Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement (DPA) forms part of the Terms of Service between Tempered, a trading style of Your Systems Team Limited, as provider of Tempered (the "Platform"), a decision-enrichment service (the "Processor"), and you (the "Controller"), and governs the processing of personal data in connection with the Platform.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1)
Processing: Any operation performed on personal data, as defined in UK GDPR Article 4(2)
Sub-processor: A third party engaged by Tempered to process personal data on behalf of the Controller

2. Scope of Processing

Aspect	Detail
Subject matter	Providing AI-powered decision-enrichment analysis through the Platform
Duration	For the term of your subscription plus 30 days
Nature and purpose	Processing evaluation requests submitted by the Controller through AI vendor APIs and returning structured enrichment data (dimensional analysis, multi-model perspectives, preflight checks, outstanding questions) for use by the Controller in its own decision-making. The Platform does not make decisions on behalf of the Controller; the Controller remains the decision-maker.
Types of personal data	Any personal data contained in evaluation requests submitted by the Controller
Categories of data subjects	Determined by the Controller based on the content submitted for evaluation

3. Controller Obligations

You acknowledge that:

You are responsible for the lawfulness of any personal data included in evaluation requests
You have obtained any necessary consents or have another lawful basis for sharing data with Tempered
You will not submit special category data (Article 9) unless you have explicit consent or another applicable exemption

4. Processor Obligations

Tempered will:

Process personal data only on documented instructions from the Controller
Ensure that persons authorised to process personal data are bound by confidentiality obligations
Implement appropriate technical and organisational security measures (see Section 6)
Not engage sub-processors without prior notice to the Controller (see Section 5)
Assist the Controller in responding to data subject rights requests
Delete or return all personal data upon termination, at the Controller's choice
Make available all information necessary to demonstrate compliance

5. Sub-processors

Tempered uses the following sub-processors to deliver the Platform:

Sub-processor	Role	Data Shared	Location	DPA
Anthropic	AI vendor (Claude)	Evaluation request content	US (EU adequacy)	In place
OpenAI	AI vendor (GPT)	Evaluation request content	US	In place
Google (Gemini)	AI vendor	Evaluation request content	US / EU	In place
Cohere	AI vendor (Command R+)	Evaluation request content	Canada	In place
Stripe	Payment processing	Billing contact details only	US	In place
Cloudflare	Cloudflare Tunnel + DNS	TLS metadata, request headers	Global	In place
Backblaze B2	Offsite encrypted backups	Encrypted database backups (client-side encrypted via Restic)	US	In place
Sentry	Error tracking (PII scrubbed)	Crash context with PII redacted before transmission	US	In place
Google Workspace	Inbound support and privacy email	Any customer email sent to [email protected] or [email protected]	US / EU	In place

All sub-processors have a Data Processing Agreement in place. We will notify you of any changes to sub-processors with at least 30 days' notice. You may object to a new sub-processor, in which case we will work with you to find a resolution or you may terminate the affected Platform access.

6. Security Measures

Tempered implements the following technical and organisational measures:

Encryption in transit: TLS 1.2+ on all connections
Encryption at rest: AES-256 for stored data
Tenant isolation: Logical separation of customer data using contextvar-based isolation with per-query enforcement
Access control: Role-based access control, API key authentication with SHA-256 hashed storage
Monitoring: Continuous security monitoring, intrusion detection, and audit logging
Secret management: HashiCorp Vault for credential storage with automated rotation
Infrastructure: Hardened hosts following CIS benchmarks

7. Data Breach Notification

In the event of a personal data breach, Tempered will:

Notify the Controller without undue delay and in any event within 72 hours of becoming aware
Provide details of the nature of the breach, categories of data affected, and measures taken
Cooperate with the Controller's obligations under UK GDPR Articles 33 and 34

8. International Transfers

Where personal data is transferred to AI vendor APIs outside the UK, Tempered ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or processing in jurisdictions with adequacy decisions.

9. Audit Rights

The Controller has the right to audit Tempered's compliance with this DPA. Tempered will cooperate with reasonable audit requests, subject to confidentiality obligations and reasonable notice.

10. Termination

Upon termination of the Platform:

All personal data will be deleted within 30 days unless legal retention obligations apply
The Controller may request data export before deletion
Tempered will provide written confirmation of deletion upon request

11. Contact

For DPA-related enquiries, including data subject rights requests and sub-processor objections:

Tempered, a trading style of Your Systems Team Limited (Company No. 06798860)
ICO Registration: ZC102414
Registered address: 1 Peach Street, Wokingham, England, RG40 1XJ
Email: [email protected]