Teamistry: Data Processing Agreement
Version 1.0, effective 8 July 2026
This Data Processing Agreement ("DPA") forms part of the Teamistry Terms of Service (the "Agreement") between Teamistry Ltd, a company incorporated in the Republic of Cyprus with registration number HE 469419 and registered office at 16 Konstantinopoleos, Aglantzia, Nicosia, Cyprus ("Teamistry", the "Processor") and the Customer identified in the Agreement (the "Customer", the "Controller").
This DPA applies where and to the extent Teamistry processes Personal Data on behalf of the Customer in connection with the Service and reflects the parties' agreement pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR").
1. Definitions
Terms defined in the Agreement have the same meaning here. "Personal Data", "Special Categories of Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data contained in Customer Data that Teamistry processes on the Customer's behalf. "Subprocessor" means a third party engaged by Teamistry to process Customer Personal Data. "Data Protection Law" means the GDPR, the Cyprus Law 125(I)/2018 and any other data protection law applicable to a party's processing under this DPA.
2. Roles and Scope
2.1 The parties acknowledge that, for Customer Personal Data, the Customer is the Controller and Teamistry is the Processor. Where the Customer acts as a processor for a third-party controller, the Customer warrants that its instructions to Teamistry are consistent with that controller's instructions and Teamistry acts as subprocessor.
2.2 The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data and the categories of Data Subjects are set out in Annex 1.
2.3 This DPA does not apply to Personal Data for which Teamistry is an independent controller (such as Customer account and billing data), as described in the Teamistry Privacy Policy.
3. Customer Instructions and Responsibilities
3.1 Teamistry will Process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers to third countries, unless required to do otherwise by European Union or Member State law, in which case Teamistry will inform the Customer of that legal requirement before Processing unless the law prohibits this on important grounds of public interest.
3.2 The Customer's instructions consist of: (a) the Agreement and this DPA; (b) the Customer's and its Authorised Users' configuration and use of the Service (including roles, permissions, features enabled and integrations connected); and (c) any further written instructions agreed by the parties. Teamistry will inform the Customer if, in its opinion, an instruction infringes Data Protection Law.
3.3 The Customer is responsible for: (a) the accuracy, quality and lawfulness of Customer Personal Data and of the means by which it was obtained; (b) establishing a valid legal basis for the Processing, including for Special Categories of Personal Data (such as data revealing health that may be contained in wellbeing check-ins, sickness absence records, or uploaded documents); (c) providing Data Subjects with all required information and notices; and (d) configuring the Service (including Sync-In visibility, Analytics, Documents access and permissions) in accordance with its obligations to Data Subjects.
4. Confidentiality
Teamistry will ensure that all persons it authorises to Process Customer Personal Data are subject to binding obligations of confidentiality (contractual or statutory) and Process the data only as needed to perform under the Agreement.
5. Security
5.1 Teamistry will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risks to Data Subjects. The current measures are described in Annex 2.
5.2 Teamistry may update the measures in Annex 2 from time to time, provided the updates do not materially reduce the overall level of protection.
6. Subprocessing
6.1 The Customer provides general written authorisation for Teamistry to engage Subprocessors. The Subprocessors engaged at the date of this DPA are listed in Annex 3 and at teamistry.ai/legal/subprocessors.
6.2 Teamistry will give the Customer at least 30 days' prior notice (by email to account administrators) before adding or replacing a Subprocessor. The Customer may object on reasonable data protection grounds within 14 days of notice. The parties will discuss the objection in good faith; if it cannot be resolved, the Customer may terminate the affected part of the Service, or the Agreement if the affected part is material and receive a refund of prepaid unused fees.
6.3 Teamistry will impose on each Subprocessor, by written contract, data protection obligations materially equivalent to those in this DPA and remains fully liable to the Customer for the performance of each Subprocessor's obligations.
7. International Transfers
7.1 Customer Personal Data is hosted and stored on infrastructure located in the European Union. Teamistry will not transfer Customer Personal Data outside the European Economic Area except: (a) to Subprocessors listed in Annex 3; or (b) on the Customer's documented instructions (including through the Customer's or its Authorised Users' use of integrations).
7.2 Where a transfer to a third country is made, Teamistry will ensure a valid transfer mechanism under Chapter V GDPR is in place, including: an adequacy decision (such as the EU-US Data Privacy Framework, where the recipient is certified); or the European Commission's Standard Contractual Clauses (Module 3, processor-to-processor, or the applicable module), together with supplementary measures where required, including the data minimisation and pseudonymisation measures described in Annex 2 for AI model providers.
8. Assistance to the Customer
8.1 Data Subject requests. Taking into account the nature of the Processing, Teamistry will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). If Teamistry receives a request directly from a Data Subject relating to Customer Personal Data, it will promptly forward the request to the Customer and will not respond substantively except on the Customer's instructions or where legally required.
8.2 Security, breach, DPIA. Taking into account the nature of the Processing and the information available to it, Teamistry will assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 GDPR, including reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities that relate to the Service.
8.3 Assistance beyond the standard functionality of the Service and reasonable cooperation may be charged at Teamistry's then-current reasonable rates, except where the need for assistance arises from Teamistry's breach of this DPA.
9. Personal Data Breach
9.1 Teamistry will notify the Customer without undue delay and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate numbers of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address it and a contact point; information may be provided in phases as it becomes available.
9.2 Teamistry will take reasonable steps to contain, investigate and mitigate the breach and will cooperate with the Customer's reasonable requests in connection with the Customer's own notification obligations. Teamistry's notification of a breach is not an acknowledgement of fault or liability.
10. Deletion and Return
10.1 During the term, the Customer may delete Customer Personal Data through the functionality of the Service or by written instruction.
10.2 Upon termination or expiry of the Agreement, Teamistry will make Customer Personal Data available for export for 30 days and thereafter delete all Customer Personal Data within 90 days, unless European Union or Member State law requires storage. Data in encrypted backups is deleted or overwritten in the ordinary rotation of backup cycles, within 90 days and is not restored to production except for disaster recovery.
10.3 On written request, Teamistry will confirm deletion in writing.
11. Audits and Information
11.1 Teamistry will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR, including responses to reasonable written security questionnaires and copies of relevant certifications, summaries of penetration tests, or third-party audit reports where available.
11.2 Where the information under 11.1 is not sufficient to demonstrate compliance, the Customer (or an independent auditor mandated by it that is not a competitor of Teamistry) may audit Teamistry's compliance with this DPA, no more than once per 12-month period (except following a Personal Data Breach or where required by a Supervisory Authority), on at least 30 days' written notice, during business hours, without disrupting operations, subject to confidentiality obligations and at the Customer's cost.
12. Liability, Precedence and General
12.1 Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent liability cannot be limited under Data Protection Law. Nothing in this DPA limits a Data Subject's rights under the GDPR.
12.2 In the event of conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. If the Standard Contractual Clauses apply to a transfer and conflict with this DPA, the Standard Contractual Clauses prevail for that transfer.
12.3 This DPA takes effect on the effective date of the Agreement and remains in force for as long as Teamistry processes Customer Personal Data. Sections 9, 10 and 12 survive until deletion is complete.
12.4 This DPA is governed by the laws of the Republic of Cyprus and the courts of Nicosia have exclusive jurisdiction, as set out in the Agreement.
Annex 1: Details of Processing
Subject matter: Provision of the Teamistry team management platform and related support.
Duration: The term of the Agreement, plus the export and deletion periods in Section 10.
Nature and purpose: Hosting, storage, retrieval, display, analysis, notification and related processing operations required to provide the features of the Service, including dashboards, profiles, weekly check-ins (Sync-In), performance management (Elevate), idea management (Spark Zone), analytics, leave management, document storage, calendar-based availability and meeting-load analytics, integrations (Slack, Microsoft Teams, Google Calendar, Outlook), notifications and the AI Assistant.
Categories of Data Subjects: The Customer's employees, contractors and other Authorised Users; individuals referenced in Customer Data (for example, in documents or free-text fields).
Categories of Personal Data:
- Identification and profile data: name, work email, role, team, skills, interests, career background, photo.
- Check-in and engagement data: mood, workload, planned attendance, priorities, challenges, shout outs and related trends.
- Performance data: goals, progress, self-assessments, manager assessments and reviews.
- Leave data: requests, types (including sickness absence), balances, history, approvals.
- Documents: files uploaded to the Service, which may include employment contracts, payslips and other HR documents containing salary, financial, identification and contractual information.
- Calendar data (where connected): event start/end times, event status, whether an event has other attendees (boolean) and the user's response status. Event titles, descriptions, locations and other attendees' identities are processed transiently and not retained.
- Collaboration and usage data: ideas, comments, likes, notifications, AI Assistant conversations, log and usage data.
Special Categories of Personal Data: Data revealing health may be processed where contained in wellbeing/mood responses, sickness absence records, or documents uploaded by the Customer. The Customer is responsible for the legal basis and Article 9 GDPR condition for such data.
Annex 2: Technical and Organisational Measures
- Hosting and storage: All Customer Personal Data is hosted and stored in the European Union (Railway, EU region), with logical separation between customers.
- Encryption: Data encrypted in transit (TLS) and at rest.
- Access control: Role-based access controls within the Service mirroring the Customer's configured permission structure; access to production systems restricted to authorised Teamistry personnel on a need-to-know basis, with two-factor authentication and access logging.
- Data minimisation for AI processing: Before Customer Personal Data is sent to the AI model provider, Teamistry applies data minimisation measures, including removal or pseudonymisation of direct identifiers where feasible, so the provider receives only what is necessary to generate the response. AI inference is performed exclusively on infrastructure located in the EU by a provider that does not retain prompts or responses and is engaged on terms that do not permit use of the data to train AI models.
- Calendar data minimisation: Only the minimal calendar fields listed in Annex 1 are retained; content fields are discarded immediately after processing.
- Backups and resilience: Regular encrypted backups within the EU, with defined rotation and restoration procedures.
- Personnel: Confidentiality obligations for all personnel; security awareness practices.
- Incident response: Procedures for detecting, containing and notifying Personal Data Breaches in accordance with Section 9.
- Development practices: Code changes are reviewed before deployment and staging environments are separated from production.
Annex 3: Authorised Subprocessors
| Subprocessor | Purpose | Location / transfer mechanism |
|---|---|---|
| Railway Corporation | Infrastructure, hosting and storage | Data hosted in EU region; US entity. Standard Contractual Clauses (per Railway's DPA) |
| Google (Google Workspace) | Transactional email delivery | USA/EU. EU-US Data Privacy Framework (certified) |
| Mixpanel, Inc. | Product usage analytics | EU data residency; US entity. Standard Contractual Clauses with transfer impact assessment (per Mixpanel's DPA) |
| TensorX | AI model provider (AI Assistant) | EU (Irish entity; inference in Dublin and Helsinki). No third-country transfer; zero retention of prompts and responses |
| Langfuse GmbH | AI Assistant observability and diagnostics | EU (German entity; EU-hosted). No third-country transfer |
The current list is maintained in this Annex and at teamistry.ai/legal/subprocessors. Changes are notified in accordance with Section 6.
Teamistry Ltd · 16 Konstantinopoleos, Aglantzia, Nicosia, Cyprus · HE 469419 · alexandros@teamistry.ai