1. Parties and scope
This Data Processing Agreement (“DPA”) is incorporated into the Terms of Service between TenderOS and the customer organisation (“Customer”). It governs the processing of personal data carried out by TenderOS on behalf of the Customer when providing the Service.
2. Roles and instructions
The Customer is the controller of personal data contained in Customer Data. TenderOS is the processor. We process Customer Data only on the Customer's documented instructions, which include the Terms of Service, this DPA, and any settings configured in the Service.
3. Subject matter, duration, nature
The subject matter is the provision of TenderOS to the Customer. The duration matches the subscription term plus any export and deletion period under §10. The nature of processing includes storage, retrieval, indexing with embeddings, vision-based extraction, LLM inference, and onward transmission to the subprocessors listed below.
Categories of data subjects include the Customer's employees, contractors, third-party personnel mentioned in CVs and project references, and authorised users named in RFP documents.
4. Subprocessors
The Customer authorises TenderOS to engage the subprocessors listed in the Privacy Policy. We will notify the Customer at least thirty (30) days before adding or replacing a subprocessor; the Customer may object on reasonable grounds within that window.
5. Security measures
We maintain technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Postgres Row-Level Security plus ABAC across all tenant rows.
- Quarterly access reviews and least-privilege role design.
- Vulnerability scanning on every container build.
- Annual penetration test by an independent firm.
- Immutable audit logs of every privileged action.
6. Personal data breach notification
We will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Data. The notification will include all information reasonably required for the Customer to discharge its own notification obligations.
7. International transfers
Where the processing of Customer Data involves a transfer of personal data outside the Customer's home jurisdiction, the parties agree that the Standard Contractual Clauses adopted by the European Commission (Module Two) apply, with the optional docking clause enabled. Region-specific terms (UK IDTA, Swiss FDPIC) are included where applicable.
8. Assistance with data subject rights
We will assist the Customer, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to requests for exercising data subject rights. Standard assistance is included in the subscription fee; non-standard, large-volume assistance may be billable at our then-current rates.
9. Audits
We make available to the Customer all information necessary to demonstrate compliance with this DPA. The Customer may, on at least thirty (30) days' written notice and not more than once per calendar year, request an audit conducted under reasonable confidentiality and security protections.
10. Return and deletion
On termination of the subscription, the Customer has thirty (30) days to export Customer Data using the in-product export. After that, we will delete Customer Data from primary systems within thirty (30) days and from backups within a further thirty (30) days, unless retention is required by applicable law.