Data Processing Agreement

Effective: 2026-05-30

This Data Processing Agreement ("DPA") supplements the Terms of Service for business customers who process personal data of third parties using the Service. It satisfies the requirements of Article 28 of the EU General Data Protection Regulation (GDPR). It is incorporated by reference into your Terms of Service the moment you accept those Terms.

1. Parties

Processor: VICTUM GROUP, s. r. o., IČO 47077662, Stropkovská 3, 821 03 Bratislava, Slovakia.

Controller: the Customer entity that holds the account, as identified by the agency name and billing details on record.

2. Subject matter and duration

We process personal data on the Controller's behalf for the sole purpose of delivering the Tellsign service as described in the Terms of Service, for the duration of the account, plus up to 30 days for return/deletion after termination.

3. Nature and purpose of processing

The Service:

  • discovers publicly available information about local businesses from third-party sources (Google Places, Meta Ad Library, public websites);
  • performs automated audits and scoring of those businesses on the Controller's instruction;
  • stores Controller-generated content such as campaigns, notes, and outreach drafts;
  • optionally transmits AI-generated draft outreach to the Controller via a third-party LLM provider, only when the Controller's users click "Enhance with AI".

4. Categories of data subjects

  • End users of the Controller (employees, contractors) who hold accounts in the Service.
  • Owners and authorized representatives of local businesses about whom public information is collected as part of audits.
  • Recipients of outreach communications, where the Controller uses the Service to send or draft such communications.

5. Types of personal data

  • Identification: name, email, phone, business name, address.
  • Public business profile: website, ratings, reviews, social media handles, hours, photos.
  • Technical: IP addresses, device data, server logs.
  • Communication: outreach drafts, notes, follow-up status.

6. Our obligations as processor

We will:

  • process personal data only on documented instructions from the Controller (the Terms of Service and configured features constitute the standing instructions);
  • ensure persons authorized to process personal data have committed themselves to confidentiality;
  • implement appropriate technical and organizational measures (see Annex 1);
  • assist the Controller with data-subject rights requests, DPIAs, and consultations with supervisory authorities, at the Controller's reasonable cost;
  • notify the Controller without undue delay (target: within 48 hours) after becoming aware of a personal-data breach;
  • at the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless retention is required by law;
  • make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (see section 9).

7. Sub-processors

The Controller authorizes us to engage sub-processors. The current list is published at /subprocessors. We will notify the Controller of any intended addition or replacement of sub-processors with at least 30 days' notice, during which the Controller may object on reasonable grounds related to data protection.

Each sub-processor is bound by data-protection obligations substantially equivalent to those in this DPA.

8. International transfers

Where personal data is transferred outside the EU/EEA, we ensure an adequate level of protection by means of the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework. The SCCs apply with Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor), as relevant.

9. Audits

The Controller may, no more than once per year and on at least 30 days' written notice, request information necessary to verify our compliance with this DPA. Where the Controller can reasonably evidence that documentation alone is insufficient, we will permit an on-site audit by a mutually agreed independent auditor bound by confidentiality, at the Controller's expense and during normal business hours, minimizing disruption.

10. Liability

Liability under this DPA is subject to the limitations in the Terms of Service, except to the extent such limitations are unenforceable under GDPR (Article 82).

11. Term and termination

This DPA remains in force as long as we process personal data on the Controller's behalf. It terminates automatically with the Terms of Service.

12. Order of precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails on matters of data protection.

Annex 1 — Technical and organizational measures

  • Encryption. TLS 1.2+ in transit; full-disk encryption at rest at the hosting provider.
  • Access control. Least-privilege role-based access; production access limited to named engineers; all production access logged.
  • Authentication. Passwords hashed with bcrypt (cost factor ≥ 10); session cookies are httpOnly + secure + sameSite=lax; OAuth flows use CSRF state tokens.
  • Backups. Encrypted database backups retained for 30 days, restorable to point-in-time.
  • Monitoring. Real-time error tracking and uptime monitoring with alerting.
  • Patching. Security updates to dependencies applied within 30 days of release for critical CVEs.
  • Incident response. Documented procedure; notification of affected Controllers within 48 hours of confirmed breach.
  • Training. All staff with production access complete annual security and privacy training.
  • Vendor management. Sub-processors evaluated for security posture and bound by DPA terms.

How to sign

This DPA takes effect automatically when you accept the Terms of Service and use the Service in a business capacity. If your organization requires a signed copy with both signatures, email [email protected] with your legal entity name, registered address, and signatory details and we'll countersign within 5 business days.