Data Processing Agreement

Data Processing Agreement

Effective date: July 16, 2026

This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement and is incorporated by reference into any Order Form executed between Tandem App, Inc. (“Processor”) and Customer (“Controller”).

1. DEFINITIONS

For purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation performed on Personal Data.

“Data Subject” means the individual to whom Personal Data relates.

“Sub-processor” means any third party engaged by Processor to process Personal Data.

“Data Protection Laws” means all data protection, privacy, and security laws applicable to the Processing of Personal Data under this DPA, including the GDPR and the California Consumer Privacy Act, as amended by the California Privacy Rights Act, where applicable.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. PROCESSING OF PERSONAL DATA

2.1 Scope and Purpose

Processor shall process Personal Data solely to provide the Services as described in the Master Service Agreement.

2.2 Categories of Data

Depending on the Services used and the Customer’s configuration, Personal Data processed may include:

Account and identity data: names, work email addresses, user IDs, profile images, roles, workspace membership, and authentication records.

Professional and contact data: company details, job role, customer or colleague names, work email addresses, and Slack handles.

Project and workspace data: project details, playbooks, tasks, assignments, actions, messages, and activity history.

Connected-service and uploaded content: content and metadata that the Customer authorizes Tandem to access through connected services or provides through uploaded files, including emails, chat messages, documents, calendar events, CRM records, meeting notes, and call recordings or transcripts.

AI interaction and generated content: prompts and messages submitted to Tandem’s AI features, relevant context used to provide a response, and generated summaries, recommendations, and action items.

Technical, security, and usage data: IP addresses, browser and device information, session information, timestamps, application events, error reports, and feature-usage data.

Support and communications data: support requests, correspondence, and feedback provided to Tandem.

2.3 Categories of Data Subjects

Controller’s employees and contractors.

Controller’s customers and end users.

Controller’s prospects and leads.

3. PROCESSOR OBLIGATIONS

3.1 Compliance

Processor shall process Personal Data only on documented instructions from Controller, comply with all applicable Data Protection Laws, and maintain records of all processing activities.

3.2 Confidentiality

Processor ensures that persons authorized to process Personal Data are subject to appropriate confidentiality obligations, process Personal Data only on Controller’s instructions, and receive appropriate training on data protection.

3.3 Security Measures

Processor shall implement appropriate technical and organizational measures including encryption of Personal Data in transit and at rest, access controls and authentication mechanisms, regular security testing and vulnerability assessments, incident detection and response procedures, and business continuity and disaster recovery plans.

3.4 AI Processing

Where Controller enables AI-powered features, Processor may transmit Customer Personal Data to the AI Sub-processors identified in Section 4 solely to provide those features and generate the requested outputs.

Processor shall not use Customer Personal Data to train or improve generalized artificial intelligence or machine-learning models.

4. SUB-PROCESSORS

4.1 Authorized Sub-processors

Controller authorizes the following sub-processors:

Sub-processor

Purpose

Location

Google Cloud Platform

Cloud hosting, networking, managed databases, object storage, backups, workflow execution, and infrastructure services

United States (us-east1)

PostHog

Product analytics and usage telemetry

United States

SigNoz Cloud

Infrastructure monitoring and observability

United States

Resend

Transactional email delivery

United States

Sentry

Error tracking and application-performance monitoring

United States

Firecrawl

Crawling customer-designated knowledge-base URLs

United States

Slack

Operational alerts relating to service and integration failures

United States

OpenAI

AI inference services

United States

Anthropic

AI inference services

United States

Mistral

AI inference services

EU

OpenRouter

AI request routing and inference brokerage

United States

Cerebras

AI inference services

United States

Groq

AI inference services

United States

Fireworks (via OpenRouter)

AI inference services

United States

Baseten (via OpenRouter)

AI inference services

United States

Together (via OpenRouter)

AI inference services

United States

SambaNova (via OpenRouter)

AI inference services

United States

DeepInfra (via OpenRouter)

AI inference services

United States

Processor configures AI request routing for OpenRouter. Depending on the enabled model and availability of the configured providers, OpenRouter may route requests among AI inference providers authorized by Processor. Processor will maintain the list of authorized AI Sub-processors in accordance with Section 4.2.

At the Customer’s direction, Tandem may access or receive data from connected services such as Google Workspace (Gmail, Drive, and Calendar), Slack, Notion, HubSpot, and others. These services are selected and authorized by the Customer. Their processing of data is governed by the Customer’s agreement with the relevant provider.

4.2 NEW SUB-PROCESSORS

Processor may appoint new Sub-processors, provided that Processor gives Controller at least thirty (30) days’ prior written notice of the proposed appointment.

Controller may object to the proposed appointment by providing written notice, with reasonable grounds relating to data protection, within fourteen (14) days after receiving Processor’s notice.

If Controller makes a reasonable objection, the parties will work in good faith to make available a commercially reasonable alternative. If no alternative is available, either party may terminate the affected Services upon written notice, without penalty, to the extent the proposed Sub-processor is necessary to provide those Services.

4.3 Sub-processor Agreements

Processor ensures each sub-processor is bound by data protection obligations no less protective than this DPA and remains fully liable for sub-processor performance.

5. DATA SUBJECT RIGHTS

5.1 Assistance

Taking into account the nature of the Processing and the information available to Processor, Processor shall provide reasonable assistance to Controller in responding to Data Subject requests regarding access to Personal Data, rectification or erasure, data portability, restriction of processing, and objection to processing.

5.2 Response Time

Processor shall provide reasonable assistance without undue delay and, where practicable, within five (5) business days after receiving a request from Controller.

6. SECURITY INCIDENTS

6.1 Notification

Processor shall notify Controller of any Security Incident within 24 hours of becoming aware, including all relevant information available, with regular updates as investigation proceeds.

6.2 Incident Response

Processor shall investigate the cause and scope, implement remedial measures, cooperate with Controller’s compliance obligations, and document all incidents and responses.

7. AUDITS AND INSPECTIONS

7.1 Right to Audit

Controller shall first review Processor’s then-current third-party audit reports, certifications, and other compliance documentation made available by Processor.

If those materials are not reasonably sufficient to demonstrate Processor’s compliance with this DPA, Controller may conduct an audit no more than once per calendar year, on at least thirty (30) days’ prior written notice, during normal business hours, through an independent third-party auditor bound by confidentiality obligations.

Controller shall bear the costs of an audit unless the audit identifies material non-compliance by Processor.

7.2 Certifications

Processor maintains SOC 2 Type II certification and annual penetration testing reports.

8. DATA PROTECTION IMPACT ASSESSMENTS

Processor shall provide reasonable assistance for Controller’s Data Protection Impact Assessments (DPIAs), prior consultations with supervisory authorities, and privacy compliance documentation.

9. INTERNATIONAL TRANSFERS

9.1 Transfer Mechanisms

Tandem may process Customer Personal Data in the United States and other countries outside the EEA, UK, or Switzerland.

Where a transfer of Customer Personal Data requires a transfer mechanism under applicable Data Protection Laws, the parties will rely on an appropriate mechanism, including the European Commission Standard Contractual Clauses (“SCCs”), the UK International Data Transfer Agreement or UK Addendum to the SCCs, applicable Swiss adaptations to the SCCs, or an adequacy decision or another valid transfer mechanism, including the EU–US Data Privacy Framework only where the relevant recipient is certified and the transfer is within the scope of that certification.

9.2 Supplementary Measures

Tandem will implement the technical and organisational measures described in this DPA and its applicable annexes. Where required, Tandem will assess the circumstances of relevant international transfers and implement supplementary measures appropriate to the nature of the processing and the applicable Data Protection Laws.

10. DATA RETENTION AND DELETION

10.1 Retention Period

Personal Data retained only as long as necessary for the Services or as required by law.

10.2 Deletion or Return

Upon termination of the Services, and at Controller’s choice, Processor shall return or delete Customer Personal Data within thirty (30) days, unless retention is required by applicable law.

Customer Personal Data contained in backup systems may remain until deleted in accordance with Processor’s ordinary backup-retention schedule, provided that such data remains protected under this DPA and is not restored or otherwise actively processed except as necessary for disaster recovery or as required by law.

Upon Controller’s reasonable written request, Processor shall confirm completion of the return or deletion.

11. LIABILITY AND INDEMNIFICATION

11.1 Liability

Each party’s liability for data protection breaches subject to Master Service Agreement limitations.

11.2 Indemnification

Processor indemnifies Controller for damages resulting from Processor’s breach of this DPA, actions outside or contrary to Controller’s instructions, or failure to comply with Data Protection Laws.

12. COOPERATION

12.1 Government Requests

Unless prohibited by applicable law, Processor shall promptly notify Controller of any legally binding request from a governmental authority for disclosure of Customer Personal Data. Processor shall provide Controller with information reasonably available to Processor regarding the request and shall cooperate with Controller’s reasonable efforts to seek protective treatment of the requested Customer Personal Data.

12.2 General Cooperation

Taking into account the nature of the Processing and the information available to Processor, Processor shall provide reasonable cooperation with Controller’s compliance obligations, supervisory-authority inquiries, and data-protection audits and assessments.

13. STANDARD CONTRACTUAL CLAUSES

13.1 EEA Transfers

Where required for a transfer of Customer Personal Data from the EEA to a country that is not subject to an applicable adequacy decision, the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914, including Module Two (Controller to Processor), are incorporated into this DPA.

The completed annexes are set out in Appendix 3. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

13.2 UK and Swiss Transfers

Where required, the UK International Data Transfer Addendum or UK International Data Transfer Agreement, and the applicable Swiss adaptations to the Standard Contractual Clauses, are incorporated into this DPA.

14. CALIFORNIA SPECIFIC TERMS

To the extent Customer Personal Data is subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), Processor is a Service Provider. Processor shall not sell or share Customer Personal Data; retain, use, or disclose Customer Personal Data for any purpose other than providing the Services and performing the business purposes specified in this DPA, except as otherwise permitted by the CCPA; combine Customer Personal Data with Personal Data received from another source, except as permitted by the CCPA; or use Customer Personal Data outside the direct business relationship between Controller and Processor.

Processor shall provide the same level of privacy protection required of a Service Provider under the CCPA and shall notify Controller if Processor determines that it can no longer meet its obligations under this Section.

15. TERM AND TERMINATION

This DPA remains in effect for duration of Master Service Agreement, survives termination for Personal Data still in Processor’s possession, and may be amended only by a written agreement signed by both parties, except that Processor may update its Sub-processor list in accordance with Section 4.2.

16. GOVERNING LAW

This DPA is governed by the same law as the Master Service Agreement, except where Data Protection Laws require otherwise.

APPENDIX 1 — PROCESSING DETAILS

Subject matter and purpose of Processing: Provision, operation, support, security, and improvement of Tandem’s project-management, connected-service, document, workflow, and AI-assistance features, in accordance with the Master Service Agreement and Controller’s documented instructions.

Nature of Processing: Collection, storage, organization, structuring, retrieval, consultation, use, transmission, analysis, generation of outputs, support, security monitoring, deletion, and return of Personal Data.

Duration: The term of the Master Service Agreement, plus any period required for return, deletion, backup retention, or legal compliance.

Categories of Data Subjects: Controller’s employees, contractors, customers, end users, prospects, leads, and other individuals whose Personal Data is included in Customer-provided content or connected services.

Types of Personal Data: The categories described in Section 2.2 of this DPA, including account and identity data; professional and contact data; project and workspace data; connected-service and uploaded content; AI interaction and generated content; technical, security, and usage data; and support and communications data.

Special Categories of Personal Data: Tandem does not require Customers to provide Special Category Personal Data. Customers must not provide such data unless they have a lawful basis and have agreed appropriate processing instructions with Tandem.

APPENDIX 2 — TECHNICAL AND ORGANIZATIONAL MEASURES

Processor maintains technical and organisational measures appropriate to the nature of the Processing and the risks to Data Subjects’ rights and freedoms. These measures include:

Access controls: Access to Customer Personal Data is restricted on a need-to-know basis. Administrative access requires multi-factor authentication where supported. Access permissions are reviewed periodically.

Data protection: Customer Personal Data is encrypted in transit using TLS and at rest using controls provided by the applicable hosting and storage service. Logical access controls and role-based permissions are used to protect Customer Personal Data.

Security operations: Processor maintains incident-detection and incident-response procedures, performs vulnerability management and security testing appropriate to the Services, and maintains audit logging and change-management practices appropriate to the Services.

Availability and resilience: Processor maintains backup, business-continuity, and disaster-recovery measures appropriate to the Services. Processor uses logical separation measures designed to protect Customer data in its multi-tenant environment.

Organisational measures: Personnel authorized to process Customer Personal Data are subject to confidentiality obligations. Processor provides appropriate security and privacy training to relevant personnel and maintains vendor-management procedures for its Sub-processors.

APPENDIX 3 — STANDARD CONTRACTUAL CLAUSES ANNEXES

Annex I — List of Parties and Transfer Details

Data exporter: The Customer, acting as Controller, as identified in the applicable Order Form.

Data importer: Tandem App, Inc., acting as Processor, as identified in the applicable Order Form.

Competent supervisory authority: The supervisory authority of the EU Member State in which the Data Exporter is established or, where applicable, the supervisory authority determined in accordance with Clause 13 of the Standard Contractual Clauses.

Categories of Data Subjects: The categories described in Appendix 1.

Categories of Personal Data: The categories described in Section 2.2 and Appendix 1.

Frequency of the transfer: Continuous and as necessary to provide the Services.

Nature of the Processing: The Processing activities described in Appendix 1.

Purpose of the transfer and further Processing: To provide, operate, support, secure, and improve the Services in accordance with the Master Service Agreement, this DPA, and Controller’s documented instructions.

Retention period: For the duration described in Appendix 1 and Section 10 of this DPA.

Sub-processors: The Sub-processors listed in Section 4.1, as updated in accordance with Section 4.2.

Annex II — Technical and Organisational Measures: The technical and organisational measures described in Appendix 2 apply to the Processing under the Standard Contractual Clauses.

Annex III — List of Sub-processors: The Sub-processors listed in Section 4.1, as updated in accordance with Section 4.2.

These terms are available at usetandem.ai/data-processing-agreement and are incorporated by reference into any Order Form executed between Tandem and Customer.