
Data Processing Agreement

Effective 12 May 2026 · Standard form, GDPR Article 28

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

(a) Processor: Fintechagency OÜ, a private limited company incorporated in the Republic of Estonia (registry code 16638667), with registered office at Kesklinna linnaosa, Vesivärava tn 50-301, 10152 Tallinn, Estonia, acting under the trade name “Tessera” (“Tessera” or “Processor”); and

(b) Controller: the legal entity that has accepted the Tessera Terms of Service and operates a Tessera account (“Controller”).

This DPA forms part of, and is governed by, the Tessera Terms of Service. In the event of conflict between this DPA and the Terms, this DPA prevails with respect to processing of personal data.

2. Definitions

Capitalised terms not defined in this DPA have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”). “Personal Data,” “processing,” “data subject,” “controller,” “processor,” and “sub-processor” have the meanings ascribed in the GDPR.

3. Subject matter and duration

The subject matter of processing is the operation of the Tessera Optimize Layer — a substrate proxy that sits in the Controller's LLM request path and applies auto-route, auto-cache, auto-compress, and auto-batch optimisations — together with the measurement of Ongoing Savings, generation of Monthly Joint Readings, and optional optimisation recommendations.

The duration of processing is the period during which the Controller maintains a Tessera account, plus the retention periods set out in Section 11 below.

4. Nature and purpose of processing

Tessera processes Personal Data on behalf of the Controller solely for the purposes of: (i) routing the Controller's LLM API requests through the Tessera proxy and applying the four optimisations described in §3 of the Terms; (ii) computing baselines, readings, and optional recommendations; (iii) generating the Monthly Joint Reading and supporting invoice / balance debit; and (iv) communicating with the Controller's authorised contacts in connection with the account.

Tessera does not process Personal Data for any purpose other than the purposes set out above and the Controller's documented instructions, except where required by EU or Member State law (in which case Tessera will inform the Controller of that requirement before processing, unless prohibited by law).

5. Types of Personal Data and categories of data subjects

Categories of data subjects: the Controller's authorised operators, sponsors, and billing-contact personnel who interact with Tessera through the dashboard, proxy, or email.

Types of Personal Data: business email addresses, names, professional titles, telephone numbers, IP addresses, browser metadata, and authentication identifiers (Supabase auth tokens) associated with the foregoing individuals.

Tessera proxy traffic: prompt text and completion text pass through the Tessera proxy in transit to upstream providers. By default, Tessera retains only the token-count and cost metadata derived from each request, not the prompt or completion content. Where the Controller has explicitly opted in to prompt-logging for debugging purposes, Tessera retains prompts and completions for the period configured by the Controller. The Controller acts as controller for any end-user personal data contained in prompts and is responsible for the lawful basis of, and any consent required for, that processing.

Tessera does not process source code, advertising identifiers, or cross-site tracking signals, and processes production credentials only to the extent necessary to operate the proxy.

6. Obligations of the Processor

In addition to the obligations imposed by Article 28(3) GDPR, Tessera shall:

  • (a) process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law;
  • (b) ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • (c) take all measures required pursuant to Article 32 GDPR (security of processing) — see Section 9 below;
  • (d) respect the conditions in Article 28(2) and 28(4) GDPR for engaging sub-processors — see Section 7 below;
  • (e) taking into account the nature of the processing, assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR;
  • (f) assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Tessera;
  • (g) at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage of the Personal Data (see Section 11);
  • (h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller — see Section 12 below.

7. Sub-processors

The Controller grants Tessera a general written authorisation to engage the sub-processors listed below to support the operation of the Tessera Optimize Layer. Each sub-processor is bound by a written data-protection agreement compliant with Article 28 GDPR.

Current sub-processors (as of the effective date):

  • Supabase Inc. (United States; EU-region instance for Tessera) — database, authentication, object storage
  • Vercel Inc. (United States) — web hosting, edge runtime
  • Cloudflare Inc. (United States) — DNS, CDN, email routing, edge security
  • Resend, Inc. (United States; outbound via Amazon SES) — transactional email
  • Functional Software, Inc. d/b/a Sentry (United States; EU-region instance) — application-error monitoring
  • PostHog, Inc. (United Kingdom / United States; EU-region instance) — product analytics, consent-gated
  • Anthropic, PBC (United States) — narrative synthesis, recommendation drafting
  • OpenAI, L.L.C. (United States) — fallback narrative synthesis, embedding generation
  • Google LLC (Ireland / United States) — Gemini API for select recommendation paths

Tessera shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes within thirty (30) days of notice. Notice is delivered via email to the Controller's account-owner address and published in the public Tessera Changelog. If the Controller objects on reasonable grounds related to data protection, the parties will work in good faith to find an alternative arrangement; failing which, the Controller may terminate the Tessera account without penalty and withdraw any unspent prepaid balance per §15 of the Terms.

Where any sub-processor fails to fulfil its data-protection obligations, Tessera remains fully liable to the Controller for the performance of that sub-processor's obligations.

8. International transfers

Where Tessera transfers Personal Data outside the European Economic Area, the transfer is carried out under one of the lawful transfer mechanisms in Chapter V of the GDPR, in particular the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), supplemented by the additional technical and organisational safeguards required by the judgment of the Court of Justice of the European Union in Case C-311/18 (Schrems II).

Tessera maintains the Standard Contractual Clauses with each non-EEA sub-processor and provides copies of relevant transfer documentation to the Controller on request.

9. Security measures (Article 32)

Tessera implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • (a) Encryption — TLS 1.2 or higher in transit; AES-256 at rest via Supabase managed encryption
  • (b) Access control — Row-Level Security enabled on every Tessera application table, with separate policies for operator, sponsor, and anonymous access; least-privilege service-role keys; SECURITY DEFINER helper functions with an explicitly locked search_path
  • (c) Authentication — Passwordless magic-link and OTP authentication via Supabase Auth; no user passwords are stored
  • (d) Logging and monitoring — Application-error events captured by Sentry with PII scrubbed (Authorization and Cookie headers are stripped server-side before transmission); access logs are readable only on a need-to-know basis
  • (e) Backups — Automated daily backups of database content with point-in-time recovery via Supabase
  • (f) Audit immutability — Joint Baseline anchors and Monthly Joint Readings are stored with pricing-snapshot version identifiers and are not retroactively mutated; corrections are made by issuing superseding versions, not by overwriting
  • (g) Personnel — Tessera personnel access Controller data only on a need-to-know basis under written confidentiality obligations
  • (h) Vendor security review — Periodic review of database posture using the Supabase Security Advisor; periodic dependency review

In assessing the appropriate level of security, Tessera takes account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
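Illustration of the access-control measures described in (b) above. This is example SQL added here for clarity; it is not Tessera's schema or code. The schema `app`, the table `app.readings` and its columns, and the Supabase conventions it relies on (the `authenticated` role, `auth.uid()`) are assumptions; what it shows is Row-Level Security with separate operator and sponsor policies, an implicit deny for anonymous callers, and a SECURITY DEFINER helper whose search_path is pinned so that no caller-controlled schema can shadow the objects it references.

```sql
-- Added illustration of the Section 9(b) measures; not Tessera's actual schema.
-- Assumed: PostgreSQL 15+ with the Supabase auth schema present (auth.uid())
-- and the Supabase roles anon / authenticated. Table and column names are invented.

create schema if not exists app;

create table if not exists app.readings (
  id           bigint generated always as identity primary key,
  operator_id  uuid not null,   -- auth.users.id of the operator who owns the account
  sponsor_id   uuid,            -- auth.users.id of an optional read-only sponsor
  period       date not null,
  tokens_in    bigint not null,
  tokens_out   bigint not null,
  cost_cents   bigint not null
);

-- 1. Turn RLS on and force it so the table owner is also bound by policies
--    (superusers and BYPASSRLS roles still bypass; keep those server-side only).
--    With RLS enabled and no matching policy, a role sees zero rows: anon gets
--    nothing because no policy below grants it anything.
alter table app.readings enable row level security;
alter table app.readings force row level security;

-- 2. One policy per role class, kept separate rather than OR-ed together so
--    that a change to sponsor access cannot widen operator access by accident.
create policy readings_operator_all on app.readings
  for all to authenticated
  using (operator_id = auth.uid())
  with check (operator_id = auth.uid());

create policy readings_sponsor_read on app.readings
  for select to authenticated
  using (sponsor_id = auth.uid());

-- 3. A SECURITY DEFINER function runs with its owner's privileges. If its
--    search_path were inherited from the caller, a caller able to create
--    objects in an earlier schema could shadow a function or operator the body
--    uses and run their own code as the owner. Pinning search_path in the
--    definition removes that, and every reference is schema-qualified anyway.
--    pg_temp is listed last so temporary objects cannot shadow either.
create or replace function app.monthly_total(p_period date)
returns bigint
language sql
stable
security definer
set search_path = pg_catalog, pg_temp
as $$
  select coalesce(sum(r.cost_cents), 0)::bigint
  from app.readings r
  where r.period = p_period
    and (r.operator_id = auth.uid() or r.sponsor_id = auth.uid());
$$;

-- 4. Least privilege on the helper: SECURITY DEFINER functions are executable
--    by PUBLIC by default, so revoke that and grant only to signed-in users.
revoke execute on function app.monthly_total(date) from public;
grant  execute on function app.monthly_total(date) to authenticated;
```

Two checks worth running against any real deployment built this way: confirm that every table in the application schema has `rowsecurity = true` in `pg_tables`, and that every `prosecdef = true` function in `pg_proc` has `proconfig` containing a `search_path` entry. Both are among the findings the Supabase Security Advisor referenced in (h) reports.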

10. Personal Data breach

Tessera notifies the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data breach affecting Controller data. The notification will, at a minimum:

  • (a) describe the nature of the breach, including the categories and approximate number of data subjects and records affected;
  • (b) communicate the name and contact details of the data-protection contact at Tessera (privacy@tesseraai.io);
  • (c) describe the likely consequences of the breach; and
  • (d) describe the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

Tessera will cooperate with the Controller to enable the Controller to meet its own notification obligations under Articles 33 and 34 GDPR.

11. Retention, return, and deletion

On termination of the Tessera account Tessera will:

  • (a) cease processing Personal Data for the purposes of operating the proxy;
  • (b) delete raw workload-metadata snapshots and any optionally retained prompt/completion logs within thirty (30) days;
  • (c) retain Joint Baseline anchors, Monthly Joint Readings, balance-transaction history, and invoices for the seven (7) year period mandated by Estonian accounting law (Raamatupidamise seadus § 12). These records remain in scope of the security measures of Section 9 but are no longer actively processed; and
  • (d) return to the Controller copies of any Controller-specific deliverables on written request.

After the seven-year retention period, all remaining Personal Data is irreversibly deleted.

12. Audit rights

Tessera makes available to the Controller, upon reasonable written request and subject to confidentiality obligations, all information necessary to demonstrate compliance with this DPA. Subject to a minimum of thirty (30) days' advance notice, no more than once per twelve-month period (save where required by a supervisory authority or in response to a Personal Data breach), the Controller or an independent auditor mandated by the Controller may conduct an audit limited in scope to verification of compliance with this DPA. The Controller bears the cost of any such audit unless the audit reveals material non-compliance, in which case the cost is borne by Tessera.

13. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in §13 of the Terms of Service. Nothing in this DPA limits any liability that cannot lawfully be limited under applicable law, including the liability of a controller or processor under Article 82 GDPR vis-à-vis a data subject.

14. Governing law and disputes

This DPA is governed by the laws of the Republic of Estonia, save where mandatory provisions of the Controller's jurisdiction apply. Disputes arising out of or in connection with this DPA are resolved in accordance with the dispute-resolution provisions of the Terms of Service (§17).

15. Updates

Tessera may update this DPA to reflect changes in law, sub-processor lists, or technical measures. Material updates are published with at least thirty (30) days' notice via the Tessera Changelog and by email to the Controller's notice contact. Non-material updates (clarifications, typographical corrections) are reflected in the effective-date field above and apply on publication.

Tessera DPA v1.0 · Last reviewed 12 May 2026 · Fintechagency OÜ · 16638667

Questions about this DPA? Write to privacy@tesseraai.io.