Data Processor Addendum

related to the Teti usage

This Data Processing Addendum (hereinafter "DPA") is incorporated into and forms part of the TetiAI LLC (and hereinafter "Teti") Privacy Policy, Terms of Use and other agreement between Customer and Teti that references and applies to Teti's processing of Data. Teti may amend this DPA from time to time on reasonable notice to Customer to the extent such changes are required due to changes in Applicable Data Protection Laws. If there is any conflict between the terms of this DPA and other provisions, the conflicting terms in this DPA will govern.

Definitions

"Applicable Data Protection Laws" means all applicable privacy or data protection laws and regulations relating to the processing of personal data, as may be amended from time to time.

"Customer Data" means all data or other information submitted through the usage of Teti services by or for Customer.

"Data Subject" means the subject who the Customer Data refers to.

"Data Subject Request" means a request from a data subject to exercise their personal data-related rights under Applicable Data Protection Laws, such as rights to access, correct, or delete their personal data.

"GDPR" means the EU 2016/679 General Data Protection Regulation.

"Security Breach" means a breach of Teti's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Data.

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

"Subprocessor" means an entity engaged by Teti to process Customer Personal Data in such part of processing.

"UK Addendum" means the International Data Transfer Addendum to the SCCs, issued by the Information Commissioner under S119A(1) Data Protection Act 2018, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf.

"User" means the subject, different from Customer, that uses Teti services processing Customer Data.

The terms "personal data", "data subject", "processing", "controller", and "processor" as used in this DPA have the meanings given by Applicable Data Protection Laws or, absent any such meaning or law, by GDPR. The terms "controller" and "processor" include "business" and "service provider", respectively, as required by Applicable Data Protection Laws.

Processing of Customer Data

With respect to Customer Data, the User that process Customer Data through Teti Services is the controller and Teti is Customer Data processor. Each party will comply with its respective obligations under Applicable Data Protection Laws in connection with the services and the Customer Personal Data.

Unless required by applicable law to which Teti is subject, Teti will only process Customer Data to provide or maintain its services, and in compliance with User's documented instructions (including as set out in the Terms of Use and this DPA).

Without any limitations of the above, Teti will not sell or share Customer Data; retain, use, or disclose Customer Data outside of the direct relationship and for any purpose other than specified in the Privacy Policy or as otherwise permitted by Applicable Data Protection Laws; and, except as otherwise permitted by Applicable Data Protection Laws, combine Customer Data with personal data that Teti receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

Teti will cooperate with and provide reasonable assistance to User for:

User's performance of any data protection impact assessment of the processing of Customer Data by Teti, and
related consultation with supervisory authorities, either or both of which User reasonably considers to be required by Applicable Data Protection Laws.

Teti will ensure that each person it authorizes to process Customer Data is subject to an appropriate duty of confidentiality.

Subprocessors

User grants Teti general authorization to engage the subprocessors listed the table below, and any additional subprocessors in accordance with this section.

For the engagement of any subprocessor, Teti will:

enter into a contractual agreement imposing data protection obligations that are substantially as protective as Teti's obligations under this DPA to the extent applicable to the nature of the services provided by subprocessor; and
remain liable to User for each subprocessors' acts and omissions related to this DPA to the extent Teti is liable for its own, consistent with the limitation of liability provided in the Terms of Use.

In the event that Teti wishes to appoint an additional subprocessor, Teti will provide User reasonable information of the new subprocessor publishing on its online enviroment the changes and User may, on the basis of reasonable data privacy or data security concerns, object to Teti's use of such subprocessor by providing Teti with written notice of the objection within fifteen (15) days of the date of such updates, or User is deemed to consent to the new subprocessor. In the event User objects to Teti's use of a new subprocessor, User and Teti will work together in good faith to find a mutually acceptable resolution to address any objection raised by User.

Teti subprocessors list

(last update october 25)

Railway.com (IaaS Cloud Provider – privacy policy)
LMNT.com (Voice AI Platform Provider - privacy policy)
Deepgram (Speech-to-text Function Provider – privacy policy)
Resend (Mailing Function Provider – privacy policy)
Together AI (Model Function Provider – privacy policy)
Openrouter AI (Model Function Provider – privacy policy)
Hetzner (Cloud Storage Provider – privacy policy)
Stripe Inc. (Payment Provider - privacy policy)
Revenuecat.com (Payment Provider – privacy policy)
Google Inc. App Payment (Payment Provider – privacy policy)
Apple Inc. App Payment (Payment Provider – privacy policy)

Data Subject Rights Requests Support

Teti will forward to User promptly any Data Subject request received by Teti relating to the Customer Data and may advise the Data Subject to submit their request directly to User. Teti will, taking into account the nature of the processing, provide User with reasonable and timely assistance as necessary for User to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject requests.

Technical, Organizational and Security Measures

Teti will comply with the technical, organizational and security obligations of Applicable Data Protection Laws and will implement and maintain reasonable and appropriate data protection and security measures to ensure a level of protection for the Customer Data. Measures will be appropriate to the risk of the relevant processing, as set in the table below. Teti may update these measures from time to time, provided that such updates do not materially reduce the overall security of the services.

Teti technical, organizational and security measures

(last update october 25)

Teti has implemented and will maintain technical, organizational and security measures designed in accordance with industry standard practices to protect the confidentiality, integrity and availability of the Customer Data. Additional information about Teti's measures can be found at teti.ai/hub/security.

Tecnical and organizational measures:

operational procedures and controls define physical, technical, and administrative safeguards that provide for the configuration, monitoring and maintenance of technology and information systems that process Customer Data according to prescribed internal and adopted industry standards;
a robust suite of internal policies that are communicated and distributed to all personnel, including policies covering data breach, supply-chain security, data subject rights, use acceptable, data retention and deletion policy, auding and assessment annual planning;
all personnel engaged by Teti are properly trained and obligated to comply with the requirements of Teti's security program, including with respect to the confidentiality and security of the Customer Data.

Security measures:

business continuity plan and procedures are tested annually and designed to maintain service availability and enable recovery from emergency situations or disasters;
network security controls provide for appropriate network traffic filtering to protect systems from intrusion and limit the scope of any potential security compromise;
all personnel are assigned unique identifiers for interacting with systems managing Customer Data;
all default system credentials are changed prior to a system's use in a production capacity;
a least privileged access approach to system access, using RBAC (Role Based Access Control), by restricting personnel to only the system access needed to fulfill a specific job function or business needs;
all access to systems processing Customer Data are protected by Multi Factor Authentication (MFA);
SSO is enforced for all systems with access to, or that store or maintain, Customer Data;
prohibits the sharing or transmission of passwords through unsecured communication channels;
reviews privileged access to systems managing Customer Data on a regular basis to ensure provisioned access remains appropriate to job functions or business needs;
all users with privileged access to Customer Data have all access revoked promptly following termination of employment;
standard encryption methods for protection of Customer Data, including a minimum of AES-256 for data at rest, and TLS1.3+ for data in transit over public networks;
vulnerability assessment, patch management, threat protection technologies, and scheduled monitoring procedures are designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code and performed at least every six months;
system audit or event logging and related monitoring procedures are proactively configured to detect, prioritize, and escalate, as appropriate, suspicious activities for review;
security-related logs are retained for appropriate timeframes to aid in the investigation of security incidents.

Parties agree that the measures set out in tabel above provide an adequate level of protection for the Customer Data, accounting for the risks presented by the processing outlined in the Terms of Use and this DPA.

Auditing activities

Teti is internally audited annually following the best ISO standard related to its industry.

Upon User's written request, and subject to specific confidentiality obligations, Teti will provide User with such audit reports or certificates applicable to its services, to the extent available, or such other information reasonably necessary to demonstrate compliance with this DPA.

Upon User's written request, Teti will allow User, at User's expense, to audit Teti's applicable controls and compliance with this DPA, provided such operation is conducted by User or a third-party auditor designated by User that has executed an appropriate confidentiality agreement with Teti; User and Teti mutually agree on reasonable details of the operation, including the start date, scope and duration of, and security and confidentiality controls applicable to such operation, and a similar operation has not already been conducted less than twelve (12) months prior, unless there are indications of non-compliance and/or it is required by a supervisory authority or other regulatory authority responsible for the enforcement of Applicable Data Protection Laws.

User will pay any reasonably incurred costs and expenses incurred by Teti in the event User performs an opeartion that is not required by Applicable Data Protection Laws or in response to a security breach.

User may use the results of such operation only for the purposes of meeting User's regulatory audit requirements and/or confirming compliance with the requirements of the DPA.

Security breaches

Teti will notify User in writing without undue delay, but in any event within 48 hours, after becoming aware of any security breach, and will assist User in complying with obligations under Applicable Data Protection laws. Teti's notification of, or response to, a security breach will not be construed as an acknowledgement by Teti of any fault or liability with respect to the security breach.

Upon becoming aware of a security breach, Teti will investigate the security breach and provide timely information relating to the nature of the security breach, such as, where reasonably possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Data records concerned, the likely consequences and the measures taken or proposed to be taken by Teti to address the security breach, including, where appropriate, measures to mitigate its possible adverse effects.

End of processing

In the event of User request to delete its account and end the usage of Teti services or within thirty (30) days of the date of termination or expiration of the agreement, Teti will return a copy of all Customer Data in its control or possession or provide a self-service functionality allowing Customer to do the same (if this operation is requested by User within that period) and delete all copies of Customer Data processed by Teti except to the extent Applicable Data Protection Laws or other applicable legal or regulatory requirements requires storage of the Customer Data, retention of the Customer Data by Teti is necessary to resolve a dispute between the parties, or retention of the Customer Data is necessary to contrast harmful use of the services.

Standard Contractual Clauses (details of processing)

The parties agree that, to the extent required by Applicable Data Protection Laws, the terms of the SCCs (a defined in the previous paragraph) and the jurisdiction-specific addenda to the SCCs are hereby incorporated by reference and will be deemed to have been executed by the parties.

To the extent that there is any conflict between the terms of this DPA, the Terms of Use, and the terms of the SCCs, the terms of the following documents will prevail (in order of precedence): the SCCs; this DPA; and the Terms of Use.

Teti will, upon Customer's request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment to the extent required under Applicable Data Protection Laws.

With reference to the details of processsing, following are listed the related information:

Data Exporter: the data exporter is the User and/or its affiliates exporting Customer Data to which GDPR applies. The data exporter's contact person's name, position and contact details as well as (if appointed) the data protection officer's name and contact details and (if relevant) the representative's contact details are included in the agreement or will be disclosed to Teti upon request;
Data Importer: the data importer is the Teti entity. The data importer's contact person and contact details are included in the agreement or will be disclosed to User upon request;
Categories of Data Subjects and Customer Data: determined by User;
Duration and frequency of the processing: the processing is performed on a continuous basis for the duration of the Services and is determined by User's configuration of them.
Subject matter and nature of the processing: performing the Services on behalf of User which involves processing (including collection, storage, organization and structuring) of personal data as part of a natural language-based, machine-learning tool, as further described in the Terms of Use; verifying or maintaining the quality, security, and integrity of the Services; debugging to identify and repair errors that impair existing intended functionality;
Purpose(s) of the data transfer and further processing: to provide the Services to User pursuant to the Terms of Use and as may be further agreed upon by User and Teti;
Storage Limitation: the duration is the term of the Services used by the User.

With reference to the competent Supervisory Authority (SA), where the data exporter is established in an EU Member State, the SA of the country in which the data exporter established is the competent authority; where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3, ¶2 and has appointed a representative pursuant to Article 27 ¶1 of the GDPR, the competent SA is the one of the Member State in which the representative is established. Finally, where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3 ¶2 without, however, having to appoint a representative pursuant to Article 27 ¶2 of the GDPR, the competent SA is the SA of Ireland.

International Transfer of Data (UK and Swiss addendum)

This UK Addendum will apply to any processing of Customer Data that is subject to the UK GDPR or both the UK GDPR and the GDPR. For the purposes of this UK Addendum:

"Approved Addendum" means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses;
"UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;
"Mandatory Clauses" means "Part 2: Mandatory Clauses" of the Approved Addendum.

With respect to any transfers of Customer Data falling within the scope of the UK GDPR from User (as data exporter) to Teti (as data importer) to the extent necessary under Applicable Data Protection Law, the Approved Addendum as further specified in this UK Addendum of this section will be incorporated into and form part of this DPA. For the purposes of Table 4 of Part 1 of the Approved Addendum, Teti (as data importer) may end the Approved Addendum.

This Swiss Addendum will apply to any processing of Customer Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

This "Addendum" means this Addendum to the Clauses.
"Clauses" means the Standard Contractual Clauses as further specified in this Schedule.
"Swiss Data Protection Laws" means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

This Addendum will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that if fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6 ¶2 lett. a) of the Swiss Data Protection Laws, as the case may be.

This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.

Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

In the event of a conflict or inconsistency between this Addendum and the provisions of the SCCs or other related agreements between the parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects will prevail.

In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:

for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter's processing when making that transfer; and
to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6 ¶2 lett. a) of the Swiss Data Protection Laws, as the case may be.

User warrants that it and/or its affiliates have made any notifications to the FDPIC (Swiss SA) which are required under Swiss Data Protection Laws.

DPA updates

Tetimay make amendments and/or additions to this DPA, also as a consequence of changes in the applicable legislation. User may view the text of the DPA constantly updated on the Teti online enviroment in the DPA section or make an explicit request by contacting Teti or the DPO directly at the e-mail addresses [email protected] or [email protected].

Last update: October 2025