Data Processing Agreement

1) Definitions

Terms like Personal Data, Processing, Controller, Processor, Sub-processor have the meanings in GDPR/UK GDPR.

2) Scope and roles

• Customer is the Controller (or Processor on behalf of another Controller).
• Tealytics is the Processor.
• Tealytics processes Personal Data only to provide and support the Service, per Customer instructions, as described here.

3) Customer instructions

Tealytics will process Personal Data:

• to provide the Service as configured and used by Customer,
• to maintain security, prevent abuse, troubleshoot, and improve reliability,
• as documented in the Service documentation,
• as required by applicable law (with notice where permitted).

Customer warrants its instructions comply with applicable law, including having a lawful basis for processing and appropriate notices.

4) Security measures

Tealytics implements appropriate technical and organizational measures (TOMs) designed to protect Personal Data, including (as applicable):

• Access controls (least privilege, authentication).
• Encryption in transit (TLS).
• Encryption at rest where feasible.
• Logging and monitoring.
• Backup and disaster recovery.
• Vulnerability management and incident response.

Annex B may list current TOMs in more detail once finalized.

5) Confidentiality

Tealytics ensures personnel authorized to process Personal Data are bound by confidentiality obligations.

6) Sub-processors

Customer authorizes Tealytics to use Sub-processors to provide the Service.

• Tealytics will maintain a list of Sub-processors (in documentation or on request).
• Tealytics will notify Customer of material changes to Sub-processors where feasible.
• Tealytics remains responsible for Sub-processor performance under this DPA.

7) Assistance to Customer

Tealytics will provide reasonable assistance to help Customer:

• respond to data subject requests (access, deletion, etc.), to the extent Customer cannot do it via the Service,
• meet obligations regarding DPIAs and prior consultations, limited to information reasonably available to Tealytics.

8) Data subject requests

If Tealytics receives a request directly from a data subject relating to Customer data, Tealytics will (where legally permitted) notify Customer and direct the data subject to Customer.

9) Personal data breach

Tealytics will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data and provide information reasonably necessary for Customer’s obligations.

10) International transfers

Where GDPR/UK GDPR applies and Personal Data is transferred outside the EEA/UK, Tealytics will ensure appropriate safeguards, such as:

• EU SCCs and/or UK Addendum, or
• adequacy decisions, or
• other lawful mechanisms.

11) Audits

Customer may audit Tealytics compliance with this DPA:

• no more than once per year (unless a material incident),
• with reasonable prior notice,
• during business hours,
• subject to confidentiality and security constraints.

Tealytics may satisfy audit requests via third-party reports (e.g., SOC 2) when available.

12) Return and deletion

Upon termination of the Service, Tealytics will delete or return Customer Personal Data within a reasonable time, unless:

• retention is required by law,
• data remains in backups for a limited rolling period.

13) Liability

Liability is governed by the main agreement, except where mandatory data protection law requires otherwise.