Data Processing Agreement
Effective as of May 12, 2026 · Version 1.0 · GDPR Article 28 compliant
1. Parties and Pre-incorporation Notice
This DPA is entered into between:
- The Customer ("Controller") — the legal or natural person identified in the Tesseum subscription account.
- Tesseum ("Processor") — the legal-research platform operated from Prague, Czech Republic, by its founder. The platform is currently undergoing formal incorporation as a Czech private limited company (s.r.o.). Upon registration, the rights and obligations under this DPA will be assumed by the registered entity by written assignment, with continuity of all terms.
Customers requiring a counter-signed copy of this DPA for procurement may request one at hola@tesseum.com.
2. Subject Matter and Duration
Tesseum processes Customer Personal Data solely to provide the contracted services described in the Terms of Service: legal research, statute browsing, jurisprudence search, citation-verified drafting, and related AI-assisted analytics across the engines Magnus, Praetor, Synopsis, Iudicium, Atlas, Corpus and Apolo.
Processing continues for the duration of the Customer's active subscription plus the retention periods set out in §8 (Return and Deletion).
3. Nature and Purpose of Processing
- Retrieval of statutes, jurisprudence, and corpus articles in response to Customer queries.
- Generation of AI-assisted analytical outputs grounded in verified corpus sources.
- Persistence of conversation history, saved bundles, and citation metadata for authenticated users.
- Billing, subscription management, and tier enforcement.
- Service security, fraud prevention, and abuse detection.
4. Categories of Data Subjects and Data
4.1 Data subjects
- The Customer's employees, partners, and contractors using the platform.
- Third parties whose data appears in documents the Customer uploads for analysis (subject to anonymization — see §6.3).
4.2 Categories of personal data
- Identifiers: name, email, OAuth profile photo, country, professional profile.
- Authentication tokens (managed by Google OAuth and Supabase Auth).
- Usage data: queries submitted, jurisdictions consulted, timestamps, citation metadata.
- Billing data: handled exclusively by Stripe; Tesseum receives only payment status flags.
- Anonymized document content where the Customer uploads documents for analysis.
Tesseum does not process special categories of personal data under Art. 9 GDPR by design. Customers must not upload such data unless explicitly agreed in writing.
5. Roles and Instructions
The Customer is the Controller of Customer Personal Data. Tesseum is the Processor and processes Customer Personal Data only on the Customer's documented instructions, which are set out in this DPA, the Terms of Service, and any written request from the Customer that Tesseum has acknowledged.
Tesseum will inform the Customer if, in its opinion, an instruction infringes GDPR or applicable Czech or EU data-protection law.
6. Processor Obligations
6.1 Confidentiality
Tesseum ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.
6.2 Security measures
Tesseum implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those described in Annex II.
6.3 Anonymization pipeline
Documents uploaded by Customers for analysis are passed through Tesseum's anonymization pipeline before any AI engine receives them. Identifying tokens ([PERSON_n], [ADDRESS_n], [ORG_n], [DATE_n], etc.) are substituted for raw identifiers. The original document is not stored; only the anonymized representation persists for the Customer's session.
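The following Python program is an added illustration of the placeholder-substitution approach this section describes (raw identifiers replaced by indexed tokens such as [PERSON_n] before any engine sees the text). It is not Tesseum's pipeline and nothing here is taken from the platform: the detection rules are simple constructed regular expressions standing in for an NER model, the sample contract text is constructed, and the session-scoped mapping with its `forget()` call is an assumed design, shown because the mapping is the one artefact that can re-identify the document and so must live no longer than the session.

```python
"""Illustrative session-scoped anonymizer (added example, not Tesseum code).

Identifiers are replaced by indexed placeholders.  The index is stable within
one session: the same raw identifier always becomes the same token, so a
downstream engine can still reason about "the same party" without learning
who that party is.  Detection rules below are constructed for this example.
"""
import re

# Constructed detection rules, applied in this order so that the more
# specific shapes (a date, a company suffix, a postal address) are tokenised
# before the generic honorific-plus-name rule.  A real pipeline would use an
# NER model and jurisdiction-specific patterns; regexes keep this self-contained.
RULES = [
    # dd. mm. yyyy with optional spaces, e.g. "3. 4. 2024"
    ("DATE", re.compile(r"\b\d{1,2}\.\s?\d{1,2}\.\s?\d{4}\b")),
    # Capitalised words followed by a Czech company suffix (s.r.o. / a.s.)
    ("ORG", re.compile(r"\b[A-Z][\w&-]*(?:\s+[A-Z][\w&-]*)*\s+(?:s\.r\.o\.|a\.s\.)")),
    # "Street 12/4, 110 00 Town 1" style address (constructed shape)
    ("ADDRESS", re.compile(
        r"\b[A-Z][^\W\d_]+\s\d+(?:/\d+)?,\s\d{3}\s?\d{2}\s[A-Z][^\W\d_]+(?:\s\d+)?")),
    # Honorific followed by at least two capitalised name parts
    ("PERSON", re.compile(
        r"\b(?:JUDr\.|Mgr\.|Ing\.|Mr\.|Ms\.|Dr\.)\s+[A-Z][^\W\d_]+(?:\s+[A-Z][^\W\d_]+)+")),
]


class SessionAnonymizer:
    """Substitutes indexed placeholders for identifiers, one instance per session."""

    def __init__(self) -> None:
        # (category, raw identifier) -> placeholder token.  Held in memory only;
        # this mapping is the re-identification key and is discarded with the
        # session via forget() (assumed design, see lead-in).
        self._tokens: dict[tuple[str, str], str] = {}
        self._counters: dict[str, int] = {}

    def _token_for(self, category: str, raw: str) -> str:
        key = (category, raw)
        if key not in self._tokens:
            self._counters[category] = self._counters.get(category, 0) + 1
            self._tokens[key] = f"[{category}_{self._counters[category]}]"
        return self._tokens[key]

    def anonymize(self, text: str) -> str:
        """Return the text with every detected identifier replaced by its token."""
        for category, pattern in RULES:
            text = pattern.sub(
                lambda m, c=category: self._token_for(c, m.group(0)), text)
        return text

    def mapping(self) -> dict[tuple[str, str], str]:
        """Copy of the session's identifier -> token mapping (sensitive)."""
        return dict(self._tokens)

    def forget(self) -> None:
        """Drop the mapping so the session can no longer be re-identified."""
        self._tokens.clear()
        self._counters.clear()


# Constructed sample: a short contract excerpt with Czech-style identifiers.
SAMPLE = (
    "Contract concluded on 3. 4. 2024 between Alfa Stavby s.r.o., "
    "represented by JUDr. Jana Nováková, and Ing. Petr Svoboda, residing at "
    "Dlouhá 12/4, 110 00 Praha 1. JUDr. Jana Nováková signed on 3. 4. 2024."
)


def anonymize_sample() -> str:
    """Anonymize the constructed sample and return only the safe representation."""
    session = SessionAnonymizer()
    safe = session.anonymize(SAMPLE)
    session.forget()  # the original identifiers do not outlive this call
    return safe


if __name__ == "__main__":
    print(anonymize_sample())
```

Note that the second mention of JUDr. Jana Nováková and the repeated date map to the same tokens ([PERSON_1], [DATE_1]), which is what keeps the anonymized text analysable; the honorific is consumed into the token so it cannot narrow the identity.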
6.4 Sub-processors
The Customer authorizes Tesseum's engagement of the sub-processors listed in Annex I. Tesseum will give the Customer 30 calendar days' advance notice of any intended addition or replacement of a sub-processor. If the Customer objects in writing within that period, Tesseum will use commercially reasonable efforts to provide an alternative; if no alternative is available, the Customer may terminate the affected service on 30 days' notice with pro-rata refund of prepaid fees.
6.5 Data subject rights
Tesseum will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligations to respond to requests for exercising data subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
If Tesseum receives a request directly from a data subject relating to Customer Personal Data, Tesseum will forward the request to the Customer without undue delay and will not respond to the data subject directly except to confirm receipt and the forward.
6.6 Personal data breach notification
Tesseum will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
6.7 DPIA assistance
Tesseum will provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (Art. 35 GDPR) and prior consultations with supervisory authorities (Art. 36 GDPR).
6.8 Audit rights
Tesseum makes available to the Customer all information necessary to demonstrate compliance with this DPA. On request and no more than once per calendar year (unless a regulator requires otherwise), Tesseum will respond to a reasonable written audit questionnaire from the Customer or its authorized auditor. On-site audits are not available; documentary audits and third-party attestations (when available) satisfy this section.
7. International Transfers
Some sub-processors are established in the United States. Tesseum relies on the EU Commission Standard Contractual Clauses (Decision 2021/914) — controller-to-processor module (Module Two) and processor-to-processor module (Module Three) as applicable — with each non-EU sub-processor. Where the EU–US Data Privacy Framework applies to a sub-processor, that mechanism is used in conjunction with the SCCs as a redundant safeguard.
The Customer hereby authorizes Tesseum to act on its behalf in onward transfers covered by the SCCs.
8. Return and Deletion
On termination of the subscription, the Customer may export account and conversation data through the account interface for 30 calendar days. After that period, Tesseum will delete or anonymize Customer Personal Data within a further 30 days, except where retention is required by Czech tax law (zákon č. 235/2004 Sb.) for billing records (7 years), or to comply with a documented legal hold.
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a data subject's rights against either party under Art. 82 GDPR.
10. Conflict and Order of Precedence
In the event of a conflict between this DPA, the Terms of Service, and the Privacy Policy, the order of precedence is: (1) this DPA, (2) the Terms of Service, (3) the Privacy Policy — for the subject matter of processing of Customer Personal Data only.
11. Governing Law
This DPA is governed by the laws of the Czech Republic. Disputes arising from this DPA are subject to the exclusive jurisdiction of the competent courts of Prague, without prejudice to the rights of EU consumers under Regulation (EU) 1215/2012.
12. Contact
Data protection inquiries: hola@tesseum.com
Security incidents: security@tesseum.com
Annex I — Authorized Sub-processors
The following sub-processors are authorized as of the effective date of this DPA. The current list is maintained at tesseum.com/company and updated with at least 30 calendar days' advance notice of changes.
| Sub-processor | Purpose | Region / Transfer mechanism |
|---|---|---|
| Supabase Inc. | Database (PostgreSQL), authentication, file storage, real-time channels | United States · SCCs (Module Three) |
| Vercel Inc. | Web hosting, serverless function execution, CDN | United States with EU edge (Frankfurt fra1) · SCCs (Module Three) |
| Anthropic PBC | Claude language model inference. Zero data retention enabled — no training on Customer data, no log retention beyond 30 days for trust and safety review. | United States · SCCs (Module Three) |
| Google LLC | OAuth 2.0 identity provider · Gemini language model inference | United States · SCCs (Module Three) and EU–US Data Privacy Framework |
| Stripe Inc. | Payment processing, subscription billing, EU/MX tax computation. Stripe is an independent controller for payment data under Art. 26 GDPR. | Ireland (EU customers) / United States · SCCs (Module Two) and EU–US DPF |
Annex II — Technical and Organizational Measures
Encryption
- TLS 1.3 for all data in transit between client, Tesseum, and sub-processors.
- AES-256 at rest via Supabase managed encryption.
- OAuth-only authentication; passwords are never stored. WebAuthn / passkeys supported as an optional second factor.
Access control
- Row-level security (RLS) policies enforced at the database layer for every multi-tenant table.
- Privileged access to production restricted to the founder and named operations staff. All privileged operations are logged.
- Quarterly review of access lists.
Software development
- All changes deployed through version-controlled CI/CD pipeline (Vercel).
- Anonymization pipeline applied before any AI engine receives user-uploaded content.
- Citation-verification gate (Praetor) cross-checks AI outputs against tool-call retrieval results before delivery.
Logging and monitoring
- Authentication events, payment events, and privileged actions logged with retention of 90 days minimum.
- Vercel and Supabase platform logs retained per their respective DPAs.
- No personally identifiable data in application telemetry; Vercel Analytics uses anonymized aggregation only.
Incident response
- Documented incident-response procedure with 24h triage commitment.
- Customer notification within 48 hours of confirming a personal data breach affecting Customer Personal Data.
- Post-incident review and remediation documented for each Sev-1 incident.
Business continuity
- Daily automated backups of the production database (Supabase managed).
- Disaster recovery objective: RPO 24h, RTO 4 business hours.
- No single-region dependency for hosted compute (Vercel multi-region edge).
Vendor management
- All sub-processors evaluated for GDPR posture before onboarding.
- Sub-processor DPAs and SCCs reviewed annually.
- Material changes to sub-processor list announced with 30 days' notice.