Data Processing Agreement (DPA)

Version 1.5 – Last updated: January 26, 2026

For TensorPM Paid Services (AI Proxy and Cloud Sync)

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Simon Schwer ("Processor" or "Service Provider") and the subscribing user of TensorPM paid services ("Controller" or "Customer").

1. Definitions

Terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined shall have the meaning given to them in the Agreement. The following definitions apply in this DPA:

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, including any implementations or adoptions of GDPR in the member states of the European Union.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller as part of the provision of the Services; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Services" means the TensorPM paid services (Cloud and Pro) provided by the Service Provider to the Customer under the Agreement (including AI proxy features and Cloud Sync features).

"Sub-processor" means any data processor (including any third party) appointed by the Processor to process Personal Data on behalf of the Controller.

"Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries adopted by the European Commission under Decision 2021/914/EU, or any subsequent version thereof.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services under the Agreement. The purpose of the Processing is to provide Pro features, including AI-enhanced functionality via the proxy service and, if enabled by the Controller, Cloud Sync functionality to synchronize selected project data across devices.

3. Duration

This DPA shall commence on the date the Controller subscribes to the TensorPM Pro Subscription Service and shall continue until the subscription is terminated. After termination of the subscription, this DPA shall remain in effect for as long as the Processor retains any Personal Data of the Controller in accordance with the retention periods specified in the Privacy Statement.

4. Nature and Purpose of Processing

The Processor shall process Personal Data only to the extent necessary to provide the Services under the Agreement, and in accordance with the Controller's documented instructions.

The primary purpose of Processing is to facilitate AI-enhanced project management, specifically:

  • Transmitting project data and context information to third-party AI providers via the Processor's proxy server
  • Temporarily processing project data to fulfill AI requests
  • Authentication and account management
  • Sending authentication emails for account access and security

If Cloud Sync is enabled by the Controller, Processing also includes:

  • Transmitting selected project/workspace data to the Processor's servers
  • Storing and syncing that data across the Controller's devices and (if used) shared workspace members

Cloud Sync is implemented using PowerSync synchronization technology; the PowerSync service is operated by the Processor on its own infrastructure.

The Processor confirms that this purpose is within its lawful business activities and will not process the Personal Data for any other purpose.

5. Categories of Personal Data and Data Subjects

5.1 Categories of Data Subjects

The Personal Data processed may concern the following categories of Data Subjects:

  • Controller's employees, contractors, and other staff
  • Controller's clients and customers
  • Project stakeholders
  • Other individuals whose Personal Data is included in project materials

5.2 Categories of Personal Data

The Personal Data processed may include the following categories:

  • User account information (email address, encrypted password)
  • Names, contact details, or other identifiers contained in project materials
  • Professional information included in project materials
  • Authentication data (JWT tokens, login timestamps)
  • Any other Personal Data that the Controller chooses to include in project materials

6. Controller's Rights and Obligations

6.1 Instructions

The Controller shall ensure that its instructions for the Processing of Personal Data comply with applicable data protection laws. The Controller is responsible for ensuring it has all necessary rights and has obtained all necessary consents to process the Personal Data.

The Controller's instructions are initially set out in this DPA and the Agreement. The Controller may issue additional instructions regarding the type and manner of Processing as it deems necessary for the purposes of compliance with applicable data protection law or otherwise. Such additional instructions are to be provided in writing.

6.2 Technical and Organizational Measures

The Controller is responsible for implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk on its own systems and with respect to any Personal Data it uploads or transmits to the Services.

6.3 Data Subject Requests

The Controller is responsible for responding to Data Subject requests. The Processor shall provide reasonable assistance to enable the Controller to respond to such requests.

6.4 Instructions Requiring Additional Processing

If the Controller's instructions require processing beyond the scope of this DPA, the parties shall negotiate in good faith the costs of such additional processing.

7. Processor's Obligations

7.1 Processing Limitations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries or international organizations
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Not use Personal Data for any purpose other than providing the Services
  • Not disclose the Personal Data to any third party except as authorized by the Controller, required by law, or as strictly necessary for the provision of the Services

7.2 Technical and Organizational Measures

The Processor shall implement appropriate technical and organizational measures to protect Personal Data, including:

  • HTTPS/TLS 1.3 encryption for all data transfers
  • Password hashing using PBKDF2 (100,000 iterations, SHA-512, 32-byte random salt)
  • JWT token-based authentication with access tokens (valid for 60 minutes) and locally stored refresh tokens (encrypted via OS secure storage where available; fallback local unencrypted storage if OS encryption unavailable)
  • OS-level encryption for storing sensitive data such as API keys and refresh tokens on the user's device when available (safeStorage / Keychain / DPAPI); where OS encryption is unavailable, the fallback is unencrypted local storage on the user's device, and such locally stored data is never transmitted to the Processor
  • Server database storage with disk-level encryption at rest
  • Regular security updates (at least monthly)
  • Access restrictions to Personal Data based on the principle of least privilege
  • Security monitoring and access logging
  • Documented incident response procedures

The Processor shall regularly test, assess, and evaluate the effectiveness of these measures to ensure the security of the Processing.

7.3 Sub-processors

The Processor may use the following Sub-processors for the provision of the Services:

  • Google Cloud / Vertex AI (AI services – for Gemini models)
  • Mistral AI (AI services – for Mistral models; headquartered in Paris, France; processes data within the EU)
  • SendGrid (authentication emails)
  • Stripe (payment processing)
  • Hetzner Online GmbH (server infrastructure in Nuremberg, Germany)
  • INWX GmbH & Co. KG (domain registration in Berlin, Germany)

Clarification on BYOK (Bring Your Own Key) providers: When the Controller optionally uses its own API keys for AI providers (e.g. Google AI, Anthropic (Claude), OpenAI, Mistral AI) and such connections are not routed through the Processor's proxy infrastructure, those providers are NOT engaged by the Processor and therefore are not Sub-processors under this DPA. In those cases, the Controller establishes a direct controller–processor (or controller–controller, as applicable) relationship outside the scope of this DPA. The Processor does not transmit, access, or store prompts or API keys for such direct connections.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by providing at least 30 days' prior written notice. The Controller has the right to object to such changes within 10 days of notification.

If the Controller objects to a new Sub-processor, and the Processor cannot reasonably accommodate the Controller's objection, the Controller may terminate the subscription with a pro-rated refund for any prepaid but unused service period.

The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

The Processor confirms that it has entered into written agreements with all Sub-processors that contain data protection obligations no less protective than those in this DPA.

7.4 Data Subject Rights

The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under the GDPR and shall provide all reasonable cooperation and assistance in relation to such request.

The Processor shall not respond to any Data Subject request without the Controller's prior written consent, except to confirm that the request relates to the Controller and to recommend that the Data Subject submit the request directly to the Controller.

The Processor shall provide the necessary assistance to the Controller to fulfill its obligation to respond to Data Subject requests within the timeframes required by applicable law.

7.5 Personal Data Breach

The Processor shall notify the Controller without undue delay, and in any case within 24 hours, after becoming aware of a Personal Data breach. The notification shall include at least:

  • The nature of the breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
  • Contact details for further information

The Processor shall document all Personal Data breaches, including the facts relating to the breach, its effects, and the remedial action taken, and make this documentation available to the Controller upon request.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data breach.

7.6 Data Protection Impact Assessment

Upon the Controller's request, the Processor shall provide reasonable assistance with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under the GDPR.

This assistance may include:

  • Providing information about the processing operations
  • Assessing the necessity and proportionality of processing operations
  • Assessing the risks to the rights and freedoms of Data Subjects
  • Implementing measures to mitigate those risks

7.7 Deletion or Return of Data

Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless legally required to store the Personal Data.

If the Controller does not specify its preference within 30 days of termination, the Processor will securely delete all Personal Data in its possession except to the extent required by applicable law.

Upon request, the Processor will provide a written certification of deletion of all Personal Data.

7.8 Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

The audit rights include:

  • The right to conduct on-site inspections of the Processor's facilities with reasonable advance notice (at least 14 days)
  • The right to review relevant documentation related to the Processing activities
  • The right to interview relevant personnel

Audits shall be conducted during regular business hours, subject to the Processor's policies, and will not unreasonably interfere with the Processor's business activities.

The Controller shall bear any costs related to audits unless an audit reveals a material breach of this DPA, in which case the Processor shall bear the reasonable costs of the audit.

The Controller shall not conduct more than one audit per year unless required by a regulatory authority or following a Personal Data breach.

Any third-party auditor appointed by the Controller must be subject to confidentiality obligations.

7.9 Records of Processing Activities

The Processor shall maintain records of its processing activities in accordance with Article 30(2) of the GDPR and make these records available to the Controller upon request.

8. International Data Transfers

Any transfer of Personal Data to a third country or international organization shall be done with appropriate safeguards in place as required by the GDPR.

For transfers to third-party service providers (Sub-processors) located outside the European Economic Area (EEA), the Processor ensures that such transfers are protected by appropriate safeguards, which consist of:

  • EU Standard Contractual Clauses (2021 version) for transfers to Google Cloud / Vertex AI, SendGrid (Twilio), and Stripe
  • Additional technical measures including:
    • Encryption in transit (HTTPS/TLS)
    • Immediate deletion or minimization after processing where feasible
    • Contractual assurances that data will not be used for general AI model training or the Sub-processors' own purposes

The Processor assesses the requirements for international transfers and implements appropriate safeguards and supplementary measures where necessary.

If the legal mechanism enabling the lawful transfer of Personal Data to a third country is deemed invalid or inadequate, the Processor will promptly notify the Controller and work with the Controller to implement an alternative solution.

9. Limitation of Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.

Nothing in this DPA shall exclude or limit the liability of either party for:

  • Death or personal injury resulting from negligence
  • Fraud or fraudulent misrepresentation
  • Any other liability which cannot be excluded or limited under applicable law

10. Miscellaneous

10.1 Conflict

In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of this DPA shall prevail with respect to the parties' data protection obligations.

10.2 Changes to Data Protection Law

The parties agree to negotiate modifications to this DPA if changes to applicable data protection law require such modification.

10.3 Severability

Should any provision of this DPA be invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes closest to the intention underlying the invalid provision.

10.4 No Third-Party Beneficiaries

This DPA is for the benefit of the parties and their respective permitted successors and assignees only, and is not intended to confer any rights or benefits on any third party.

10.5 DPA Updates

This DPA may be updated from time to time. The Controller will be notified of any material changes at least 30 days in advance. Continued use of the Services after such notification constitutes acceptance of the updated DPA.

10.6 Indemnification

The Processor shall indemnify the Controller for any losses, damages, costs, claims, or expenses incurred by the Controller arising from a breach by the Processor of this DPA, subject to the limitations and exclusions set forth in the Agreement.

10.7 Contact Information

For questions regarding data protection, please contact:

Simon Schwer
Wolfringstraße 14
90765 Fürth, Germany
Email: info@tensorpm.com
