Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", acting as data controller) and Tenfold Studio ("Tenfold", acting as data processor) and applies to any personal data Tenfold processes on the Customer's behalf in connection with the Service.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", "data subject" and "supervisory authority" have the meanings set out in the GDPR.

2. Scope and Roles

Tenfold processes personal data only on the Customer's documented instructions, as set out in the Terms of Service, this DPA, and the Customer's use of the Service. With respect to end-user data Customer submits into the platform, Customer is the controller and Tenfold is the processor.

3. Nature, Duration and Purpose

• Subject matter: provision of the Service (intake, AI Developer assistance, application build, hosting).
• Duration: the term of the Customer's engagement plus retention periods set out in the Privacy Policy.
• Categories of data: contact details, business information, brand assets, voice transcripts, uploaded documents/photos, chat messages, technical identifiers.
• Categories of data subjects: Customer's representatives and any end users whose data Customer submits.

4. Tenfold's Obligations

• Process personal data only on documented Customer instructions.
• Ensure personnel are bound by confidentiality.
• Implement appropriate technical and organizational measures (Section 5).
• Assist Customer with data-subject rights requests where reasonably possible.
• Notify Customer without undue delay (and in any event within 72 hours) of any personal-data breach affecting Customer data.
• Make available information necessary to demonstrate compliance and allow audits on reasonable notice.

5. Security Measures

• Encryption in transit (TLS 1.2+) and at rest.
• Row-level security in the database scoped by authenticated user.
• Role-based, least-privilege access for Tenfold personnel.
• Hashed passwords and signed session tokens.
• Routine backups and disaster-recovery procedures.
• Vulnerability monitoring and patching of dependencies.

6. Subprocessors

Customer authorizes Tenfold to engage the subprocessors listed in our Privacy Policy (Section 4). Tenfold will give prior notice of any new subprocessor and will impose data-protection terms substantially equivalent to those of this DPA. If Customer objects to a new subprocessor on reasonable data-protection grounds, Customer may terminate the affected portion of the Service.

7. International Transfers

Where transfers of personal data outside the EEA/UK are necessary, Tenfold (and its subprocessors) rely on the EU Standard Contractual Clauses (Module 3, Processor-to-Processor; Module 4, Processor-to-Controller as applicable) and the EU–US Data Privacy Framework where applicable.

8. Data Subject Rights

Tenfold will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill its obligation to respond to requests for exercising data-subject rights.

9. Return or Deletion

Upon termination, Tenfold will, at the Customer's choice, delete or return all personal data and delete existing copies, except where retention is required by law.

10. Liability

The parties' liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

11. Governing Law

This DPA is governed by the same law as the Terms of Service, except where a mandatory data-protection law of the Customer's jurisdiction applies.

12. Signing this DPA

By accepting our Terms of Service and using the Service, the Customer is deemed to have accepted this DPA. Customers requiring a countersigned version may request one at hello@tenfoldstudio.org.