Tersign Data Processing Addendum (DPA)
v1.0 — effective 14 July 2026 (professional counsel review pending; material changes on 30 days’ notice per Section 22) This DPA forms part of the Tersign Terms of Service (the "Terms") between Kevin Zhang, trading as Tersign ("Tersign", the "Processor") and the Customer (the "Controller", which may itself act as a processor for its own customers, in which case Tersign acts as sub-processor and Module Three of the SCCs applies as relevant). Effective: 14 July 2026.
1. Scope; Roles; Precedence
1.1 This DPA applies where and to the extent Tersign processes personal data on Customer's behalf in providing paid Records Tier services under the Terms. It does not apply to the Free Tier (which must not contain personal data in payloads — Terms Sections 7.2 and 14.2), and it does not apply to data for which Tersign is an independent controller (account, billing, support, and telemetry data — see the Tersign Privacy Notice).
1.2 For the processing of personal data, this DPA prevails over the Terms, except that nothing in this DPA limits the license in Section 9 of the Terms or the creation of Aggregated Data and Anonymized Data as instructed in Section 3.3 of this DPA.
1.3 "GDPR" means Regulation (EU) 2016/679 and, where relevant, its UK equivalent; "SCCs" means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). Other terms have the meanings in the Terms or the GDPR.
2. Processing Details (Art 28(3))
The subject matter, duration, nature and purpose of processing, types of personal data, and categories of data subjects are set out in Annex A.
3. Instructions
3.1 Tersign will process personal data only on Customer's documented instructions, including regarding transfers, unless required otherwise by law Tersign is subject to (in which case Tersign will inform Customer before processing, unless the law prohibits that on important grounds of public interest). The Terms, this DPA, and Customer's use of the Services' APIs and configuration are the complete documented instructions. Additional instructions require written agreement.
3.2 Tersign will inform Customer if, in its opinion, an instruction infringes the GDPR or other data-protection law.
3.3 Instructed derivation of Outcome Data. Customer instructs Tersign to create Aggregated Data and Anonymized Data (as defined in Terms Section 9) from Records and use of the Services — including where source material contains personal data — for the purposes stated in Terms Section 9. Aggregation and anonymization under this Section are documented processing instructions for the purposes of Article 28(3)(a) GDPR. Data that, following such processing, no longer relates to an identified or identifiable natural person is not personal data and falls outside the scope of this DPA.
3.4 Data minimization is the default instruction: the Services are designed so that Records carry digests and payload personal data remains Customer-side wherever possible. Customer will not submit special categories of personal data (Art 9) or data relating to criminal convictions (Art 10) without Tersign's prior written agreement.
4. Confidentiality
4.1 Tersign ensures that persons authorized to process personal data (currently the operating principal (Kevin Zhang), plus any future personnel) are committed to confidentiality by contract or statutory obligation.
5. Security (Art 32)
5.1 Tersign implements and maintains the technical and organizational measures in Annex B, taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing, and the risks to data subjects. Tersign may update Annex B provided security is not materially degraded.
6. Sub-processors
6.1 Customer grants general authorization to engage the sub-processors listed in Annex C (also published at https://tersign.ai/legal/subprocessors).
6.2 Tersign will give at least 30 days' notice (sub-processor page update plus email or dashboard notice) before adding or replacing a sub-processor. If Customer objects within that window on reasonable data-protection grounds and Tersign cannot offer a commercially reasonable alternative, Customer's sole and exclusive remedy is to terminate the affected Services and receive a pro-rata refund of prepaid, unused subscription fees.
6.3 Tersign imposes data-protection obligations on sub-processors that are materially equivalent to this DPA and remains liable for their performance.
7. Data-Subject Requests
7.1 Taking into account the nature of the processing, Tersign will assist Customer by appropriate technical and organizational measures — deletion, export, and access tooling — in fulfilling Customer's obligation to respond to data-subject requests. If a data subject contacts Tersign directly about Records, Tersign will redirect the request to Customer and not respond substantively except as law requires.
8. Personal Data Breach
8.1 Tersign will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer's personal data, providing the information reasonably available to Tersign (nature, categories and approximate numbers, likely consequences, measures taken or proposed), supplemented as information becomes available.
9. DPIAs and Prior Consultation
9.1 Taking into account the nature of processing and information available to Tersign, Tersign will provide reasonable assistance with data-protection impact assessments and prior consultations concerning the Services (Arts 35-36), primarily via its published documentation.
10. Deletion and Return
10.1 On termination of the applicable Services, Tersign will, at Customer's choice exercised within the export window in Terms Section 13, return personal data via the export tooling and/or delete it, and will delete remaining personal data after the export window closes, unless law Tersign is subject to requires continued storage.
10.2 Cryptographic deletion mechanics. The ledger is append-only: cryptographic digests, counter-signatures, chain links, and anchors cannot be deleted. "Deletion" of personal data under this DPA is therefore performed by permanently deleting the stored payload and all associated personal data held by Tersign for the relevant Records — including purging from backups within the ordinary rotation cycle, and in any event within 30 days — while retaining the digests, chain links, and anchors, which are designed not to contain or reveal personal data. [COUNSEL: whether a retained digest whose preimage contained personal data remains personal data after payload destruction is NOT settled. EDPB Guidelines 02/2025 (v2, adopted 7 July 2026) state that unkeyed hashes should in general not be considered sufficient to protect personal data on public ledgers and favor keyed/committed constructions and erasure via deletion of off-chain components or key destruction. Position and engineering prerequisite: COUNSEL-REVIEW items 1 and E-1. Do not represent digests as anonymous until counsel signs off.]
11. Audits
11.1 Tersign will make available information reasonably necessary to demonstrate compliance with Article 28 — published documentation, security summaries, and completed security questionnaires — and will allow and contribute to audits. Audits beyond documentation review: at most once per 12 months, on 30 days' notice, remote-first, during business hours, at Customer's expense, not accessing other customers' data, findings confidential.
12. International Transfers
12.1 Tersign is operated from Hong Kong on globally distributed infrastructure. Where the GDPR applies to a transfer, the SCCs (Module Two: controller-to-processor; Module Three where Customer is a processor) are incorporated by reference, with: Clause 7 (docking) included; Clause 9 Option 2 (general authorization, 30 days); Clause 11 optional language excluded; Clause 17 Option 1 — Irish law; Clause 18 — Irish courts; Annexes I-III completed by Annexes A-C of this DPA and the parties' account details. For UK transfers, the UK IDTA Addendum applies with equivalent selections; for Swiss transfers, the SCCs apply as adapted by the FDPIC's requirements.
12.2 Signing the Terms constitutes signature of the SCCs where they apply.
13. Liability; Term
13.1 Liability under this DPA is subject to the limitations in Terms Section 19, to the extent permitted by law. This DPA lasts as long as Tersign processes personal data under the Terms.
Annex A — Processing Description
- Subject matter: provision of the Tersign evidence-ledger services (Record storage, counter-signing, verification, exports, evidence packs, dispute triage).
- Duration: the term of the Terms plus the export window (Terms Section 13).
- Nature and purposes: receipt, storage, organization, structuring, digest computation, counter-signing, retrieval, export and formatting of Records; dispute-triage computation over signed evidence; instructed aggregation and anonymization (Section 3.3).
- Categories of personal data: identification and business-contact data (names, emails, organization roles), transaction data (amounts, timestamps, references, wallet addresses), and any other personal data Customer chooses to include in payloads (Customer-controlled; minimization instructed). No special categories intended or permitted without written agreement.
- Data subjects: Customer's personnel and principals; counterparties' personnel and principals; end customers appearing in transaction payloads.
Annex B — Technical and Organizational Measures
- Encryption in transit (TLS 1.2+) and at rest (Cloudflare-managed storage encryption).
- Append-only, hash-chained ledger with counter-signatures and public third-party verifiability (integrity by design).
- Data minimization by design: digest-first architecture; payloads optional and Customer-controlled.
- Access control: least-privilege administrative access limited to authorized personnel, protected by multi-factor authentication; secrets held in OS-keystore, never in code or shell environments.
- Logical separation of customer data (per-seller chains); no sale or disclosure of raw Records.
- Logging and monitoring of administrative and API access; documented incident response with 72-hour customer notification (Section 8).
- Backups with bounded retention; deleted data purged within at most 30 days.
- Supply-chain hygiene: provenance-attested releases; dependency review; CI conformance tests on export mappings.
Annex C — Sub-processors
| Sub-processor | Role | Location | Data touched |
|---|---|---|---|
| Cloudflare, Inc. | Cloud infrastructure: hosting, compute, storage, network (Workers, D1, R2) | Global (US-headquartered) | All stored Records and payloads, in encrypted infrastructure |
| LLM API providers | Engaged only if and when Customer uses dispute services, and only for non-determinative intake assistance and summarization in dispute workflows. Never the triage determination itself, which is deterministic and recomputable (Terms Section 12.1). The specific provider will be listed at https://tersign.ai/legal/subprocessors before first engagement. | Per listing | Dispute-submission content Customer routes to dispute services |