Teamphoria

Teamphoria Data Processing Addendum

Effective Date: May 29, 2026 · Last Updated: May 29, 2026

This Data Processing Addendum (“DPA”) forms part of the Subscription Agreement between the customer (“Controller”) and Teamphoria (“Processor” or “Teamphoria”) and applies to the extent Teamphoria processes Personal Data on the Controller’s behalf through the Service. Capitalized terms not defined here have the meaning given in the GDPR, the UK GDPR, or applicable U.S. state privacy laws, as the context requires. In the event of a conflict between this DPA and the rest of the Subscription Agreement regarding the processing of Personal Data, this DPA prevails; and on matters concerning international data transfers, the Standard Contractual Clauses incorporated under Section 11 prevail.

1. Scope and Roles

The Controller is the controller and Teamphoria is the processor (and, under U.S. state privacy law, the service provider) of Personal Data processed through the Service. The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of data subjects are described in Annex I.

2. Processing Instructions

Teamphoria processes Personal Data only on the Controller's documented instructions, including with respect to international transfers, unless required by law (in which case Teamphoria will notify the Controller, unless legally prohibited). The Subscription Agreement, this DPA, and the Controller's use of the Service constitute the Controller's complete documented instructions. Teamphoria will inform the Controller if, in its opinion, an instruction infringes applicable data-protection law.

3. Confidentiality

Teamphoria ensures that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.

4. Security Measures

Teamphoria implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, as described in Annex II (Security Measures). These measures include encryption of Personal Data in transit and at rest, access controls and authentication, logging and monitoring, secure backup, vulnerability management, and personnel security and confidentiality obligations.

5. Subprocessors

The Controller provides a general authorization for Teamphoria to engage the subprocessors described in the Subprocessor List. Teamphoria imposes data-protection obligations on its subprocessors that are no less protective than those in this DPA and remains liable for their performance. Teamphoria will give the Controller at least thirty (30) days' prior notice of any intended addition or replacement of a subprocessor and an opportunity to object on reasonable, data-protection-related grounds; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service.

6. Data-Subject Requests

Taking into account the nature of the processing, Teamphoria assists the Controller by appropriate technical and organizational measures, insofar as possible, in responding to data subjects' requests to exercise their rights. If Teamphoria receives a request directly from a data subject, it will, where permitted, refer the data subject to the Controller.

7. Personal-Data Breach

Teamphoria notifies the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data breach affecting the Controller's Personal Data, and provides the information reasonably necessary for the Controller to meet its own notification obligations.

8. Assistance

Teamphoria assists the Controller with data-protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Teamphoria.

9. Return or Deletion

On termination of the Service, Teamphoria deletes or returns Personal Data at the Controller's choice and deletes existing copies, unless retention is required by law. Verified deletion is completed within thirty (30) days, subject to ordinary backup cycles, which are purged on their regular rotation, and to any applicable legal-hold obligations.

10. Audits

Teamphoria makes available to the Controller the information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality, frequency, and security conditions.

11. International Transfers

For transfers of Personal Data subject to the GDPR, UK GDPR, or Swiss law to a country that has not received an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor), which are deemed entered into and completed as set out in Annex IV. For transfers subject to UK law, the parties incorporate the UK International Data Transfer Addendum/IDTA to the EU Standard Contractual Clauses. For transfers subject to Swiss law, the EU Standard Contractual Clauses apply with the Swiss amendments (references to the GDPR read as references to the Swiss Federal Act on Data Protection, the competent authority being the Swiss Federal Data Protection and Information Commissioner). Teamphoria applies supplementary technical, organizational, and contractual measures where needed and commits to assessing the impact of relevant transfers. Teamphoria does not rely on self-certification under the EU-US Data Privacy Framework; the Standard Contractual Clauses are the operative transfer mechanism and prevail over any conflicting term on transfer matters.

12. U.S. State Privacy Terms

Where U.S. state privacy laws apply, Teamphoria acts as a service provider or processor. Teamphoria processes Personal Data only for the limited and specified business purposes set out in the Subscription Agreement; does not sell or “share” Personal Data as those terms are defined under those laws; does not retain, use, or disclose Personal Data outside the direct business relationship or for any purpose other than providing the Service; does not combine Personal Data with data from other sources except as permitted by law; and does not use Customer Data to train its own or any third party’s general-purpose AI models. Teamphoria will notify the Controller if it can no longer meet these obligations.

13. Annexes

  • Annex I — Details of Processing. Subject matter: provision of the Teamphoria employee-engagement and HR Service. Duration: the term of the Subscription Agreement plus any permitted post-termination period. Nature and purpose: hosting, processing, and analysis of workforce data to deliver engagement, recognition, communication, performance, and AI-assisted features, including Linda and the AI voice agent. Types of Personal Data: contact details, account credentials, employment and education information, engagement and performance data, usage and interaction data, and voice and transcript data. Categories of data subjects: the Controller’s employees, contractors, and authorized users.
  • Annex II — Security Measures. Encryption in transit and at rest; role-based access controls and authentication; network security; logging and monitoring; secure backup and recovery; vulnerability and patch management; secure software-development practices; personnel screening and confidentiality obligations; and incident response.
  • Annex III — Subprocessors. The subprocessors engaged by Teamphoria are described in the Subprocessor List, which is incorporated into this DPA.
  • Annex IV — Standard Contractual Clauses. The EU Standard Contractual Clauses (Module Two) and the UK IDTA are incorporated under Section 11. Clause selections are completed as follows: the optional docking clause applies; the general subprocessor authorization with thirty (30) days’ notice (Option 2) applies; the supervisory authority is that of the Controller’s EU establishment or, where applicable, its EU representative; and the governing law and forum for the clauses follow the applicable EU member-state or UK law as provided by the clauses. Annexes I, II, and III to this DPA populate the corresponding annexes of the Standard Contractual Clauses.

This DPA should be read together with the Teamphoria Privacy Policy, Terms of Service, Cookie Policy, and Subprocessor List.