1. Parties
This Data Processing Agreement ("DPA") is entered into between Tootela SAS ("Processor" or "Tootela") and the customer who has accepted the Tootela Terms of Service ("Controller" or "Customer"). It forms part of the Terms of Service and applies whenever Tootela processes Personal Data on behalf of the Customer.
2. Definitions
Capitalised terms used here have the meanings set out in the EU General Data Protection Regulation 2016/679 ("GDPR") unless otherwise stated. "Personal Data", "Data Subject", "Processing", "Personal Data Breach", "Controller", "Processor" and "Subprocessor" follow the GDPR definitions. "Customer Content" has the meaning given in the Terms of Service.
3. Subject & duration
The subject matter, nature, purpose, types of Personal Data and categories of Data Subjects are described in Annex A. This DPA applies for the duration of the Customer's subscription, plus the post-termination period necessary to return or delete data as described in section 12.
4. Processing only on documented instructions
Tootela processes Personal Data only on the documented instructions of the Customer, which include the Terms of Service, the configuration choices made in the Customer's workspace, and any further instructions agreed in writing. Tootela will inform the Customer if it considers an instruction infringes the GDPR or other applicable data protection law.
Tootela does not process or transfer Personal Data for any purpose outside the scope of this DPA, does not sell Personal Data, and does not use Customer Content to train AI models.
5. Confidentiality
Tootela ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and are trained on data protection.
6. Security measures
Tootela implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. The current TOMs are described in Annex B. Tootela may update TOMs from time to time provided the level of protection is not reduced.
7. Subprocessors
The Customer authorises Tootela to engage the Subprocessors listed in Annex C, and any other Subprocessor notified to the Customer at least 30 days before it begins processing Personal Data. The Customer may object to a new Subprocessor on reasonable data-protection grounds; if the parties cannot agree within 15 days, the Customer may terminate the affected service for convenience. Tootela imposes contractual obligations on every Subprocessor that are no less protective than those of this DPA.
8. Assistance with data subject rights
Tootela provides self-service tools (export, edit, delete) that allow the Customer to fulfil most Data Subject requests directly. For requests that require Tootela's support, Tootela will assist the Customer by appropriate technical and organisational measures, taking into account the nature of the processing.
If a Data Subject contacts Tootela directly with a request relating to the Customer's processing, Tootela will redirect the request to the Customer.
9. Personal data breach notification
Tootela notifies the Customer without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data Breach affecting the Customer's data. The notification includes the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
10. International transfers
Personal Data is processed primarily in the European Union (default region: eu-west-3, Paris, France). When Personal Data is transferred outside the EEA, Tootela relies on:
- An adequacy decision under Article 45 GDPR, or
- EU Standard Contractual Clauses (Module 3, Processor-to-Processor, for transfers to Subprocessors) approved by Commission Implementing Decision (EU) 2021/914, supplemented by appropriate technical and organisational measures (encryption, pseudonymisation, access controls).
The SCCs are incorporated by reference. For transfers to its non-EEA Subprocessors, Tootela acts as data exporter and the Subprocessor as data importer under Module 3.
11. Audit rights
Tootela makes available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR. Audits are usually satisfied by:
- This Security page, kept current
- Tootela's third-party audit reports (e.g. SOC 2, when available) under NDA
- Written responses to the Customer's reasonable security questionnaires
If those resources are insufficient, the Customer may request an on-site audit, conducted at the Customer's expense, on at least 30 days' written notice, at most once per year, during business hours, and subject to mutually agreed scope and confidentiality.
12. Return and deletion of data
On termination of the subscription, the Customer can export all Customer Content using the in-app export tools. Within 30 days of termination, Tootela deletes all Customer Personal Data from its production systems, except as required for legal retention (e.g. billing records). Backups are overwritten on rotation within 35 days.
13. Liability
The liability provisions of the Terms of Service apply equally to this DPA. Nothing in this DPA limits or excludes liability that cannot be excluded under applicable law.
Annex A: Description of the processing
Subject matter
Provision of the Tootela business operating system (chat, mail, calendar, documents, drive, projects, CRM, helpdesk, HR, AI assistant and related features).
Nature and purpose
Hosting, storing, transmitting, displaying, indexing, searching, processing and protecting Customer Content as configured by the Customer in their workspace.
Duration
For the duration of the Customer's subscription, plus 30 days for export, plus up to 35 days for backup rotation.
Categories of Data Subjects
- The Customer's employees and contractors
- The Customer's clients, prospects and contacts
- Job applicants (if the Customer uses the recruitment app)
- Any other Data Subjects whose Personal Data the Customer chooses to process via Tootela
Categories of Personal Data
- Identification data (name, email, phone, role)
- Professional data (employer, title, department)
- Communications content (messages, emails, documents, comments, files)
- Activity data (calendar events, tasks, deals, tickets)
- Authentication data (hashed passwords, MFA seeds, session tokens)
- Technical data (IP, browser, device, logs)
- Special categories of data: only if the Customer chooses to upload them; Tootela does not require special-category data
Annex B: Technical and organisational measures
The current TOMs are documented on the Security page and incorporated here by reference. Headline controls:
- TLS 1.2+ in transit; AES-256 at rest
- bcrypt password hashing; MFA available; SSO on Enterprise
- Row-level security at the database level for tenant isolation
- Production access limited, audited, MFA-required
- Daily encrypted backups, 35-day retention, point-in-time recovery
- Documented incident response process with 48h breach notification
- Dependency scanning, code review, automated CI security checks
- Vendor security review for every Subprocessor
Annex C: List of Subprocessors
Updated whenever this list changes; the current Subprocessors are:
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | EU (Paris) |
| Vercel Inc. | Application hosting, CDN, edge compute | Global edge |
| Stripe Inc. | Payment processing | Ireland (EU) + USA |
| Resend Inc. | Transactional email delivery | USA (with EU SCCs) |
| Google LLC | Generative AI (Gemini API) for the AI assistant (opt-in only) | USA (with EU SCCs) |
| Anthropic PBC | Generative AI fallback (opt-in only) | USA (with EU SCCs) |