
Data Processing Addendum

Effective as of: 12 May 2026
Last modified: 26 May 2026

Tessl Data Processing Addendum

This Data Processing Addendum (the "DPA") forms part of the agreement between Tessl AI Limited, a company incorporated in England and Wales with company number 15532364 and registered office at 210 Pentonville Road, London N1 9JY ("Tessl"), and the customer accepting the Agreement ("Customer").

This DPA applies to the extent Tessl processes Customer Personal Data on behalf of Customer in connection with the Services.

For purposes of this DPA, the "Agreement" means, as applicable, Tessl’s Terms of Service available at https://tessl.io/policies/terms/, any Order Form, any evaluation agreement and any enterprise master services agreement or other written agreement entered into between Tessl and Customer for the Services.

Customer accepts this DPA by entering into the Agreement or by accessing or using the Services.

1. Definitions

In this DPA:

"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable, the UK GDPR, the Data Protection Act 2018, the EU GDPR, and any legislation implementing, supplementing, or replacing them.

"Customer Personal Data" means Personal Data Processed by Tessl on behalf of Customer in connection with the Services.

"Data Subject", "Controller", "Personal Data", "Personal Data Breach", "Process", "Processing", "Processor", and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.

"EU GDPR" means Regulation (EU) 2016/679.

"Restricted Transfer" means a transfer of Personal Data that is subject to Applicable Data Protection Law and requires appropriate safeguards under Chapter V of the EU GDPR or the UK GDPR.

"Services" means Tessl’s agent-enablement platform for software development teams and related services.

"Standard Contractual Clauses" or "EU SCCs" means the standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914, as updated, replaced, or superseded from time to time.

"Subprocessor" means any third party appointed by or on behalf of Tessl to Process Customer Personal Data on behalf of Customer in connection with the Services.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, as updated, replaced, or superseded from time to time.

"UK GDPR" means the EU GDPR as it forms part of the law of the United Kingdom.

2. Scope and Priority

2.1 This DPA applies only to the extent Tessl acts as a Processor of Customer Personal Data.

2.2 If there is any conflict between this DPA and the Agreement regarding the Processing of Customer Personal Data, this DPA will prevail to the extent of that conflict.

2.3 Except as expressly amended by this DPA, the Agreement remains in full force and effect.

3. Roles of the Parties

3.1 With respect to Customer Personal Data, Customer is the Controller and Tessl is the Processor.

3.2 Customer appoints Tessl to Process Customer Personal Data only as necessary to provide the Services and perform Tessl’s obligations under the Agreement, this DPA, and Customer’s documented instructions.

3.3 The details of the Processing are set out in Schedule 1.

3.4 The parties acknowledge that Tessl acts as an independent Controller, and not as Customer’s Processor, for Personal Data relating to Customer’s account owners, administrators, billing contacts, support contacts, and similar representatives, and for Personal Data Tessl Processes for its own legitimate business purposes, including billing, account management, service administration, financial reporting, fraud prevention, abuse prevention, network and information security, legal compliance, and the establishment, exercise, or defence of legal claims.

3.5 Tessl will not use Customer Personal Data, including prompts, inputs, outputs, files, or other customer-submitted content containing Personal Data, to train, fine-tune, or improve any general-purpose, shared, or foundation machine learning or artificial intelligence model.

3.6 Tessl may use service telemetry, usage data, log data, and data that has been aggregated and de-identified so that it is not Personal Data under Applicable Data Protection Law for security, support, analytics, operations, and service improvement, provided Tessl does not attempt to re-identify that data.

4. Customer Instructions and Customer Responsibilities

4.1 Tessl will Process Customer Personal Data only on Customer’s documented instructions, unless Tessl is required by applicable law to do otherwise. If Tessl is required by applicable law to Process Customer Personal Data other than on Customer’s instructions, Tessl will inform Customer before the Processing unless that law prohibits notice on important grounds of public interest.

4.2 The Agreement, this DPA, Customer’s use and configuration of the Services, and any other written instructions agreed by the parties constitute Customer’s complete documented instructions as of the effective date of this DPA.

4.3 Tessl will promptly inform Customer if, in Tessl’s opinion, an instruction infringes Applicable Data Protection Law. Tessl may suspend the affected Processing until Customer confirms or modifies the instruction.

4.4 Customer is responsible for ensuring that it has all rights, notices, consents, and lawful bases required to provide Customer Personal Data to Tessl and to authorise Tessl to Process it in accordance with the Agreement and this DPA.

4.5 Unless the parties expressly agree otherwise in writing, Customer will not submit to the Services, and will use reasonable measures to prevent the submission of, any: (a) special category data; (b) criminal offence data; (c) Personal Data of children under 16; (d) government-issued identification numbers; (e) payment card data, bank account data, or other regulated financial account data; (f) health, genetic, or biometric data; (g) data subject to HIPAA, GLBA, PCI DSS, ITAR, export controls, or similar sector-specific regulation; or (h) any other highly sensitive Personal Data requiring heightened protections under Applicable Data Protection Law.

5. Confidentiality and Personnel

5.1 Tessl will ensure that persons authorised to Process Customer Personal Data are subject to appropriate obligations of confidentiality.

5.2 Tessl will ensure that access to Customer Personal Data is limited to personnel and contractors who need that access for the purposes of providing the Services and who are subject to appropriate security and privacy obligations.

6. Security

6.1 Tessl will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful Processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.

6.2 Tessl’s measures include, at a minimum, the measures described in Schedule 2.

6.3 Tessl may update or modify the measures described in Schedule 2 from time to time, provided that the updates do not materially reduce the overall security of the Services.

7. Subprocessors

7.1 Customer authorises Tessl to engage the Subprocessors listed in Schedule 3.

7.2 Tessl may appoint new Subprocessors or replace existing Subprocessors provided that Tessl: (a) imposes data protection obligations on the Subprocessor that are no less protective than those set out in this DPA to the extent applicable to the services performed by that Subprocessor; (b) remains responsible for the acts and omissions of the Subprocessor to the same extent as if Tessl were performing the relevant services directly; and (c) provides Customer with prior notice of the change by updating the subprocessor list at tessl.io/policies/subprocessors or by another reasonable written notice mechanism at least thirty (30) days before the change takes effect.

7.3 If Customer reasonably objects to a new Subprocessor on data protection grounds within the notice period, the parties will work in good faith to address the objection. If Tessl cannot provide a commercially reasonable alternative, Customer may terminate the affected Services by written notice, and Tessl will refund any prepaid fees covering the terminated portion of the remaining term. This termination right is Customer’s sole and exclusive remedy for a valid objection under this Section 7.

8. Assistance

8.1 Taking into account the nature of the Processing and the information available to Tessl, Tessl will provide reasonable assistance to Customer to enable Customer to comply with its obligations under Applicable Data Protection Law in relation to: (a) requests from Data Subjects to exercise their rights; (b) security of Processing; (c) notifications of Personal Data Breaches to Supervisory Authorities or Data Subjects; (d) data protection impact assessments; and (e) prior consultation with Supervisory Authorities.

8.2 Tessl may satisfy its obligations under this Section by providing self-service functionality, account controls, product features, or documentation where appropriate.

8.3 To the extent legally permitted, Customer will reimburse Tessl for reasonable costs incurred in providing assistance under this Section 8 that exceeds Tessl’s standard obligations under the Agreement and this DPA.

9. Personal Data Breaches

9.1 Tessl will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 Tessl’s notice will include, to the extent then known: (a) the nature of the Personal Data Breach; (b) the categories and approximate number of affected Data Subjects and records, where available; (c) the likely consequences of the Personal Data Breach; and (d) the measures taken or proposed to address and mitigate the Personal Data Breach.

9.3 Tessl will take reasonable steps to contain, investigate, mitigate, and remediate the Personal Data Breach and will provide Customer with timely updates as material information becomes available.

9.4 Tessl’s notification of or response to a Personal Data Breach will not be construed as an admission of fault or liability.

10. Return and Deletion

10.1 Upon termination or expiry of the Agreement, Tessl will, at Customer’s choice, return or delete Customer Personal Data unless retention is required by applicable law.

10.2 Unless the Agreement or Customer’s written instructions provide otherwise, Tessl may satisfy Section 10.1 by making Customer Personal Data available for export for thirty (30) days after termination and deleting it thereafter from active systems.

10.3 Notwithstanding Section 10.1, Tessl may retain Customer Personal Data: (a) for up to ninety (90) days in routine backup or disaster recovery systems, provided that retained data remains protected under this DPA and is deleted in accordance with Tessl’s normal backup overwrite cycle; and (b) for longer where required by applicable law, provided Tessl uses the retained data only for that purpose and continues to protect it in accordance with this DPA.

11. Demonstrating Compliance

11.1 Tessl will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR and EU GDPR, including current security summaries, relevant policies, and copies or summaries of independent third-party audit reports or certifications, where available, such as SOC 2 Type II, ISO 27001, or equivalent materials, in each case subject to reasonable confidentiality restrictions.

11.2 Customer agrees that the information provided under Section 11.1, together with Tessl’s responses to reasonable written questions, will ordinarily satisfy Tessl’s obligations to make information available and contribute to audits under Applicable Data Protection Law.

11.3 Customer will not conduct, and Tessl is not required to permit, any on-site inspection, penetration test, vulnerability scan, or other direct audit of Tessl’s systems, facilities, code, or infrastructure.

11.4 If, and only to the extent, Customer demonstrates that the information provided under Section 11.1 is insufficient to satisfy a specific legal obligation imposed by Applicable Data Protection Law, and that shortfall cannot reasonably be addressed through additional written information, the parties will discuss in good faith a narrowly scoped review by an independent third-party auditor appointed by Customer and reasonably approved by Tessl, subject to: (a) at least thirty (30) days' prior written notice; (b) appropriate confidentiality obligations; (c) the auditor not being a competitor of Tessl; (d) the review occurring no more than once in any twelve (12) month period unless required by a competent Supervisory Authority or applicable law; (e) the review being limited to information strictly necessary to address the identified legal requirement; (f) the review not unreasonably interfering with Tessl’s operations or security; and (g) Customer bearing all costs of the review.

12. International Transfers

12.1 Tessl may Process Customer Personal Data in the United Kingdom, the European Economic Area, the United States, and other jurisdictions in which Tessl or its Subprocessors operate, provided Tessl complies with Applicable Data Protection Law in relation to Restricted Transfers.

12.2 Where a Restricted Transfer from Customer to Tessl requires appropriate safeguards, the parties agree that the relevant lawful transfer mechanism will apply automatically, including the EU SCCs and, where required, the UK Addendum.

12.3 For any transfer that requires the EU SCCs: (a) Module Two (Controller to Processor) will apply; (b) Customer is the data exporter and Tessl is the data importer; (c) Clause 7 (Docking Clause) applies; (d) in Clause 9, Option 2 applies and the notice period for Subprocessor changes is the period set out in Section 7.2(c); (e) Clause 11 does not apply; (f) in Clause 17, the governing law is the law of Ireland; (g) in Clause 18(b), the parties submit to the courts of Ireland; and (h) Annex I, Annex II, and Annex III of the EU SCCs are deemed completed using the information set out in this DPA and the Schedules.

12.4 For any transfer that requires the UK Addendum, the EU SCCs incorporated under Section 12.3 will be deemed amended by the UK Addendum, which is incorporated by reference into this DPA.

12.5 Tessl will ensure that any onward Restricted Transfer to a Subprocessor is covered by a lawful transfer mechanism and any supplementary measures required by Applicable Data Protection Law.

12.6 Customer acknowledges that transfers from the EEA to the United Kingdom are not Restricted Transfers for so long as the United Kingdom benefits from a valid adequacy decision under Article 45 of the EU GDPR.

13. Liability

13.1 Each party’s total aggregate liability arising out of or in connection with this DPA will be subject to the exclusions and limitations of liability set out in the Agreement.

13.2 Nothing in this DPA limits either party’s liability to the extent such limitation is prohibited by applicable law.

14. Governing Law

14.1 This DPA and any non-contractual obligations arising out of or in connection with it are governed by the laws of England and Wales, except to the extent the EU SCCs or UK Addendum require otherwise.

14.2 The courts of England and Wales have exclusive jurisdiction to resolve any dispute arising out of or in connection with this DPA, except to the extent the EU SCCs or UK Addendum require otherwise.

15. Contact

Questions regarding this DPA may be sent to:

General Counsel
privacy@tessl.io

16. General

16.1 If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.

16.2 This DPA remains in effect for as long as Tessl Processes Customer Personal Data on behalf of Customer.


Schedule 1 – Details of Processing

1. Subject Matter

The subject matter of the Processing is Tessl’s provision of its agent-enablement platform for software development teams, including reusable structured context such as skills and plugins and related tooling to generate, evaluate, distribute, leverage, observe, and analyse that context across an organisation.

2. Duration

The Processing will continue for the duration of the Agreement and any period during which Tessl retains Customer Personal Data in accordance with the Agreement and this DPA.

3. Nature and Purpose of the Processing

The Processing includes the receipt, storage, hosting, organisation, retrieval, use, disclosure by transmission, analysis, support, maintenance, security monitoring, administration, deletion, and other Processing of Customer Personal Data as necessary to provide and support the Services in accordance with Customer’s documented instructions.

4. Categories of Data Subjects

Customer may submit Customer Personal Data relating to: (a) Customer’s employees, contractors, and personnel; (b) Customer’s authorised users and administrators; (c) Customer’s customers, prospects, vendors, and business partners; (d) individuals whose Personal Data appears in prompts, files, documents, communications, code, tickets, or other content submitted to the Services by or on behalf of Customer; and (e) any other Data Subjects whose Personal Data Customer elects to submit to the Services in accordance with the Agreement and this DPA.

5. Categories of Personal Data

Customer may submit Customer Personal Data including: (a) name, business contact information, and professional details; (b) account identifiers, usernames, user IDs, and authentication-related data; (c) device, log, telemetry, and usage data associated with use of the Services; (d) content, prompts, files, code, documents, tickets, messages, instructions, queries, and other materials submitted to the Services by or on behalf of Customer; (e) support and troubleshooting data; and (f) any other Personal Data Customer chooses to submit to the Services, excluding prohibited data described in Section 4.5 of this DPA unless otherwise expressly agreed in writing.

6. Sensitive Data

The parties do not intend for Tessl to Process special category data, criminal offence data, children’s data, or other prohibited sensitive data under this DPA unless expressly agreed in writing in advance.

7. Frequency of Transfer

Continuous, as initiated by Customer’s use of the Services during the term of the Agreement.

8. Processing Locations

Customer Personal Data may be Processed in the United Kingdom, the European Economic Area, the United States, and other jurisdictions in which Tessl or its authorised Subprocessors operate, subject to Section 12 of this DPA.


Schedule 2 – Technical and Organisational Measures

Tessl will implement and maintain technical and organisational measures designed to protect Customer Personal Data, including the following categories of measures:

  1. Governance and Risk Management
    • documented security and privacy policies;
    • defined ownership for security and privacy responsibilities;
    • periodic risk assessment and review processes.
  2. Access Control
    • role-based access controls and least-privilege access;
    • unique user credentials;
    • multi-factor authentication for privileged or administrative access where appropriate;
    • access provisioning, review, and revocation procedures.
  3. Confidentiality
    • confidentiality obligations for personnel and contractors;
    • security and privacy awareness training appropriate to job function.
  4. Encryption
    • encryption of Customer Personal Data in transit using industry-standard protocols;
    • encryption of Customer Personal Data at rest where appropriate to the service architecture and risk profile;
    • secure key management practices.
  5. Infrastructure and Network Security
    • network security controls, including firewalls or equivalent protections;
    • system hardening and endpoint protection where appropriate;
    • environment segregation appropriate to the Services;
    • logging and monitoring of relevant systems and administrative actions.
  6. Application and Change Security
    • change management procedures;
    • secure development and deployment practices where applicable;
    • vulnerability identification and remediation processes.
  7. Availability and Resilience
    • backup and recovery procedures;
    • business continuity and disaster recovery measures appropriate to the Services;
    • measures designed to support ongoing confidentiality, integrity, availability, and resilience.
  8. Incident Management
    • incident detection, escalation, response, containment, remediation, and post-incident review processes.
  9. Vendor and Subprocessor Management
    • due diligence and oversight for relevant vendors and Subprocessors;
    • written agreements imposing appropriate confidentiality, security, and data protection obligations.
  10. Physical Security
    • use of hosting and infrastructure providers that maintain physical security controls appropriate to the relevant facilities.
  11. Retention and Deletion
    • controls to support retention limitation, deletion, and secure disposal consistent with the Agreement and Tessl’s retention practices.
  12. Testing and Evaluation
    • periodic review, testing, assessment, or evaluation of the effectiveness of security measures, including independent assessments where appropriate.

Tessl may update these measures from time to time, provided that the updates do not materially reduce the overall security of the Services.

Schedule 3 – Authorised Subprocessors

Tessl’s current list of authorised Subprocessors is available at tessl.io/policies/subprocessors


Schedule 4 – SCC Completion Terms

For purposes of the EU SCCs and, where applicable, the UK Addendum:

  1. The categories of parties, categories of Data Subjects, categories of Personal Data, purposes of Processing, and duration of Processing are those set out in Schedule 1.
  2. The technical and organisational measures are those set out in Schedule 2.
  3. The list of Subprocessors is set out in Schedule 3.
  4. The competent Supervisory Authority will be determined in accordance with Clause 13 of the EU SCCs.