Terms of Service | Tellyou AI

TellYou Data Processing Agreement

May 19, 2026

This Data Processing Agreement ("DPA") forms part of the Agreement between Tellyou AI AB ("Processor") and the Customer ("Controller"). It governs Processor's processing of personal data on Controller's behalf in connection with the Service and reflects the requirements of Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR as applicable. Capitalised terms not defined here have the meaning given in the Terms of Service or in the GDPR.

1. Scope and Roles

The Controller is the controller of Customer Data submitted to the Service. The Processor processes such Customer Data on the Controller's documented instructions, which consist of the Agreement, the configuration choices made by the Controller within the Service, and any further instructions agreed in writing.

For data Processor collects directly about the Controller's account holders (login, profile, billing, product telemetry), Processor is an independent controller; this is governed by the Tellyou Privacy Policy, not by this DPA.

The duration of processing is the term of the Agreement plus any post-termination period required to return or delete data. The nature and purpose of processing is the provision, operation, security and support of the Service. The types of personal data and categories of data subjects are described in Annex 1.

2. Controller Responsibilities

The Controller warrants that it has a lawful basis for the processing it instructs, that it has provided all required notices and obtained all required consents from data subjects, and that its instructions to the Processor comply with applicable law. The Controller is responsible for configuring the Service in accordance with its own privacy notices and obligations.

3. Processor Obligations

The Processor will: (a) process Customer Data only on documented instructions from the Controller, including with regard to transfers, unless required by law (in which case the Processor will inform the Controller of that requirement before processing, unless prohibited from doing so); (b) ensure that personnel authorised to process Customer Data are under written confidentiality obligations; (c) implement the technical and organisational measures described in Annex 2; (d) assist the Controller, taking into account the nature of the processing and the information available, in fulfilling its obligations to respond to data-subject requests and in ensuring compliance with Articles 32 to 36 GDPR; (e) at the Controller's choice, delete or return Customer Data on termination of the Agreement and delete existing copies unless retention is required by law; and (f) make available to the Controller information necessary to demonstrate compliance with Article 28 GDPR and allow for audits as set out in Section 8.

4. Sub-processors

The Controller grants the Processor a general authorisation to engage Sub-processors. The Processor maintains a current list of Sub-processors at tellyou.ai/sub-processors and will give the Controller at least thirty (30) days' prior notice of the addition or replacement of a Sub-processor (or such shorter notice as is reasonable for urgent security replacements). The Controller may object on reasonable data-protection grounds within that period, in which case the parties will work in good faith to find a resolution; if no resolution is reached, the Controller may terminate the affected portion of the Service and receive a pro-rata refund of pre-paid unused fees.

The Processor will impose contractual obligations on each Sub-processor that are no less protective than those in this DPA and will remain responsible for each Sub-processor's performance.

5. International Transfers

Where the Processor or a Sub-processor processes Customer Data outside the European Economic Area, the United Kingdom or Switzerland, the parties rely on a valid transfer mechanism under applicable law, including adequacy decisions (such as the EU–US Data Privacy Framework where the recipient is certified), the European Commission's Standard Contractual Clauses 2021/914 (Modules 2 and 3, as relevant), the UK International Data Transfer Addendum, and the Swiss addendum where applicable. The parties hereby enter into such clauses by reference, with the Controller acting as data exporter and the Processor (or its relevant Sub-processor) as data importer; the optional clauses are completed in Annex 3.

6. Security

The Processor will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in Annex 2. The Processor regularly tests, assesses and evaluates these measures and may update them, provided the level of protection is not materially reduced.

7. Personal Data Breach

The Processor will notify the Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a personal data breach affecting Customer Data. The notification will include the information then known to the Processor and required by Article 33(3) GDPR, and the Processor will provide updates as further information becomes available. The Processor will reasonably assist the Controller in fulfilling its own breach-notification obligations.

8. Audits

The Processor will make available to the Controller, on reasonable request and no more than once per twelve-month period (except in the case of a personal data breach or where required by a regulator), summary information about its security programme, including its most recent independent audit reports (such as SOC 2 or ISO 27001 where available) and responses to a reasonable security questionnaire. Where these materials are insufficient to demonstrate compliance, the Controller (or an independent third-party auditor bound by confidentiality obligations and not a competitor of the Processor) may conduct an on-site audit during normal business hours, on at least thirty (30) days' written notice, in a manner that minimises disruption and at the Controller's expense, subject to reasonable confidentiality and security restrictions.

9. Data Subject Requests

If the Processor receives a request directly from a data subject relating to Customer Data, it will, without responding substantively to the request, refer the data subject to the Controller and notify the Controller. Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to data-subject requests.

10. Return and Deletion

On termination or expiry of the Agreement, and at the Controller's choice, the Processor will return Customer Data to the Controller in a commonly used machine-readable format or delete it. Unless the Controller specifies otherwise, the Processor will delete Customer Data within thirty (30) days after termination. Backup copies will be deleted in accordance with the Processor's standard backup-retention cycle, which does not exceed thirty-five (35) days. Where law requires the Processor to retain Customer Data, it will inform the Controller and protect the data for as long as it is retained.

11. Aggregated and Service-Improvement Data

The Processor may generate and use aggregated, statistical and anonymised information about use of the Service (information that does not identify any individual, directly or indirectly, by any means reasonably likely to be used) to operate, secure, monitor and improve the Service. The Processor does not use Customer Data to train foundation models and contractually requires its AI Sub-processors to refrain from using Customer Data to train their foundation models.

12. Liability and Order of Precedence

The liability provisions of the Agreement apply to this DPA. In case of conflict between this DPA and the rest of the Agreement on data-protection matters, this DPA prevails. In case of conflict between this DPA and any Standard Contractual Clauses incorporated under Section 5, the Standard Contractual Clauses prevail.

Annex 1 — Description of Processing

  • Subject matter and duration: the provision of the Service for the term of the Agreement and any post-termination return or deletion period.

  • Nature and purpose: hosting, transmitting, processing and analysing Customer Data to provide, secure, support and improve the Service, including the generation of AI Output, the operation of integrations and the provision of dashboards and analytics.

  • Categories of data subjects: the Controller's authorised Users; end users who interact with chatbots operated by the Controller through the Service; individuals identified in content submitted to the Service.

  • Categories of personal data: identifiers (such as user IDs on connected platforms), contact data (such as email and name where provided), conversation content (text, attachments, and where the voice agent is enabled, audio and transcripts), device and connection data (such as IP address and user agent), metadata about interactions, and any other personal data the Controller chooses to submit.

  • Special categories of personal data: none, unless expressly agreed in writing.

Annex 2 — Technical and Organisational Measures

The Processor implements measures appropriate to the risk, including: encryption of Customer Data in transit (TLS 1.2 or higher) and at rest; logical isolation of Customer Data; role-based access controls and the principle of least privilege; multi-factor authentication for personnel access; centralised secrets management; security logging and monitoring; vulnerability management and dependency scanning; secure development lifecycle practices including code review; vendor risk management for Sub-processors; regular backups and tested restoration; documented incident response and personal data breach procedures; confidentiality undertakings and security training for personnel; physical security provided by sub-processors operating certified data-centre facilities; and business continuity arrangements.

Annex 3 — Standard Contractual Clauses (where applicable)

Where transfers covered by Section 5 occur, the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 are deemed incorporated by reference, with the following:

  • Module 2 (controller to processor) applies between the Controller as data exporter and the Processor as data importer.

  • Module 3 (processor to sub-processor) applies between the Processor and its Sub-processors as relevant.

  • Clause 7 (docking) applies.

  • Clause 9, Option 2 (general written authorisation): notice period of thirty (30) days as set out in Section 4.

  • Clause 11(a) (independent dispute resolution): not selected.

  • Clause 17, Option 1 (governing law): the laws of Sweden.

  • Clause 18 (forum): the courts of Sweden, with Stockholm District Court as court of first instance.

  • Annex I.A (parties): as identified in the Agreement.

  • Annex I.B (description of transfer): as set out in Annex 1 above.

  • Annex I.C (competent supervisory authority): the Swedish Authority for Privacy Protection (IMY).

  • Annex II (technical and organisational measures): as set out in Annex 2 above.

  • Annex III (sub-processors): as published at tellyou.ai/sub-processors.

For transfers subject to the UK GDPR, the UK International Data Transfer Addendum issued by the ICO is incorporated and amends the Standard Contractual Clauses accordingly.

From Sweden with

© Tellyou AI AB