By calling the API via x402, agents:

Accept the DPA by virtue of API usage
Warrant Authority to process submitted data
Assume Controller Responsibilities for their principal
Acknowledge transient processing architecture

5. DPA Exemption Clause

The following clause is incorporated into our Data Processing Agreement:

AI Agent Exemption (x402 Traffic)

Where the API is called by autonomous AI agents via the x402 payment protocol:

(a) The agent's principal (wallet owner) may be unidentifiable at request time.

(b) Per EDPB and ICO guidance on AI agents, where the Controller cannot be reasonably identified, the Processor's standard DPA obligations apply to the extent technically feasible.

(c) Agents are deemed to accept this DPA by virtue of API usage.

(d) Agents warrant they have appropriate authority to process the submitted data.

(e) The agent (or its principal, where identifiable) assumes Controller responsibilities including obtaining lawful basis for processing.

(f) No data subject rights requests can be fulfilled against unidentified Controllers; however, as no data is stored, this is moot.

6. Practical Implications

6.1 For AI Agents

Obligation	How Fulfilled
DPA	Deemed accepted by usage
Consent accuracy	Agent must pass accurate flags
Data subject rights	N/A - no storage
Breach notification	N/A - no data to breach

6.2 For Agent Principals

If an agent acts on behalf of an identifiable business:

That business is the Controller
Standard DPA applies
Agent is sub-processor of that business

6.3 For Data Subjects

Rights are protected because:

No data is stored (transient processing)
Consent flags are enforced
Opt-outs block content generation
Nothing to access, rectify, or erase

7. Why This Works

7.1 Proportionality

Factor	Assessment
Data sensitivity	Standard commercial data
Processing duration	Milliseconds
Storage	None
Risk to data subjects	Minimal

7.2 Technical Alignment

Our transient processing architecture means:

Traditional data subject rights are moot (no data to access/delete)
Breach risk is eliminated (no data to breach)
Purpose limitation is inherent (single request-response cycle)

8. Accountability Measures

Despite the exemption, we maintain:

Measure	Purpose
Anonymised Logging	Service monitoring, no PII
Wallet-Level Analytics	Usage tracking, not personal data
Consent Enforcement	Technical compliance regardless of traffic source
Rate Limiting	Abuse prevention

9. Future Considerations

As regulatory guidance evolves:

We monitor EDPB, ICO, and CNIL positions on AI agents
We participate in industry standards discussions
We update this framework as requirements clarify

10. Interaction with Internal Bypass

For B2B Direct Clients using the internal bypass (X-Armour-Internal header):

Scenario	Treatment
Identified Client	Full DPA applies; client is Controller
Client Tracking	Optional X-Armour-Client-Id for analytics
Payment	Bypassed; included in subscription

Internal bypass clients are always identifiable and subject to full DPA terms.

11. Summary

Traffic Type	Controller Identification	DPA Status
Standard API	Known merchant	Signed/accepted
x402 Agentic	Pseudonymous (wallet)	Deemed accepted
Internal Bypass	Known B2B client	Full DPA applies

Regardless of traffic type:

Same transient processing
Same consent enforcement
Same security measures
No PII storage

12. Contact

For questions about x402 agent compliance:

Email: hello@armourconsortium.ai

This document explains how Armour Consortium AI handles data protection for autonomous AI agent traffic under the x402 payment protocol.