Legal

Data Processing Agreement (DPA)

1. Roles and subject matter

When using Tutelium, we process personal data on behalf of your organization. Your organization is the data controller and determines the purpose and means; Tutelium is the data processor and processes data solely on the instructions of your organization.

2. Duration

This agreement applies for as long as Tutelium processes personal data for your organization, i.e. for the duration of the main agreement. Provisions that by their nature continue to apply (such as confidentiality) remain in effect after termination.

3. Nature, purpose and data of the processing

The nature and purpose of the processing, the types of personal data, and the categories of data subjects are described in Appendix 1. Tutelium processes the data only to provide and improve the service, not for its own purposes.

4. Instructions

Tutelium processes personal data solely on the basis of documented instructions from the data controller, including instructions embedded in the service itself. If a legal obligation requires processing, Tutelium will inform the controller in advance, unless the law prohibits this.

5. Confidentiality

Tutelium requires its employees and engaged personnel to keep personal data confidential.

6. Security

Tutelium takes appropriate technical and organizational measures as referred to in Article 32 GDPR. An overview is provided in Appendix 2. Key measures include encryption at rest and in transit, strict access control, separation of customer environments, logging, and US-based hosting.

7. Subprocessors

Your organization gives Tutelium general authorization to engage subprocessors, provided Tutelium imposes the same obligations on them and remains liable for their actions. The current list is provided in Appendix 3. We will notify you in advance of any intended changes, so you can object.

8. Data subject rights

If Tutelium receives a request from a data subject (such as access or deletion), it will refer this to your organization. Tutelium provides reasonable assistance so your organization can meet its obligations.

9. Data breaches

In the event of a personal data breach, Tutelium will notify the data controller without undue delay after discovery, with the information needed to comply with any notification requirements.

10. Audits

Tutelium demonstrates its compliance using available information and, where applicable, reports or certifications. Your organization may conduct (or have conducted) an audit under reasonable conditions.

11. Return and deletion

After the agreement ends, Tutelium gives your organization the opportunity to export the data and then deletes the personal data, unless legal retention requirements require otherwise.

12. International data transfers

Tutelium processes personal data within the United States. If a transfer outside the United States is ever unavoidable, Tutelium will ensure appropriate safeguards are in place.

13. Liability

Liability under this data processing agreement is governed by the liability provisions in the terms of service.

Appendix 1 — Details of the processing

Appendix 2 — Security measures

Appendix 3 — Subprocessors

Contact

Questions about this agreement? Contact us through our contact page.

Tutelium is offered by Tutelium, Inc. — an entity currently being formed; the registration number will follow once formation is complete.