Legal document
GDPR Compliance
Version 1.0 · Effective from May 1, 2026
Tessera takes on its GDPR obligations from service design onwards: EU data residency on request, a public subprocessor list, a DPA available across all tiers and an accessible Data Protection Officer (DPO). This document details what that means in practice.
1. Roles under GDPR
Tessera acts as data controller for its customers’ personal data (account, billing, usage). Tessera acts as processor when the customer processes third-party personal data through the API; in this case, the customer is the controller and the relationship is governed by the DPA at /dpa.
2. Data subject rights
Any natural person whose data is processed by Tessera has the following rights:
- Access: confirmation and copy of processed data.
- Rectification: correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): deletion when data is no longer necessary or consent is withdrawn.
- Objection: objection to processing based on legitimate interest.
- Restriction: temporary restriction of processing.
- Portability: receive data in a structured, readable format.
- Not to be subject to automated decisions with significant legal effects.
3. How to exercise rights
The customer or data subject sends an email to privacy@tesseraai.cloud or dpo@tesseraai.cloud identifying themselves with reasonable certainty (no official ID required except in justified fraud cases). Tessera responds within a maximum of one calendar month, extendable by two additional months in complex cases with prior notice. The response is free except for manifestly unfounded or excessive requests.
4. International transfers
When a customer contracts EU residency, data does not leave the European Economic Area. For customers contracting other regions (LATAM, US), transfers occur under European Commission Standard Contractual Clauses or equivalent adequacy decisions, documented in the DPA.
5. Breach notification
In the event of a security breach that may pose a risk to rights and freedoms, Tessera will notify the competent supervisory authority within a maximum of 72 hours, and the affected customer without undue delay when applicable. The notification includes a description of the incident, the affected data, the measures taken and the DPO contact.
6. Data Protection Officer
Tessera formally designates a DPO reachable at dpo@tesseraai.cloud. The DPO supervises GDPR compliance, handles data subject requests, and cooperates with the Spanish Data Protection Agency (AEPD).
Contact
- Privacy: privacy@tesseraai.cloud
- Data Protection Officer: dpo@tesseraai.cloud
Changelog
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-05-01 | Initial publication. |