This Data Processing Addendum ("DPA") forms part of the Terms of Service between:

TEGRALAB S.R.L.
B-dul Dacia nr. 133, Sc. D, Sector 2, București, Romania
CUI: 52851778
("Processor")

and the Customer entity ("Controller").

If there is any conflict between this DPA and the Terms, this DPA prevails with respect to personal data processing.

1. Roles of the Parties

For Customer Data processed through StrainSignal:

• Customer is the Controller
• TEGRALAB S.R.L. is the Processor

Processor processes personal data solely on documented instructions from Controller.

2. Subject Matter and Duration

Subject Matter: Provision of the StrainSignal burnout risk monitoring and behavioral analytics service.

Duration: Processing continues for the duration of the subscription and until deletion upon termination or uninstall.

3. Nature and Purpose of Processing

Processing consists of:

• Receiving Slack event data
• Performing transient pattern matching to detect @mentions
• Generating behavioral metrics
• Producing statistical risk indicators
• Maintaining alert and dashboard functionality

Message content is processed transiently and immediately discarded. It is not stored.

4. Categories of Data Subjects

• Employees
• Contractors
• Slack workspace members
• Administrators

5. Categories of Personal Data

• Slack User ID
• Workspace ID
• Channel identifiers
• Email address
• Display name
• Profile picture
• Message timestamps
• @mention metadata
• Activity frequency metrics
• Derived behavioral metrics
• Risk scores
• Alert history
• Administrative configuration data

6. Processor Obligations

Processor shall:

• Process personal data only on documented instructions of Controller.
• Ensure confidentiality of personnel authorized to process data.
• Implement appropriate technical and organizational security measures.
• Assist Controller in responding to data subject rights requests.
• Assist with GDPR Articles 32–36 obligations where applicable.
• Delete or return personal data upon termination.
• Make available information necessary to demonstrate compliance.

Processor shall not:

• Use personal data for its own marketing purposes.
• Sell personal data.
• Retain message content.

7. Security Measures

Processor implements:

• Encryption in transit (TLS/HTTPS)
• Role-based access control
• Restricted internal access
• Logical isolation of customer environments
• Access logging

Security measures are subject to technical evolution.

8. Subprocessors

Controller authorizes Processor to engage subprocessors, including:

• Hetzner (EU hosting)
• Stripe (billing)
• SendGrid (email delivery)
• Google Analytics (website analytics)
• Cloudflare (CDN/security)

Processor shall:

• Impose data protection obligations on subprocessors.
• Remain liable for subprocessors' compliance.

Controller may object to new subprocessors on reasonable data protection grounds.

9. International Transfers

Where personal data is transferred outside the EEA, Processor shall rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms.

10. Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Data.

Notification shall include:

• Nature of breach
• Categories of data affected
• Likely consequences
• Measures taken or proposed

11. Data Deletion

Upon termination or uninstall:

• All Customer Data is permanently deleted without undue delay.
• No archived copies are retained.
• Backups containing personal data are not preserved beyond deletion processes.

12. Audits

Controller may request reasonable information to verify compliance. On-site audits are limited to situations required by law and subject to reasonable notice and confidentiality.

13. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service.