Data Processing Agreement
Last updated: 6 June 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Customer”) and MH Mariusz Henn, Turonia 10F/1, 30-410 Kraków, Poland (NIP PL4980223431), operating the Tseha service (“Tseha”, “we”, “us”). It applies where, and to the extent that, we process Personal Data on the Customer’s behalf in the course of providing the Service, and reflects the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). If you require a countersigned copy, contact [email protected].
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service. “Data Protection Law” means the GDPR and any national law implementing or supplementing it that applies to the processing. “Customer Personal Data” means any Personal Data that we process on the Customer’s behalf under the Terms. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “processing” and “Personal Data Breach” have the meanings given in the GDPR.
2. Roles of the parties
For Customer Personal Data, the Customer is the Controller and Tseha is the Processor. The Customer determines the purposes and means of the processing; Tseha processes the data only to provide the Service and only on the Customer’s documented instructions. Where Tseha determines the purposes and means of processing in its own right (for example, account administration, billing, and Service security), it acts as an independent Controller, and that processing is governed by our Privacy Policy rather than this DPA.
3. Processing of Customer Personal Data
We process Customer Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law; in that case we will inform the Customer of the legal requirement before processing, unless that law prohibits it. The Customer’s instructions are set out in the Terms, this DPA, and the Customer’s use of the Service’s features.
We will inform the Customer without undue delay if, in our opinion, an instruction infringes Data Protection Law. The nature, purpose, subject matter, and duration of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
4. Confidentiality
We ensure that persons authorized to process Customer Personal Data are bound by an appropriate duty of confidentiality and process the data only as necessary to provide the Service.
5. Security of processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are described in Annex II.
6. Subprocessors
The Customer provides general authorization for Tseha to engage the subprocessors listed in Annex III to process Customer Personal Data. We impose data protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain liable to the Customer for a subprocessor’s performance of its obligations.
We will give the Customer prior notice of any intended addition or replacement of a subprocessor by updating Annex III and, where the Customer has subscribed to notifications, by email. The Customer may object to a change on reasonable data protection grounds within 30 days; if the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.
7. Assisting the Controller
Taking into account the nature of the processing, we assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). The Service also provides self-service tools that allow the Customer to access, export, correct, and delete Customer Personal Data directly.
We further assist the Customer in ensuring compliance with its obligations regarding security of processing, Personal Data Breach notification, data protection impact assessments, and prior consultation (Articles 32 to 36 of the GDPR), taking into account the nature of the processing and the information available to us.
8. Personal Data Breaches
We notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide the information reasonably available to us to help the Customer meet its own breach-notification obligations.
9. Return or deletion of data
On termination of the Service, and at the Customer’s choice, we delete or return all Customer Personal Data and delete existing copies, unless EU or Member State law requires further storage. Customer Personal Data is deleted within 30 days of account closure; residual copies in encrypted backups are overwritten on the schedule described in our Privacy Policy.
10. Audits
We make available to the Customer the information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits are limited to once per year (absent a Personal Data Breach or a regulator’s request), subject to reasonable notice, confidentiality undertakings, and our security policies, and may be satisfied by our providing relevant documentation or third-party attestations.
11. International transfers
Our hosting is in the EU. Where a subprocessor processes Customer Personal Data outside the European Economic Area, the transfer is protected by an appropriate safeguard under Chapter V of the GDPR, such as the European Commission’s Standard Contractual Clauses or an adequacy decision. Subprocessor locations are noted in Annex III.
12. Liability and precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails. This DPA is governed by the laws of the Republic of Poland.
Annex I — Details of the processing
- Subject matter: provision of the Tseha governed-development-context platform and its MCP server to the Customer.
- Duration: for the term of the Customer’s subscription, plus the retention periods set out in the Privacy Policy.
- Nature and purpose: hosting, storing, serving, and processing the Customer’s engineering standards, components, and configuration so they can be queried by the Customer’s AI coding agents over MCP; authentication, account administration, and the optional AI features.
- Types of Personal Data: account and profile data of the Customer’s members (name, email address, role), authentication identifiers, and technical data such as IP addresses and log data. Customer Content (standards, components, tokens) is not intended to contain Personal Data, but may do so if the Customer chooses to include it.
- Categories of Data Subjects: the Customer’s members and other users it authorizes to access the Service.
Annex II — Technical and organisational measures
- Encryption of Customer Content at rest and of all data in transit (TLS).
- Integration secrets (for example Figma tokens) encrypted at rest with authenticated encryption (AES-256-GCM), each record using a unique initialization vector.
- Logical tenant isolation: every data access is scoped to the requesting organization, and membership and role are re-checked on each MCP request.
- Authentication via Google sign-in; agent access over OAuth with PKCE, with tokens scoped to organization and role and revocable at any time.
- Role-based access control (Owner, Admin, Developer, User) and per-project access scoping.
- Audit logging of administrative and token actions.
- Hosting on EU infrastructure with regular encrypted backups.
- Least-privilege access for personnel and confidentiality obligations.
Measures evolve with the state of the art; we may update them provided the level of protection is not reduced.
Annex III — Authorized subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and infrastructure | EU |
| Neon | Managed PostgreSQL database hosting (primary data store) | EU |
| Upstash | Managed Redis for rate limiting and caching | EU |
| Auth0 / Google | Authentication and sign-in | EU / USA |
| Resend | Transactional email delivery (invitations, account notices) | USA |
| Stripe | Payment processing for paid plans | EU / USA |
| OpenAI | AI features: embeddings for semantic search, AI-generated summaries, and package analysis | USA |
| Google (Tag Manager) | Tag and analytics management (subject to consent) | EU / USA |
| Termly | Cookie consent management | USA |
Transfers outside the EEA are covered by the European Commission’s Standard Contractual Clauses or an applicable adequacy decision.