This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and Tegendo.AI LLC for the use of the Tegendo.AI platform. This DPA applies to the extent that Tegendo processes Personal Data on behalf of the Customer in the course of providing the Service.
1. Definitions
For the purposes of this Data Processing Agreement, the following definitions apply. Terms not defined herein shall have the meaning given to them in the main agreement or, where applicable, in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection legislation.
- "Controller" means the Customer, the entity that determines the purposes and means of processing Personal Data and on whose behalf Tegendo processes Personal Data.
- "Processor" means Tegendo.AI LLC, which processes Personal Data on behalf of the Controller in connection with the provision of the Service.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service, as defined by applicable data protection law.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2. Scope and Purpose
This DPA applies to the processing of Personal Data by Tegendo as Processor on behalf of the Customer as Controller, in connection with the provision of Tegendo.AI's multi-model artificial intelligence platform services (the "Service"). The DPA supplements and forms part of the Terms of Service or other agreement between the parties governing the Customer's use of the Service (the "Main Agreement").
The purpose of the processing is to enable Tegendo to provide the Service to the Customer, including but not limited to: routing conversations to AI model providers for inference, storing conversation history and account data, managing authentication and access control, generating usage analytics and billing information, and maintaining audit logs. Tegendo shall process Personal Data only as necessary to provide the Service and in accordance with the Controller's documented instructions.
3. Processing Details
The following details describe the nature and scope of the processing activities performed by Tegendo under this DPA:
Nature of Processing
AI model inference (transmitting user prompts to AI providers and returning responses), data storage and retrieval, authentication and session management, usage tracking and billing, audit logging, and background job processing.
Purpose of Processing
To deliver the AI platform Service to the Customer and its authorized users, including all features described in the Service documentation and the Main Agreement.
Categories of Personal Data
- Conversation Content: Prompts, messages, uploaded files, and AI-generated responses submitted by Data Subjects through the Service. This may include any category of personal data that Data Subjects choose to include in their conversations.
- Account Data: Names, email addresses, organization names, roles, and authentication credentials of the Customer's authorized users.
- Usage Data: Token consumption, models used, timestamps, feature usage, IP addresses, browser type, and access logs generated during use of the Service.
Categories of Data Subjects
Data Subjects include the Customer's end users, employees, contractors, and other individuals authorized by the Customer to access the Service, as well as any individuals whose personal data may be included in conversation content submitted by the Customer's authorized users.
Duration of Processing
Processing will continue for the duration of the Main Agreement, plus any post-termination period necessary for data export, deletion, and compliance with legal obligations.
4. Obligations of the Processor
Tegendo, as Processor, shall comply with the following obligations in respect of Personal Data processed under this DPA:
- Documented Instructions: Process Personal Data only on the documented instructions of the Controller, including transfers to third countries, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
- Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security Measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6 of this DPA.
- Sub-processor Management: Not engage another processor without prior specific or general written authorization of the Controller. Where general written authorization is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, in accordance with Section 5.
- Data Subject Requests: Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, for the fulfillment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law.
- Compliance Assistance: Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to the Processor.
- Deletion and Return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires retention. The Customer may export data for up to 30 days following termination.
- Audit Cooperation: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as described in Section 9.
5. Sub-processors
The Controller provides general authorization for the Processor to engage the following sub-processors for the processing of Personal Data. The Processor has entered into data processing agreements with each sub-processor that impose obligations no less protective than those set forth in this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and storage | United States |
| Vercel, Inc. | Application hosting and edge delivery | United States |
| Anthropic PBC | AI model inference (Claude) | United States |
| OpenAI, Inc. | AI model inference (GPT) | United States |
| Google LLC | AI model inference (Gemini) | United States |
| Stripe, Inc. | Payment processing and billing | United States |
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors, providing the Controller with the opportunity to object. Notification will be sent to the email address associated with the Controller's organization administrator account. If the Controller objects on reasonable grounds related to data protection, the parties shall discuss the objection in good faith. If no resolution can be reached within 30 days of the objection, the Controller may terminate the affected portion of the Service without penalty.
6. Security Measures
The Processor implements and maintains the following technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage:
Technical Measures
- Encryption at Rest: All Personal Data stored in databases is encrypted using AES-256 encryption. BYOK API keys receive additional application-level encryption.
- Encryption in Transit: All network communications use TLS 1.3 encryption, including data transmitted between users, the Service, and sub-processors.
- Row-Level Security (RLS): Database access policies enforce strict tenant isolation at the query level, ensuring that each organization can only access its own data.
- Access Controls: Role-based access control (RBAC) restricts data access to authorized personnel. Administrative access requires multi-factor authentication and is subject to the principle of least privilege.
- Audit Logging: Comprehensive logging of all data access, modifications, and administrative actions, with tamper-resistant log storage.
Organizational Measures
- Security-First Development: Security review is integrated into the development lifecycle. Code changes undergo security review prior to deployment.
- Incident Response: A documented incident response plan covers identification, containment, eradication, recovery, and post-incident review of security events.
- Employee Training: All personnel with access to Personal Data receive training on data protection obligations, security best practices, and incident reporting procedures.
- Vendor Assessment: Sub-processors are evaluated for security and compliance posture before engagement and on a periodic basis thereafter.
7. Data Transfers
Personal Data processed under this DPA may be transferred to and processed in the United States, where the Processor and its sub-processors are located. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to countries that have not received an adequacy decision, the parties agree to the following transfer mechanisms:
- Standard Contractual Clauses: The parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module 2: Controller to Processor. The Customer acts as the data exporter and Tegendo acts as the data importer.
- Supplementary Measures: In addition to the SCCs, the Processor implements supplementary technical measures including encryption at rest and in transit, access controls, and audit logging to ensure an essentially equivalent level of protection for Personal Data.
- UK International Data Transfer Addendum: For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs applies.
Copies of the executed Standard Contractual Clauses are available upon request by contacting dpa@tegendo.ai.
8. Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall:
- Notification Timeline: Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the Data Breach, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects.
- Content of Notification: The notification shall include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and data records concerned; (b) the name and contact details of the Processor's data protection contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
- Cooperation: The Processor shall cooperate with the Controller in investigating and remediating the Data Breach and shall provide reasonable assistance to the Controller in fulfilling its breach notification obligations under applicable data protection law. The Processor shall document all Data Breaches, including the facts, effects, and remedial actions taken.
- Ongoing Updates: If full details are not available at the time of initial notification, the Processor shall provide information in phases without further undue delay as additional details become available.
9. Audits
The Controller has the right to verify the Processor's compliance with this DPA through audits and inspections, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of its intention to conduct an audit, including the proposed scope and duration.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of the audit unless the audit reveals material non-compliance by the Processor.
- The Controller and any third-party auditors shall enter into appropriate confidentiality agreements (mutual NDA) before accessing any Processor systems, documentation, or facilities.
- The Processor may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or documentation that demonstrates compliance, in lieu of on-site inspections, where reasonably sufficient.
- The frequency of audits shall not exceed once per twelve-month period unless a Data Breach has occurred or the Controller has reasonable grounds to suspect non-compliance.
10. Term and Termination
This DPA shall be effective for the duration of the Main Agreement between the Controller and the Processor. The DPA shall automatically terminate upon termination or expiration of the Main Agreement.
Upon termination of this DPA, the Processor shall, at the Controller's election and within 30 days of receiving written instruction:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
- Securely delete all Personal Data from the Processor's systems, including all copies and backups, and provide written certification of deletion.
Where applicable law requires the Processor to retain copies of Personal Data beyond the termination period, the Processor shall (a) inform the Controller of such requirement, (b) limit processing to what is required by law, and (c) continue to protect the data in accordance with this DPA until deletion is permissible.
Provisions of this DPA that by their nature should survive termination shall remain in effect, including obligations related to confidentiality, breach notification, and audit cooperation.
11. Contact
For questions, requests, or correspondence related to this Data Processing Agreement, please contact:
To request an executed copy of this DPA or the applicable Standard Contractual Clauses, please email dpa@tegendo.ai with the subject line "DPA Request" and your organization name.