Tersign Data Processing Addendum (DPA)

v1.0 — effective 14 July 2026 (professional counsel review pending; material changes on 30 days’ notice per Section 22) This DPA forms part of the Tersign Terms of Service (the "Terms") between Kevin Zhang, trading as Tersign ("Tersign", the "Processor") and the Customer (the "Controller", which may itself act as a processor for its own customers, in which case Tersign acts as sub-processor and Module Three of the SCCs applies as relevant). Effective: 14 July 2026.

1. Scope; Roles; Precedence

1.1 This DPA applies where and to the extent Tersign processes personal data on Customer's behalf in providing paid Records Tier services under the Terms. It does not apply to the Free Tier (which must not contain personal data in payloads — Terms Sections 7.2 and 14.2), and it does not apply to data for which Tersign is an independent controller (account, billing, support, and telemetry data — see the Tersign Privacy Notice).

1.2 For the processing of personal data, this DPA prevails over the Terms, except that nothing in this DPA limits the license in Section 9 of the Terms or the creation of Aggregated Data and Anonymized Data as instructed in Section 3.3 of this DPA.

1.3 "GDPR" means Regulation (EU) 2016/679 and, where relevant, its UK equivalent; "SCCs" means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). Other terms have the meanings in the Terms or the GDPR.

2. Processing Details (Art 28(3))

The subject matter, duration, nature and purpose of processing, types of personal data, and categories of data subjects are set out in Annex A.

3. Instructions

3.1 Tersign will process personal data only on Customer's documented instructions, including regarding transfers, unless required otherwise by law Tersign is subject to (in which case Tersign will inform Customer before processing, unless the law prohibits that on important grounds of public interest). The Terms, this DPA, and Customer's use of the Services' APIs and configuration are the complete documented instructions. Additional instructions require written agreement.

3.2 Tersign will inform Customer if, in its opinion, an instruction infringes the GDPR or other data-protection law.

3.3 Instructed derivation of Outcome Data. Customer instructs Tersign to create Aggregated Data and Anonymized Data (as defined in Terms Section 9) from Records and use of the Services — including where source material contains personal data — for the purposes stated in Terms Section 9. Aggregation and anonymization under this Section are documented processing instructions for the purposes of Article 28(3)(a) GDPR. Data that, following such processing, no longer relates to an identified or identifiable natural person is not personal data and falls outside the scope of this DPA.

3.4 Data minimization is the default instruction: the Services are designed so that Records carry digests and payload personal data remains Customer-side wherever possible. Customer will not submit special categories of personal data (Art 9) or data relating to criminal convictions (Art 10) without Tersign's prior written agreement.

4. Confidentiality

4.1 Tersign ensures that persons authorized to process personal data (currently the operating principal (Kevin Zhang), plus any future personnel) are committed to confidentiality by contract or statutory obligation.

5. Security (Art 32)

5.1 Tersign implements and maintains the technical and organizational measures in Annex B, taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing, and the risks to data subjects. Tersign may update Annex B provided security is not materially degraded.

6. Sub-processors

6.1 Customer grants general authorization to engage the sub-processors listed in Annex C (also published at https://tersign.ai/legal/subprocessors).

6.2 Tersign will give at least 30 days' notice (sub-processor page update plus email or dashboard notice) before adding or replacing a sub-processor. If Customer objects within that window on reasonable data-protection grounds and Tersign cannot offer a commercially reasonable alternative, Customer's sole and exclusive remedy is to terminate the affected Services and receive a pro-rata refund of prepaid, unused subscription fees.

6.3 Tersign imposes data-protection obligations on sub-processors that are materially equivalent to this DPA and remains liable for their performance.

7. Data-Subject Requests

7.1 Taking into account the nature of the processing, Tersign will assist Customer by appropriate technical and organizational measures — deletion, export, and access tooling — in fulfilling Customer's obligation to respond to data-subject requests. If a data subject contacts Tersign directly about Records, Tersign will redirect the request to Customer and not respond substantively except as law requires.

8. Personal Data Breach

8.1 Tersign will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer's personal data, providing the information reasonably available to Tersign (nature, categories and approximate numbers, likely consequences, measures taken or proposed), supplemented as information becomes available.

9. DPIAs and Prior Consultation

9.1 Taking into account the nature of processing and information available to Tersign, Tersign will provide reasonable assistance with data-protection impact assessments and prior consultations concerning the Services (Arts 35-36), primarily via its published documentation.

10. Deletion and Return

10.1 On termination of the applicable Services, Tersign will, at Customer's choice exercised within the export window in Terms Section 13, return personal data via the export tooling and/or delete it, and will delete remaining personal data after the export window closes, unless law Tersign is subject to requires continued storage.

10.2 Cryptographic deletion mechanics. The ledger is append-only: cryptographic digests, counter-signatures, chain links, and anchors cannot be deleted. "Deletion" of personal data under this DPA is therefore performed by permanently deleting the stored payload and all associated personal data held by Tersign for the relevant Records — including purging from backups within the ordinary rotation cycle, and in any event within 30 days — while retaining the digests, chain links, and anchors, which are designed not to contain or reveal personal data. [COUNSEL: whether a retained digest whose preimage contained personal data remains personal data after payload destruction is NOT settled. EDPB Guidelines 02/2025 (v2, adopted 7 July 2026) state that unkeyed hashes should in general not be considered sufficient to protect personal data on public ledgers and favor keyed/committed constructions and erasure via deletion of off-chain components or key destruction. Position and engineering prerequisite: COUNSEL-REVIEW items 1 and E-1. Do not represent digests as anonymous until counsel signs off.]

11. Audits

11.1 Tersign will make available information reasonably necessary to demonstrate compliance with Article 28 — published documentation, security summaries, and completed security questionnaires — and will allow and contribute to audits. Audits beyond documentation review: at most once per 12 months, on 30 days' notice, remote-first, during business hours, at Customer's expense, not accessing other customers' data, findings confidential.

12. International Transfers

12.1 Tersign is operated from Hong Kong on globally distributed infrastructure. Where the GDPR applies to a transfer, the SCCs (Module Two: controller-to-processor; Module Three where Customer is a processor) are incorporated by reference, with: Clause 7 (docking) included; Clause 9 Option 2 (general authorization, 30 days); Clause 11 optional language excluded; Clause 17 Option 1 — Irish law; Clause 18 — Irish courts; Annexes I-III completed by Annexes A-C of this DPA and the parties' account details. For UK transfers, the UK IDTA Addendum applies with equivalent selections; for Swiss transfers, the SCCs apply as adapted by the FDPIC's requirements.

12.2 Signing the Terms constitutes signature of the SCCs where they apply.

13. Liability; Term

13.1 Liability under this DPA is subject to the limitations in Terms Section 19, to the extent permitted by law. This DPA lasts as long as Tersign processes personal data under the Terms.

Annex A — Processing Description

Annex B — Technical and Organizational Measures

Annex C — Sub-processors

Sub-processor Role Location Data touched
Cloudflare, Inc. Cloud infrastructure: hosting, compute, storage, network (Workers, D1, R2) Global (US-headquartered) All stored Records and payloads, in encrypted infrastructure
LLM API providers Engaged only if and when Customer uses dispute services, and only for non-determinative intake assistance and summarization in dispute workflows. Never the triage determination itself, which is deterministic and recomputable (Terms Section 12.1). The specific provider will be listed at https://tersign.ai/legal/subprocessors before first engagement. Per listing Dispute-submission content Customer routes to dispute services