Legal document
Data Processing Agreement (DPA)
Version 1.0 · Effective from May 1, 2026
This document describes the content of the DPA that Tessera Cloud, S.L. signs with each customer processing third-party personal data through the API. The final version is signed electronically at the start of the commercial contract. This summary is binding in its content but does not replace the signed text.
1. Roles
The customer acts as data Controller. Tessera acts as data Processor. Tessera processes personal data solely on the customer’s documented instructions, except where required by applicable law.
2. Subject matter and duration
Processing takes place during the term of the commercial contract between the parties. It covers exclusively the personal data the customer processes through the Tessera API (api.tesseraai.cloud).
3. Nature of processing
Tessera processes data solely to: execute customer inference requests, maintain service logs for 90 days, and meet security and availability obligations. Data is not processed for model training, internal profiling or commercial analytics.
4. Data categories and data subjects
Specific categories depend on the customer’s use case. By default, Tessera processes the data sent in request bodies (text, audio, embeddings) without prior classification. If the customer sends Article 9 GDPR special categories, they must declare it beforehand and sign a specific schedule.
5. Subprocessors
Tessera uses the subprocessors listed at /subprocessors. Any change is notified to the customer with a minimum 30-day notice, during which the customer may object and terminate the contract without penalty if the objection is unresolved.
6. Technical and organisational measures
Tessera implements the following minimum measures:
- Encryption in transit (TLS 1.3) on all API communications.
- Encryption at rest (AES-256) for logs and persisted data.
- Tenant isolation on Pro tiers and above; controlled multi-tenancy on Lite and Async.
- Role-based access control (RBAC) and mandatory multi-factor authentication for internal personnel.
- Centralised audit of access to customer data.
- Documented business continuity and disaster-recovery plan with quarterly drills.
- Vulnerability-management programme with patch SLA for critical CVEs.
7. Breach notification
Tessera notifies the customer of any security breach affecting their data without undue delay and within a maximum of 48 hours from awareness. The notification includes a description of the breach, the affected data, the measures taken and the DPO contact.
8. Cooperation and audit
Tessera cooperates with the customer in handling data subject rights, impact assessments (DPIA) and audits. Scale and Enterprise customers may request an on-site audit with reasonable notice or accept equivalent external audit reports (SOC 2 when available).
9. Return and deletion at end of contract
Upon termination, Tessera returns the data to the customer in structured format for 30 days. After that period, data is irreversibly deleted, except where specific legal retention applies.
10. International transfers
If the customer contracts EU residency, data does not leave the EEA. For LATAM or US residency, transfers occur under European Commission Standard Contractual Clauses (Decision 2021/914) or equivalent adequacy decisions.
Contact
- Request signable DPA template: legal@tesseraai.cloud
- Privacy and DPO: dpo@tesseraai.cloud
Changelog
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-05-01 | Initial publication. |