Data Processing Addendum

Last updated: April 15, 2026

About this addendum

This Data Processing Addendum ("DPA") supplements the Terms of Service between Tome Robot and the customer ("Customer") and applies to any processing of Personal Data by Tome Robot on behalf of Customer in connection with the Service. It is drafted to meet Article 28 of the EU General Data Protection Regulation (GDPR) and the equivalent UK GDPR. Where Customer is subject to the California Consumer Privacy Act (CCPA / CPRA), Tome Robot acts as a "service provider" and will not sell or share Personal Data or use it outside the direct business purpose of providing the Service.

A countersigned copy is available on request for Business and Enterprise plans. Using the Service while this DPA is in force constitutes acceptance.

Roles of the parties

Customer is the Controller of Personal Data it uploads or generates through the Service. Tome Robot is the Processor acting on Customer's documented instructions, which are: (a) these Terms and DPA, (b) the configuration choices Customer makes in the web app, and (c) any further written instructions Customer gives that are consistent with the Service.

Nature, purpose, and duration

Subject matter: providing the Tome Robot Service to Customer.
Nature and purpose: capturing screen walkthroughs via a Chrome extension, storing and processing recordings, generating help articles and AI narration, and making the resulting content searchable for Customer's authorized users.
Categories of data subjects: Customer's employees, contractors, and other authorized users of the Service, and any individuals who appear incidentally in recorded screens.
Categories of Personal Data: name, email address, workspace role, hashed authentication credentials or OAuth identifiers, recorded screen and tab video, click and keyboard event metadata, page URLs, DOM snippets, OCR text, optional microphone narration, and AI-generated text derived from the above.
Duration: the term of the subscription, plus the deletion windows described below.

Tome Robot's obligations

  • Process Personal Data only on Customer's documented instructions, including for international transfers.
  • Ensure personnel authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see below).
  • Assist Customer, taking into account the nature of processing, in responding to data-subject requests.
  • Assist Customer with data protection impact assessments and prior consultations with supervisory authorities where required.
  • Delete or return Personal Data at the end of the subscription, as described below.
  • Make available the information necessary to demonstrate compliance with Article 28 and allow for audits as described below.

Security measures

Tome Robot maintains the technical and organizational measures set out in our Security overview, including: encryption in transit (TLS 1.2+) and at rest; per-tenant query scoping; role-based access control for customer admins; least privilege for Tome Robot personnel; secret management via the hosting provider; audit logging of privileged actions; regular dependency and vulnerability scanning; and documented incident response.

Sub-processors

Customer authorizes Tome Robot to engage the sub-processors listed in our Privacy Policy. As of the effective date these are Cloudflare, Inc. (hosting, storage, and Workers AI inference), Microsoft (Azure Cognitive Services Speech for text-to-speech), Google LLC (only if Customer enables Google sign-in), and Pushmail (transactional email). Tome Robot will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for their acts and omissions to the extent required by GDPR Article 28(4).

Tome Robot will give Customer at least 30 days' notice before adding or replacing a sub-processor that processes Customer Personal Data. If Customer reasonably objects on data-protection grounds, Customer may terminate the affected subscription.

International transfers

Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum by reference, with Tome Robot as data importer and Customer as data exporter. Docking, options, and governing law follow the defaults in those clauses unless otherwise agreed in writing.

Data subject requests

Tome Robot will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligation to respond to requests from data subjects exercising their rights under applicable law. Most access, export, and deletion requests can be handled by Customer directly in the web app. For anything else, Customer can contact sean@inventivehq.com.

Personal data breach notification

Tome Robot will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer's Personal Data. The notification will describe (to the extent known) the nature of the breach, the categories and approximate number of affected data subjects and records, the likely consequences, and the measures taken or proposed to address it.

Audits

Tome Robot will make available to Customer, on written request and subject to confidentiality, the information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and security summaries. Where applicable law requires an on-site audit, the parties will agree on scope, timing and cost in advance.

Deletion at end of services

On termination or expiration of the subscription, Tome Robot will delete Customer Personal Data from active systems within 30 days and from routine backups within 90 days, unless law requires longer retention. Customer may export its data before deletion using the REST API or the web app.

Contact

Privacy and data protection questions: sean@inventivehq.com.