Data Processing Addendum — temporalBLOCK

Version 1.6.0 · Last updated 2026-06-05 · Last reviewed by counsel: NOT YET REVIEWED BY COUNSEL ⚠ This is a first draft published in good faith while attorney review is being arranged.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between [ENTITY NAME] ([ENTITY ADDRESS]) ("Processor," "we") and the entity that has agreed to those Terms ("Controller," "Customer," "you"). It governs the processing of Personal Data that the Processor performs on behalf of the Controller in providing the temporalBLOCK Service.

Capitalized terms not defined here have the meanings given in the Terms of Service, or, where applicable, in Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, or the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").

For Customers who do not require a separately-countersigned DPA, the terms below apply automatically by virtue of the Customer's acceptance of the Terms of Service. For Customers who require a countersigned copy, an executable PDF version with signature blocks is available on request from legal@temporalblock.com.

1. Roles and scope

The Controller determines the purposes and means of processing Personal Data submitted to the Service. The Processor processes that Personal Data solely on the documented instructions of the Controller, which instructions are set out in the Terms of Service, this DPA, and the Customer's use of the Service.

This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in connection with the Service. It does not apply to information for which the Processor is itself the controller (waitlist signups, dashboard accounts, billing records — those are governed by the Privacy Policy at /privacy).

2. Processor obligations

The Processor will:

Process only on documented instructions from the Controller, except where required to do otherwise by Union or Member-State law applicable to the Processor, in which case the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.
Ensure confidentiality by binding personnel authorized to process Personal Data to appropriate confidentiality obligations.
Implement and maintain technical and organizational security measures as described in Annex II below.
Assist the Controller, taking into account the nature of the processing and the information available, in fulfilling its obligations under Articles 32–36 of the GDPR (security, breach notification, data-protection impact assessments, prior consultation).
Assist the Controller in responding to data-subject rights requests by providing the dashboard's export and deletion tools and by responding to direct requests within a reasonable time.
Delete or return Personal Data at the end of the provision of the Service, at the Controller's choice, except where retention is required by applicable law (e.g. billing records).
Make available to the Controller all information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits as described in §7 below.

3. Sub-processors

The Controller authorizes the Processor to engage sub-processors to process Personal Data on the Controller's behalf, subject to the conditions below.

3.1 Current sub-processor list

The current sub-processors are listed in Annex III. The list is also reproduced in the Privacy Policy at /privacy §3.1 for the convenience of data subjects.

3.2 Notice of new sub-processors

The Processor will give the Controller at least 30 days' advance notice of any addition or replacement of a sub-processor by updating the Annex III list, by bumping the version of this DPA in its CHANGELOG.md, and by emailing the address associated with the Controller's account.

3.3 Right to object

The Controller may object to a new sub-processor on reasonable data-protection grounds by replying to the notification email within the 30-day notice period. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service on written notice with a pro-rata refund of any prepaid fees for the unused portion of the term.

3.4 Sub-processor obligations

The Processor will impose on each sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to the Controller for the acts and omissions of its sub-processors as if they were its own.

4. International data transfers

The Service is operated from Microsoft Azure regions in the United States. Where the Controller is established in the European Economic Area, the United Kingdom, or Switzerland, and Personal Data is transferred from those territories to the Processor or its sub-processors in a third country that has not been deemed adequate by the European Commission (or, for the UK, the Secretary of State), the transfer is governed by:

EEA / Switzerland: the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller-to-processor), which are incorporated by reference and form an integral part of this DPA. The Clauses are completed as set out in Annex IV.
United Kingdom: the International Data Transfer Addendum (ICO version A1.0, in force 21 March 2022) is incorporated by reference to extend the SCCs to UK transfers, with the table selections in Annex IV.

In the event of a conflict between this DPA and the SCCs or the UK Addendum, the SCCs / UK Addendum prevail.

5. Security

The Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to. The specific measures are described in Annex II below, which is updated as security measures evolve; material changes will be communicated alongside DPA version bumps.

6. Personal data breach notification

The Processor will notify the Controller of any personal data breach affecting Controller Personal Data without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will, to the extent reasonably available at the time, include:

the nature of the breach, the categories and approximate number of data subjects and records affected;
the name and contact details of the Processor's contact point;
the likely consequences of the breach;
the measures taken or proposed to address the breach and mitigate adverse effects.

The Processor will keep the Controller updated as further information becomes available, and will cooperate with the Controller's regulator-notification obligations under Article 33 of the GDPR or equivalent law.

7. Audits

The Processor will, on the Controller's reasonable written request no more than once per twelve-month period (or more frequently if required by a supervisory authority or following a confirmed breach affecting the Controller's Personal Data), provide:

a copy of its most recent third-party audit reports (e.g. SOC 2 Type II, ISO 27001) where available; or
written responses to a reasonable security questionnaire; and
where the above is not sufficient to demonstrate compliance, the ability to conduct an on-site audit at a mutually agreed time during business hours, at the Controller's cost, conducted in a manner that does not disrupt the Service or risk the security of other customers' data.

Note: as of v1.0.0 of this DPA the Processor does not hold a SOC 2 Type II report; security-questionnaire responses are the available mechanism. The Security & Enterprise-Readiness Roadmap tracks the path to formal certification.

8. Term and termination

This DPA is effective from the date the Controller first uses the Service or signs the Terms of Service and continues until the Terms of Service terminate. On termination, the Processor will, at the Controller's choice, return or delete Controller Personal Data within 30 days, except where retention is required by applicable law or for the establishment, exercise, or defense of legal claims.

9. Liability

The Parties' liability under this DPA is subject to the limitations in the Terms of Service.

10. Governing law

This DPA is governed by the same law as the Terms of Service (California, USA), except that the EU SCCs are governed by the law of the EU Member State indicated in Annex IV, and the UK IDTA Addendum is governed by the laws of England and Wales.

Annex I — Details of processing

A. List of parties. Data exporter (Controller): the Customer. Data importer (Processor): [ENTITY NAME], [ENTITY ADDRESS], contact support@temporalblock.com.

B. Description of the processing.

Field	Detail
Categories of data subjects	The Customer's end users whose information appears in prompts submitted to the API, plus the Customer's own personnel who access the dashboard.
Categories of Personal Data	Whatever the Customer chooses to include in their prompts; the API does not require any specific category. Plus: API key prefixes, source IPs, `User-Agent` strings, request timing, and usage counters generated by the Customer's use of the Service.
Sensitive data	The Service is not designed for and should not be used to process special-category data under GDPR Art. 9 (health, biometric, racial / ethnic origin, political opinions, religious beliefs, sex life, sexual orientation) or criminal-conviction data. If you intend to process such data, contact us first.
Frequency of transfer	Continuous (on-demand, per API call).
Nature of the processing	Hosted REST API computing temporal context blocks; logging for security and billing; transit through sub-processor systems as listed in Annex III.
Purpose of the processing	Providing the Service to the Controller.
Retention	Per the Retention table in the Privacy Policy §9.
Sub-processor details	See Annex III.

C. Competent supervisory authority. The supervisory authority of the EEA Member State in which the Controller's EU representative is established, or where the Controller is itself established in the EEA, the supervisory authority of that Member State. For UK Controllers, the Information Commissioner's Office.

Annex II — Technical and organizational security measures

Domain	Measure
Transport encryption	TLS 1.3 minimum on `api.temporalblock.com`; ECDHE key exchange; AES-256-GCM bulk cipher; Azure-managed certificates with automatic rotation. See `/security` for detail.
Storage encryption	PostgreSQL encryption-at-rest using Azure-managed keys; backups encrypted with the same.
Authentication — customers	Clerk-managed authentication on the dashboard; password + OAuth (Google, GitHub). Session cookies are HttpOnly + Secure + SameSite=Lax.
Authentication — internal	Azure AD single-sign-on for operator access to production; MFA required.
Authorization	Tiered API keys (`lite` / `standard` / `pro` / `enterprise`) with per-tier rate limits and quota enforcement. Per-customer audit log of admin actions.
Secret handling	BYOK provider keys are pass-through-only: in-memory for the request lifetime, never written to durable storage, redacted from logs (locked-in by `tests/loggerRedaction.test.ts`).
Logging	Application logs to Azure Monitor (90-day retention); audit log for admin actions (90-day retention); usage aggregates (`usage_monthly`) indefinite for billing history.
Rate-limiting and abuse protection	Per-tier per-minute limits; per-IP authed and unauthed limits; auth-failure throttling; per-provider circuit breakers on upstream sync calls.
Backup	PostgreSQL automated backups via Azure Database for PostgreSQL (point-in-time restore, default 7-day window).
Vulnerability management	Dependency audit (`npm audit`) and static-analysis scans run on every release; security roadmap tracked in `.local/ops/security-roadmap.md`.
Incident response	Defined breach-notification workflow per §6; on-call rotation for the API service; security disclosures via `support@temporalblock.com`.
Physical security	Inherited from Microsoft Azure data-center controls (ISO 27001, SOC 2 Type II, FedRAMP High where applicable).
Personnel	All personnel with access to Controller Personal Data are bound by written confidentiality obligations and complete security-awareness training annually.
Disaster recovery	Stateless application tier; data-tier backed up as above; failover playbook tracked in the operations notes.

Annex III — Sub-processors

Sub-processor	Function	Location of processing
Microsoft Azure (Azure App Service, Azure Static Web Apps, Azure Monitor, Azure Database for PostgreSQL)	Cloud hosting, TLS termination, logging, database.	United States (configurable per Customer on request for Enterprise).
Clerk	Customer authentication for the dashboard.	United States.
Mailgun (a Sinch company)	Outbound transactional email.	United States.
Stripe	Payment processing for paid plans and PAYG.	United States.
OpenAI, Anthropic, Google, Perplexity, Brave, SerpAPI	Only when the Customer opts in by supplying a BYOK key for that provider — the Customer's prompt is forwarded to that provider on the Customer's behalf.	Per each provider's published infrastructure.

Annex IV — SCC and UK IDTA elections

SCCs — Module selected: Module 2 (controller-to-processor).

SCCs — Clause 7 (docking): does not apply unless and until an additional party joins.

SCCs — Clause 9 (sub-processors): Option 2 (general written authorization), with the 30-day prior-notice period set out in §3.2 of this DPA.

SCCs — Clause 11 (redress): the optional independent dispute-resolution body is not elected.

SCCs — Clause 17 (governing law): the laws of Ireland.

SCCs — Clause 18 (forum): the courts of Ireland.

SCCs — Annex I.A (Parties): as set out in this DPA's Annex I.A.

SCCs — Annex I.B (Description of transfer): as set out in this DPA's Annex I.B.

SCCs — Annex I.C (Competent supervisory authority): as set out in this DPA's Annex I.C.

SCCs — Annex II (Technical and organizational measures): as set out in this DPA's Annex II.

SCCs — Annex III (Sub-processors): as set out in this DPA's Annex III.

UK IDTA Addendum — Table 1 (Parties): as set out in this DPA's Annex I.A. UK IDTA Addendum — Table 2 (SCCs version): the Approved SCCs in force as referenced above. UK IDTA Addendum — Table 3 (Appendix Information): the SCC Annexes above. UK IDTA Addendum — Table 4 (Termination right): the Importer may terminate as set out in the Addendum.