Legal

Data Processing Agreement

Last updated 2026-01-09 · Mikko Finell

Acceptable Use Policy Data Processing Agreement Privacy Policy Subprocessors Terms of Service

Data Processing Agreement (DPA)

Last updated: 2026-01-09

This Data Processing Agreement (“DPA”) forms part of the agreement between Customer (“Customer”, “Controller”) and Mikko Finell (“Processor”, “we”, “us”, “our”) governing Customer’s use of TeaLab.io (the “Service”).

This DPA applies where we process Personal Data on behalf of the Customer in connection with the Service.

1. Definitions

For purposes of this DPA:

  • “GDPR” means Regulation (EU) 2016/679.
  • “Personal Data” means any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1), processed by the Processor on behalf of the Customer.
  • “Processing”, “Controller”, “Processor”, “Data Subject” have the meanings defined in GDPR Art. 4.
  • “Subprocessor” means a third party engaged by the Processor to process Personal Data on behalf of the Customer.
  • “Standard Contractual Clauses” (SCCs) means the EU Commission Implementing Decision (EU) 2021/914.

2. Roles of the Parties

  • Customer acts as Data Controller for the Personal Data it provides or makes available through the Service.
  • Processor acts as Data Processor and processes Personal Data only on documented instructions from the Customer, except where required by law.

3. Scope of Processing

Processor shall process Personal Data only as necessary to provide the Service to Customer, including:

  • Hosting Customer data
  • Storing account data
  • Running AI workflows on Customer-provided inputs
  • Generating outputs
  • Maintaining, supporting and securing the Service

A detailed description of the processing is set out in Annex I.

4. Customer Instructions

Processor shall process Personal Data only on the following instructions:

  1. To provide, maintain and support the Service
  2. To store and manage Customer accounts
  3. To process and transmit uploaded content to AI providers as required to generate outputs
  4. To retain and delete Personal Data in accordance with Customer configuration and Section 10
  5. Any additional instructions provided in writing by the Customer

Processor may notify Customer if we believe an instruction violates GDPR.

5. Confidentiality

Processor ensures that all persons authorized to process Personal Data:

  • Are bound by confidentiality obligations; and
  • Have received appropriate training regarding data protection.

6. Subprocessors

Customer authorizes Processor to engage Subprocessors listed in Annex III.

Processor shall:

  • Use Subprocessors only under written contracts that impose GDPR-compliant data protection obligations
  • Notify Customer of new Subprocessors as required by Customer’s main agreement with Processor
  • Remain liable for each Subprocessor’s performance

7. International Transfers

Some processing may involve transfer of Personal Data outside the EU/EEA, specifically when transmitting Customer-uploaded content to AI providers such as OpenAI (United States).

Where such transfers occur:

  • Processor uses Standard Contractual Clauses (SCCs)
  • Processor implements any supplementary measures required for adequate protection
  • Processor configures AI providers so that data is not used for model training, where such options exist
  • Only the minimum data necessary to generate outputs is transmitted

Additional details are set out in Annex I and Annex III.

8. Security Measures

Processor implements appropriate technical and organizational measures (“TOMs”) as required by GDPR Art. 32, including but not limited to:

  • Encryption in transit
  • Access control and authentication
  • Logging and monitoring
  • EU-only hosting for stored data (DigitalOcean, Frankfurt)
  • Secure backups in EU data centers
  • Least-privilege access rules for employees and systems

A more complete list of measures is provided in Annex II.

9. Personal Data Breach

In case of a Personal Data Breach affecting Customer Personal Data, Processor shall:

  • Notify Customer without undue delay
  • Provide relevant details to support Customer's obligations under GDPR Arts. 33–34
  • Take steps to remediate the breach

10. Data Retention and Deletion

Upon termination of the Service or upon Customer’s request:

  • Processor shall delete or return all Personal Data, except where retention is required by law
  • Backups are deleted within a standard retention window (e.g. 30 days)
  • Customer may export its data before termination

Processor may retain minimal necessary data for legitimate business purposes (billing records, logs, etc.) as permitted by law.

11. Assistance

Processor shall reasonably assist Customer with:

  • Data Subject requests (access, rectification, erasure, etc.)
  • Data Protection Impact Assessments (DPIAs)
  • Demonstrating compliance with GDPR Art. 28 obligations

Any significant additional assistance may be subject to reasonable fees.

12. Audits

Upon reasonable written request, Customer may audit Processor’s compliance with this DPA by:

  • Reviewing documentation made available by Processor; or
  • Conducting an audit performed by an independent third party, subject to confidentiality

Audits must:

  • Not occur more than once per year
  • Not unreasonably disrupt Processor operations
  • Respect the confidentiality and security of other customers’ data and systems

13. Liability

Liability under this DPA is subject to the limitation of liability provisions in the main agreement between Customer and Processor.

14. Term

This DPA remains in effect for the duration of Customer’s use of the Service and until all Personal Data is deleted as required under Section 10.

Annex I — Description of Processing

A. Subject Matter

Processing of Personal Data provided by Customer through the Service.

B. Duration

For the duration of the Customer’s use of the Service, plus retention periods outlined in Section 10.

C. Purpose of Processing

  • Providing and operating the Service
  • Running AI workflows
  • Generating outputs
  • Account administration
  • Security, logging and support
  • Backup and recovery

D. Categories of Data Subjects

  • Customer employees and contractors
  • End users authorized by Customer

E. Categories of Personal Data

  • Account data: email address, name (if provided), authentication identifiers
  • Usage data: logs, timestamps, telemetry
  • Uploaded content: documents, text, prompts, configuration parameters
  • Generated outputs

F. Special Categories of Personal Data

Not intentionally processed by Processor. Customer acknowledges that it may upload such data and is responsible for ensuring lawful processing.

G. Nature of Processing

  • Collection
  • Storage
  • Transmission
  • AI-based processing
  • Retrieval
  • Erasure
  • Backup and recovery

H. International Transfers

Transfers to OpenAI (US) for the sole purpose of generating outputs. SCCs and appropriate safeguards apply.

Annex II — Technical and Organizational Security Measures

Processor implements, at minimum, the following measures:

1. Organizational Measures

  • Employee confidentiality agreements
  • Access granted on least-privilege basis
  • Security training for employees
  • Defined incident response procedures

2. Infrastructure Security

  • Hosting exclusively in EU (DigitalOcean Frankfurt)
  • Backups stored in EU data centers
  • Firewalls, network segregation and secure configuration
  • Regular updates and patching

3. Data Security

  • TLS encryption for data in transit
  • Encrypted storage where applicable
  • Secure access tokens for authentication
  • Monitoring of access and system activity

4. Application Security

  • Role-based access controls
  • Input validation
  • Secure development practices
  • Logging for audit and debugging

5. Vendor & Subprocessor Management

  • DPAs with Subprocessors
  • SCCs for international transfers
  • Annual vendor reviews

Annex III — Authorized Subprocessors

Subprocessor Purpose Location Data Processed Transfer Outside EU Safeguards
DigitalOcean, LLC Hosting infrastructure, databases, storage, backups Frankfurt (EU) All Customer Personal Data stored in the Service No (EU-only) DPA, EU data center, contractual safeguards
OpenAI, L.L.C. AI processing to generate outputs United States Customer-uploaded documents and prompts, configuration parameters Yes SCCs, data not used for training, limited retention
Cloudflare, Inc. DNS, edge network, security, DDoS protection Global IP addresses, basic traffic metadata Yes SCCs, DPA, security certifications

Annex IV — International Transfers & SCCs

Where Processor transfers Personal Data outside the EU/EEA, including to the United States:

  • The Standard Contractual Clauses (Processor-to-Processor or Processor-to-Controller) as adopted in EU Commission Implementing Decision 2021/914 apply.
  • These SCCs are incorporated by reference into this DPA.
  • Annex I, II, and III of this DPA serve as the required Annexes of the SCCs.
  • Where necessary, Processor implements additional safeguards (technical, contractual, and organizational) to ensure adequate protection.