Data Processing Addendum (GDPR-DPA)

  1. Purpose and Scope

This Agreement governs the processing of personal data by General Agency AI, Inc ("Processor") on behalf of the user ("Controller") in connection with the services provided under the main service agreement (“Principal Agreement”).
Processor shall process personal data solely on Controller’s documented instructions and only for the purposes described in Annex I.

  2. Roles and Responsibilities

Controller determines the purposes and means of processing.

Processor acts only under Controller’s instructions and ensures confidentiality, security, and compliance with applicable law, including the EU GDPR (2016/679), UK GDPR, and, where applicable, the U.S. HIPAA BAA framework.

Processor shall not engage another subprocessor without prior written authorization (general authorization granted in Annex III).

  3. Data Processing Obligations

Processor shall:

  • Process data only for the specified purposes and in accordance with Controller’s instructions.

  • Ensure personnel are bound by confidentiality obligations.

  • Implement appropriate technical and organizational measures as detailed in Annex II.

  • Assist Controller in complying with Articles 32–36 GDPR (security of processing, breach notification to the supervisory authority and to data subjects, data protection impact assessments, and prior consultation) and with requests from data subjects under Articles 12–22 GDPR.

  • Maintain records of processing activities under Article 30(2) GDPR.

  • Notify Controller without undue delay of any data breach or security incident.

  4. Security and Confidentiality

Processor implements administrative, physical, and technical safeguards to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
All personal data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256); access is restricted by least-privilege controls and is logged for audit.

  5. Subprocessing

Processor may engage subprocessors listed in Annex III.
Controller grants a general authorization for subprocessors, provided Processor ensures:

  • A written DPA or equivalent safeguards (Art. 28 GDPR) are in place with each subprocessor;

  • Subprocessors provide sufficient guarantees of appropriate technical and organizational measures;

  • Controller is notified in advance of any intended addition or replacement of subprocessors and may object on reasonable grounds.

  6. International Data Transfers

Where personal data is transferred outside the EEA/UK, the parties rely on Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR.
Supplementary safeguards include encryption, pseudonymization, and access-limitation protocols.
Transfers to the United States occur to Processor’s infrastructure located in San Francisco (US-SFO) for service provision and support.

  7. Assistance with Data Subject Rights

Processor shall assist Controller in responding to data-subject requests under Articles 15–22 GDPR, including access, rectification, erasure, restriction, portability, and objection.
Processor shall promptly notify Controller of any such request and act only on Controller’s documented instructions.

  8. Data Breach Notification

In the event of a personal-data breach, Processor shall notify Controller without undue delay (and no later than 72 hours after becoming aware).
The notification shall include the nature of the breach, likely consequences, and measures taken or proposed to mitigate possible adverse effects.

  9. Data Retention and Deletion

Upon termination of the Principal Agreement, Processor shall, at Controller’s choice, delete or return all personal data (and delete all existing copies) unless applicable law requires retention.
Log data is retained for 90 days post-termination unless otherwise required by contract or regulation.

  10. Audits and Inspections

Processor shall make available all information necessary to demonstrate compliance with this Agreement and shall allow for audits by Controller or an appointed independent auditor (subject to confidentiality).
Audits shall be limited to once annually unless triggered by a security incident.

  11. Liability and Indemnity

Each party’s liability under this Agreement is subject to the limitations in the Principal Agreement, except that neither party excludes or limits liability for breaches of confidentiality or data-protection obligations that result in regulatory penalties or data-subject harm.

  12. Governing Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States, excluding conflict-of-law principles.
Any disputes shall be brought before the state or federal courts located in San Francisco County, California.

  13. Duration

This Agreement remains in effect for as long as Processor processes personal data on behalf of Controller.

Annex I — Description of Processing

Subject Matter: Operation of the Tessa AI automation platform and related support services.
Nature of Processing: Storage, retrieval, execution of workflow automation, communication, and analytics.
Purpose: Provision of contracted services, technical maintenance, compliance reporting, and product improvement.
Types of Personal Data:

  • User identifiers (name, email, account ID)

  • Workflow configurations, OAuth tokens

  • System logs and analytics metadata

  • Constituent or health-related records (under BAA or public-sector contract)

Data Subjects: Customers, government employees, constituents, patients (where applicable).
Retention: During service term; logs 90 days post-account closure.

Annex II — Technical and Organizational Measures

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).

  • Role-based access control with MFA.

  • Regular vulnerability scanning and penetration testing.

  • Continuous monitoring and security logging.

  • Secure deletion protocols upon account termination.

  • SOC 2 Type I & II controls (in progress).

  • HIPAA-compliant security policies and audit trail maintenance.

  • Employee confidentiality and data-protection training.

  • Annual review of security measures and subprocessors.

Annex III — Authorized Subprocessors

A list of subprocessors may be found at: https://trust.delve.co/general-agency#subprocessors