Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement (DPA) forms part of the Terms of Service between Tempered, a trading style of Your Systems Team Limited (the “Processor”), as provider of Tempered, a decision-enrichment service (the “Platform”), and you (the “Controller”). It governs the processing of personal data in connection with the Platform.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1)
- Processing: Any operation performed on personal data, as defined in UK GDPR Article 4(2)
- Sub-processor: A third party engaged by Tempered to process personal data on behalf of the Controller
2. Scope of Processing
| Aspect | Detail |
|---|---|
| Subject matter | Providing AI-powered decision-enrichment analysis through the Platform |
| Duration | For the term of your subscription plus 30 days |
| Nature and purpose | Processing evaluation requests submitted by the Controller through AI vendor APIs and returning structured enrichment data (dimensional analysis, multi-model perspectives, preflight checks, outstanding questions) for use by the Controller in its own decision-making. The Platform does not make decisions on behalf of the Controller; the Controller remains the decision-maker. |
| Types of personal data | Any personal data contained in evaluation requests submitted by the Controller |
| Categories of data subjects | Determined by the Controller based on the content submitted for evaluation |
3. Controller Obligations
You acknowledge that:
- You are responsible for the lawfulness of any personal data included in evaluation requests
- You have obtained any necessary consents or have another lawful basis for sharing data with Tempered
- You will not submit special category data (Article 9) unless you have explicit consent or another applicable exemption
4. Processor Obligations
Tempered will:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 6)
- Not engage sub-processors without prior notice to the Controller (see Section 5)
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data upon termination, at the Controller’s choice
- Make available all information necessary to demonstrate compliance
5. Sub-processors
Tempered uses the following sub-processors to deliver the Platform:
| Sub-processor | Role | Data Shared | Location | DPA |
|---|---|---|---|---|
| Anthropic | AI vendor (Claude) | Evaluation request content | US (EU adequacy) | In place |
| OpenAI | AI vendor (GPT) | Evaluation request content | US | In place |
| Google (Gemini) | AI vendor | Evaluation request content | US / EU | In place |
| Cohere | AI vendor (Command R+) | Evaluation request content | Canada | In place |
| Stripe | Payment processing | Billing contact details only | US | In place |
| Cloudflare | Cloudflare Tunnel + DNS | TLS metadata, request headers | Global | In place |
| Backblaze B2 | Offsite encrypted backups | Encrypted database backups (client-side encrypted via Restic) | US | In place |
| Sentry | Error tracking (PII scrubbed) | Crash context with PII redacted before transmission | US | In place |
| Google Workspace | Inbound support and privacy email | Any customer email sent to support@temperedrisk.ai or privacy@temperedrisk.ai | US / EU | In place |
All sub-processors have a Data Processing Agreement in place. We will notify you of any changes to sub-processors with at least 30 days’ notice. You may object to a new sub-processor, in which case we will work with you to find a resolution or you may terminate the affected Platform access.
6. Security Measures
Tempered implements the following technical and organisational measures:
- Encryption in transit: TLS 1.2+ on all connections
- Encryption at rest: AES-256 for stored data
- Tenant isolation: Logical separation of customer data using contextvar-based isolation with per-query enforcement
- Access control: Role-based access control, API key authentication with SHA-256 hashed storage
- Monitoring: Continuous security monitoring, intrusion detection, and audit logging
- Secret management: HashiCorp Vault for credential storage with automated rotation
- Infrastructure: Hardened hosts following CIS benchmarks
7. Data Breach Notification
In the event of a personal data breach, Tempered will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware
- Provide details of the nature of the breach, categories of data affected, and measures taken
- Cooperate with the Controller’s obligations under UK GDPR Articles 33 and 34
8. International Transfers
Where personal data is transferred to AI vendor APIs outside the UK, Tempered ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or processing in jurisdictions with adequacy decisions.
9. Audit Rights
The Controller has the right to audit Tempered’s compliance with this DPA. Tempered will cooperate with reasonable audit requests, subject to confidentiality obligations and reasonable notice.
10. Termination
Upon termination of the Platform:
- All personal data will be deleted within 30 days unless legal retention obligations apply
- The Controller may request data export before deletion
- Tempered will provide written confirmation of deletion upon request
11. Contact
For DPA-related enquiries, including data subject rights requests and sub-processor objections:
- Tempered, a trading style of Your Systems Team Limited (Company No. 06798860)
- ICO Registration: ZC102414
- Registered address: 1 Peach Street, Wokingham, England, RG40 1XJ
- Email: privacy@temperedrisk.ai