1. Parties
This DPA is between:
- The Customer, the organization that signs up for Telos and accepts the Terms of Service (the "Controller").
- Telos Foundry ApS, CVR-nr. 46483561, Teglholmsgade 10B, 3. th., 2450 København SV, Denmark (the "Processor" or "Telos").
2. Definitions
- Customer Personal Data. Personal data processed by Telos on behalf of the Customer in connection with the service.
- Sub-processor. Any third party engaged by Telos to process Customer Personal Data.
- GDPR. Regulation (EU) 2016/679.
- SCCs. The Standard Contractual Clauses issued by the European Commission in Decision (EU) 2021/914.
3. Roles and scope
The Customer is the controller and Telos is the processor of Customer Personal Data. Telos processes Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers, unless required to do otherwise by EU or Danish law. If required by law, Telos will inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
The subject matter, duration, nature, and purpose of processing are described in Exhibit A.
4. Telos obligations
- Process Customer Personal Data only on the Customer's documented instructions.
- Ensure personnel authorized to process Customer Personal Data are bound by written confidentiality obligations.
- Implement the technical and organizational measures set out in Exhibit C.
- Assist the Customer with data subject requests, data protection impact assessments, and supervisory authority cooperation, taking into account the nature of processing and the information available to Telos.
- Notify the Customer without undue delay, and in any case within 72 hours of becoming aware, of a personal data breach.
- At the Customer's choice, delete or return all Customer Personal Data after the end of the service, unless EU or Danish law requires retention.
- Make available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR.
5. Sub-processors
The Customer authorizes Telos to engage the sub-processors listed in Exhibit B to process Customer Personal Data. Telos imposes on each sub-processor data protection obligations no less protective than those in this DPA.
Telos will notify the Customer by email to the account owner of any intended addition or replacement of a sub-processor at least 15 days in advance. The Customer may object on reasonable data protection grounds within that window. If the parties cannot resolve the objection, the Customer may terminate the affected part of the service by written notice.
6. International transfers
Where Telos transfers Customer Personal Data outside the EEA, the transfer is governed by the SCCs, incorporated by reference into this DPA: Module 2 (controller to processor) where the Customer is the data exporter and Telos the data importer, and Module 3 (processor to processor) where Telos is the data exporter and the relevant sub-processor the data importer. The optional docking clause (Clause 7) is included; the time period for Clause 9(a), Option 2 (general written authorisation of sub-processors) is 10 days.
Where the transfer involves personal data subject to the UK GDPR, the parties incorporate the UK ICO's International Data Transfer Addendum to the EU SCCs (Version B1.0, in force from 21 March 2022) by reference. In the event of conflict between the EU SCCs and the UK Addendum for UK personal data, the UK Addendum prevails.
7. Data subject rights
Telos will assist the Customer, by appropriate technical and organizational measures and to the extent possible, in fulfilling its obligations to respond to requests from data subjects under Chapter III of the GDPR.
8. Audit
Telos will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audit rights are subject to: reasonable notice (at least 30 days), confidentiality, conduct during business hours, a maximum of once per calendar year except where triggered by a confirmed incident, and reasonable scope to avoid disrupting Telos' operations and other customers. The Customer bears its own and Telos' reasonable costs of any on-site audit.
9. Return or deletion on termination
On termination of the service, the Customer's workspace remains fully accessible through the end of the paid period to enable export. After the paid period ends, production rows are deleted within 7 days; backups rotate out within 90 days. Telos will provide written confirmation of deletion on request.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA excludes either party's liability to data subjects under Article 82 GDPR.
11. Conflict and governing law
This DPA is governed by the laws of Denmark. In the event of conflict between this DPA and the Terms of Service, this DPA prevails on matters of personal data processing. In the event of conflict between this DPA and the SCCs, the SCCs prevail.
Exhibit A · Description of processing
Categories of data subjects
- Customer employees, contractors, and other users with access to the workspace.
- Customer's own customers, contacts, and prospects, where the Customer chooses to record them in Telos.
Categories of personal data
- Identification data: name, email, role.
- Authentication data: hashed password, session tokens.
- Content data: documents, comments, files, customer records, opportunities, projects, tasks, and other artifacts the Customer creates.
- Usage and log data: IP address (transient), request metadata, audit events.
Special categories of personal data
The Customer should not upload special categories of personal data (Article 9 GDPR) without a documented lawful basis and appropriate safeguards. Telos does not require such data to operate the service.
Subject matter, nature, and purpose
Provision of a multi-tenant SaaS product management tool, including hosting, storage, processing of user requests, AI workflow orchestration that routes prompts and selected workspace context to the LLM provider the Customer has configured, notification delivery, and support.
Duration
For the duration of the subscription plus the retention windows set out in Clause 9 and in the Privacy Policy.
Exhibit B · Sub-processors
The current sub-processor list. Telos engages each under a data processing agreement and notifies the account owner at least 15 days before any addition or replacement.
- Railway Corp. Application hosting, Postgres database, background workers, and file storage via Tigris-backed S3 buckets. All hosted in the EU region (Amsterdam).
- Resend (Plus Five Five, Inc.). Transactional email delivery (invites, password resets, notifications). EU region available.
- Functional Software, Inc. (Sentry). Error monitoring. Configured to scrub IP addresses and not to capture request bodies, so that personal data in request payloads is not sent to Sentry.
- Stripe Payments Europe Ltd. Payment processing. Acts as processor for billing data and as independent controller for fraud prevention.
- Customer-activated LLM providers. When the Customer enables AI features and configures a provider, Telos routes prompts and the workspace context selected by the Customer to that provider under the Customer's own API key. The provider receives this data under the Customer's direct agreement with the provider and is not engaged by Telos as a sub-processor. Supported providers currently include Anthropic, OpenAI, OpenRouter, and self-hosted Ollama-compatible endpoints. The Customer is responsible for the provider's own terms, retention, and transfer mechanisms.
Exhibit C · Technical and organizational measures
Encryption
- TLS 1.2 or higher for all customer traffic.
- Database and object storage encrypted at rest.
- Secrets and BYO-LLM API keys encrypted at the application layer; decrypted only at request time.
Access control
- Every database query is scoped by tenant (orgId).
- Role-based access enforced server-side; leadership-only fields gated by a field-level allowlist in the API layer.
- Production credentials are restricted to authorized Telos personnel with a need to operate the service.
Authentication
- Passwords stored with bcrypt or equivalent.
- Short-lived session tokens, delivered as HttpOnly cookies so they are not readable by client-side script.
- CSRF protection on all state-changing endpoints.
Data isolation and residency
- File storage runs in a single EU bucket; application servers and the Postgres database run in the same EU region.
- Files are stored at key paths scoped by orgId and entity type with private ACLs.
- Uploads use short-lived presigned URLs; the application server never proxies the bytes.
Logging and monitoring
- Per-entity activity recorded for security and operational review.
- Error monitoring via Sentry with PII scrubbing.
- Authentication events logged for abuse and forensic review.
Backups
- Daily automated database backups, retained for 30 days.
- Restore tested at least annually.
Incident response
- Documented runbook: detection, containment, notification, and post-incident review.
- Customer notification of a personal data breach within 72 hours of awareness.
Vendor and personnel
- Sub-processors bound by data protection agreements.
- All personnel with access to Customer Personal Data are bound by written confidentiality obligations.
Signature
Acceptance of the Terms of Service constitutes acceptance of this DPA on behalf of the Customer organization. A counter-signed copy is available on request to info@telos-app.com.