
Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Tellus EHS ("Tellus," "we," "us") and the customer organization ("Customer," "you") that has accepted the Agreement and uses the Tellus EHS Platform (the "Service").

This DPA applies when, in providing the Service, Tellus processes Personal Data on Customer's behalf. It is designed to satisfy the contractual requirements of (i) the EU General Data Protection Regulation 2016/679 ("GDPR"), (ii) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), (iii) the Swiss Federal Act on Data Protection ("FADP"), and (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), to the extent those laws apply to Customer's use of the Service.

To execute this DPA, an authorized signatory of Customer may countersign by emailing dpa@tellusehs.com with the company name, signatory name and title, and date. Tellus will return a countersigned copy. Customers who use the Service without signing this DPA are nevertheless protected by the obligations set out below to the extent applicable laws require.

If anything in this DPA conflicts with the Agreement, this DPA controls with respect to the processing of Personal Data. In all other respects, the Agreement remains in full force.


1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in the applicable Data Protection Law.

  • "Affiliate" means any entity that controls, is controlled by, or is under common control with a party.
  • "Customer Data" has the meaning given in the Agreement.
  • "Customer Personal Data" means Personal Data contained within Customer Data that Tellus processes on Customer's behalf in providing the Service.
  • "Data Protection Law" means all data-protection and privacy laws applicable to a party's processing of Customer Personal Data under this DPA, including the GDPR, UK GDPR, FADP, and CCPA.
  • "Data Subject Request" means a request by a Data Subject to exercise any right under Data Protection Law (including access, deletion, correction, portability, restriction, objection, opt-out of sale/sharing, and limit-use-of-sensitive-PI).
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Tellus or a Subprocessor.
  • "Standard Contractual Clauses" or "SCCs" means the clauses annexed to European Commission Decision 2021/914 of 4 June 2021 (Modules 2 and 3, as applicable), as supplemented for the UK by the UK Information Commissioner's International Data Transfer Addendum ("UK Addendum") and for Switzerland by the FDPIC's adaptations.
  • "Subprocessor" means any third-party processor engaged by Tellus to process Customer Personal Data in connection with the Service.
  • The terms "Controller," "Processor," "Personal Data," "Processing," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR. The terms "Business," "Service Provider," "Sale," "Share," "Personal Information," and "Consumer" have the meanings given in the CCPA.

2. Roles and scope

2.1. Roles. For Customer Personal Data, Customer is the Controller (or Business, under CCPA) and Tellus is the Processor (or Service Provider, under CCPA). Where Customer acts on behalf of another organization (for example, a Tellus consultant customer servicing its own client), Customer warrants that it has the legal basis and contractual authority to instruct Tellus's processing for that other organization.

2.2. Tellus as Controller. Tellus acts as an independent Controller for a limited set of data necessary to operate the Service as a business — including account billing and contact details, product-usage telemetry, security and audit logs, and aggregated, de-identified analytics. Tellus's processing of that data is governed by the Privacy Policy, not this DPA.

2.3. Scope of processing. Tellus will process Customer Personal Data only to: (a) provide, secure, and maintain the Service; (b) carry out Customer's documented instructions (the Agreement, configurations Customer makes in the Service, and any further written instructions Customer gives that Tellus accepts in writing); (c) comply with applicable law; and (d) as set out in Annex I.

2.4. Customer's instructions. Customer's use of the Service constitutes complete documented instructions for Tellus's processing of Customer Personal Data. Tellus will notify Customer if, in its opinion, an instruction violates Data Protection Law (without obligation to actively monitor compliance with laws applicable to Customer).


3. Customer obligations

3.1. Lawful basis. Customer is responsible for the accuracy, quality, and legality of Customer Personal Data, the means by which it was collected, and Customer's lawful basis for processing it (including obtaining all necessary consents and notices from Data Subjects).

3.2. Sensitive data. Customer is responsible for determining what data is appropriate to enter into the Service. Customer must not submit Customer Personal Data that is regulated as "special categories of personal data" under GDPR Article 9 (e.g., health data, biometric data, data revealing racial or ethnic origin), Personal Health Information regulated by HIPAA, payment-card data subject to PCI DSS, or government-issued identification numbers (Social Security, driver's license, passport), except where: (a) the Service is designed to accept that data; (b) Customer has the legal basis to do so; and (c) Customer has notified Tellus in writing and accepted any additional terms Tellus requires for that data category.

3.3. Access controls. Customer is responsible for configuring user roles, permissions, sites, and tenancy boundaries within the Service to enforce its own access-control policies, and for promptly deactivating Authorized User accounts when they no longer require access.


4. Confidentiality of personnel

Tellus will ensure that any person (including employees and contractors) authorized to process Customer Personal Data is bound by appropriate confidentiality obligations, whether by contractual agreement or statutory duty, and that access is limited to personnel who need it to perform their role.


5. Security

5.1. Security measures. Tellus will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described in Annex II.

5.2. Updates. Tellus may update its security measures from time to time. Any update will not materially diminish the overall level of protection of Customer Personal Data.

5.3. State of the art. The parties acknowledge that security is a process, not a state — Tellus will take into account the state of the art, the cost of implementation, and the nature, scope, context, and purpose of processing, as required by GDPR Article 32.


6. Subprocessors

6.1. General authorization. Customer provides general written authorization for Tellus to engage Subprocessors, subject to this Section.

6.2. List of Subprocessors. The current list of Subprocessors engaged by Tellus is published at docs.tellusehs.com/legal/subprocessors ("Subprocessor Page") and forms Annex III to this DPA.

6.3. Notice of changes. Tellus will provide notice of new or replacement Subprocessors by updating the Subprocessor Page at least thirty (30) days before the new Subprocessor begins processing Customer Personal Data. Customer may subscribe to change notifications by emailing dpa@tellusehs.com. The thirty-day notice period may be reduced where prompt engagement of a Subprocessor is required to remediate a security incident or to comply with applicable law.

6.4. Objection. Within the thirty-day notice period, Customer may object in writing to a new Subprocessor on reasonable data-protection grounds. The parties will work in good faith to address Customer's objection. If the parties cannot resolve the objection within thirty (30) days of Tellus's receipt of it, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience and receive a pro-rata refund of fees prepaid for the unused period.

6.5. Flow-down. Tellus will enter into a written contract with each Subprocessor that imposes data-protection obligations on the Subprocessor that are no less protective of Customer Personal Data than this DPA, including the obligations applicable under GDPR Article 28(3) where applicable. Tellus remains liable to Customer for the acts and omissions of its Subprocessors to the same extent it would be liable for its own acts and omissions under this DPA.


7. Data Subject Requests

7.1. Routing. The Service includes features that allow Customer to access, correct, delete, and export Customer Personal Data within its workspace. Customer is responsible for responding to Data Subject Requests using those features.

7.2. Assistance. Where Customer cannot fulfill a Data Subject Request using the Service's self-service features, Tellus will provide reasonable assistance — taking into account the nature of the processing — to enable Customer to respond within the timelines required by Data Protection Law. Tellus may charge a reasonable fee for assistance beyond what is reasonably foreseeable.

7.3. Direct requests. If Tellus receives a Data Subject Request directly from a Data Subject who is a User of Customer's workspace, Tellus will, without undue delay, forward the request to Customer and will not respond to the Data Subject directly except to acknowledge receipt and refer the Data Subject back to Customer.


8. Personal Data Breach notification

8.1. Notice. Tellus will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

8.2. Contents of notice. The notice will describe, to the extent then known: (a) the nature of the breach, including categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) a contact point for further information.

8.3. Ongoing updates. Where information is not all available at the time of the initial notice, Tellus will provide it in good faith as soon as reasonably practicable thereafter.

8.4. No admission. A notice under this Section is not an admission of fault, liability, or violation of Data Protection Law.

8.5. Cooperation. Tellus will reasonably cooperate with Customer's investigation, notification to Supervisory Authorities or Data Subjects, and remediation of the breach.


9. Deletion or return of Customer Personal Data

9.1. On termination. Following termination or expiration of the Agreement, Tellus will, at Customer's election made within thirty (30) days of termination, either: (a) return Customer Personal Data to Customer in a commonly used machine-readable format via the Service's export functionality; or (b) delete Customer Personal Data from active production systems.

9.2. Default. If Customer does not make an election within the thirty-day window, Tellus will delete Customer Personal Data from active production systems.

9.3. Backups. Backup copies of Customer Personal Data may persist in encrypted, time-limited backup snapshots in the ordinary course of Tellus's backup-and-retention schedule and will be overwritten in accordance with that schedule (typically within 35 days of deletion from active systems). During that retention period, Tellus will not actively process those backups except as required to restore the Service after an incident.

9.4. Legal hold. Tellus may retain Customer Personal Data to the extent required by applicable law or to defend or assert legal claims, in which case Tellus will isolate and protect that data and process it only for the purpose of compliance with the legal obligation.


10. Demonstrations of compliance and audits

10.1. Documentation. Tellus will make available to Customer information reasonably necessary to demonstrate Tellus's compliance with this DPA, including its current security-program summary, subprocessor list, and (when available) third-party certifications or audit reports (e.g., SOC 2). Customer may request these by emailing security@tellusehs.com.

10.2. Audits. To the extent the foregoing is not sufficient to satisfy Customer's audit obligations under GDPR Article 28(3)(h) or equivalent Data Protection Law, Customer may request an audit of Tellus's processing operations relevant to this DPA, subject to the following:

(a) the request must be in writing with at least sixty (60) days' advance notice; (b) audits will be conducted no more than once per twelve (12) month period (except where there has been a confirmed Personal Data Breach or where required by a Supervisory Authority); (c) audits will be limited to information reasonably necessary to verify Tellus's compliance with this DPA and will not disclose information of other Tellus customers, source code, or commercially sensitive information; (d) Customer will bear all costs of the audit, including Tellus's reasonable time and expenses; (e) audits will be conducted during normal business hours and in a manner that minimizes disruption to the Service; and (f) any auditor must be bound by appropriate confidentiality obligations and must not be a competitor of Tellus.


11. International data transfers

11.1. Primary processing location. Customer Personal Data is primarily stored and processed in the United States. The current locations of Subprocessor processing are listed on the Subprocessor Page.

11.2. SCCs (EU). Where Customer transfers Customer Personal Data subject to the GDPR from the European Economic Area to Tellus in a country that has not been the subject of an adequacy decision, the EU Standard Contractual Clauses (Module 2: Controller to Processor; or Module 3: Processor to Sub-processor, as applicable) are incorporated by reference into this DPA, with the following selections:

  • Clause 7 (Docking): Optional Docking Clause does not apply.
  • Clause 9 (Subprocessors): Option 2 (general written authorization) applies; the timing of advance notice for changes is thirty (30) days, consistent with Section 6.3.
  • Clause 11 (Redress): Optional independent dispute resolution language does not apply.
  • Clause 17 (Governing law): The laws of Ireland.
  • Clause 18 (Forum and jurisdiction): The courts of Ireland.
  • Annex I.A (List of Parties): Customer is the data exporter; Tellus is the data importer. Contact details: each party's notice address under the Agreement, with privacy contact for Tellus at dpa@tellusehs.com.
  • Annex I.B (Description of transfer): As set out in Annex I to this DPA.
  • Annex I.C (Competent supervisory authority): The supervisory authority of the EU member state where the data exporter is established (or, where the data exporter is outside the EEA, the supervisory authority of the EEA member state where Data Subjects whose Personal Data is transferred are located).
  • Annex II (Technical and organizational measures): As set out in Annex II to this DPA.
  • Annex III (Subprocessors): As listed on the Subprocessor Page.

11.3. UK transfers. Where Customer transfers Customer Personal Data subject to the UK GDPR, the UK Addendum to the EU SCCs is incorporated by reference, with Table 1 populated by the same parties as the SCCs, Table 2 selecting the Approved EU SCCs in their entirety (Modules 2 or 3 as applicable), and Table 3 selecting the Annexes set out in this DPA. For Table 4 (ending the Addendum when the Approved Addendum changes), neither party may end the Addendum upon a change to the Approved Addendum.

11.4. Swiss transfers. Where Customer transfers Customer Personal Data subject to the FADP, the EU SCCs apply with the following adaptations: (a) references to the GDPR are deemed to include the FADP; (b) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) for FADP-only transfers, or both the FDPIC and the EU supervisory authority for dual-regime transfers; and (c) until the entry into force of the revised FADP, the term "Member State" includes Switzerland.

11.5. Alternative mechanisms. If a Supervisory Authority, court, or legislature determines that the SCCs (or UK Addendum, or Swiss adaptations) are no longer a valid transfer mechanism, the parties will cooperate in good faith to implement an alternative lawful transfer mechanism.


12. CCPA / CPRA service-provider provisions

This Section applies to Customer Personal Data that constitutes Personal Information under the CCPA. Where this Section conflicts with another Section of this DPA, this Section controls with respect to CCPA Personal Information.

12.1. Service Provider role. Tellus is a Service Provider to Customer (the Business) under the CCPA. Customer does not sell or share Personal Information to Tellus in exchange for monetary or other valuable consideration.

12.2. Permitted purposes. Tellus will process Personal Information solely for the "Business Purposes" set forth in the Agreement and this DPA — namely, to provide the Service. Tellus will not:

(a) Sell or Share (as those terms are defined under the CCPA) the Personal Information; (b) Retain, use, or disclose the Personal Information for any purpose other than the Business Purposes specified in the Agreement, including for any commercial purpose other than providing the Service; (c) Retain, use, or disclose the Personal Information outside of the direct business relationship between Customer and Tellus; or (d) Combine Personal Information received from Customer with Personal Information that Tellus receives from other sources, except as expressly permitted by the CCPA (e.g., for security, fraud prevention, or other purposes authorized by 11 C.C.R. § 7050(b)).

12.3. Certification. By accepting this DPA, Tellus certifies that it understands the restrictions set out in Section 12.2 and will comply with them.

12.4. Compliance. Tellus will notify Customer if it determines that it can no longer meet its CCPA Service-Provider obligations. Customer may, on reasonable notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

12.5. Sub-service-providers. Subprocessors engaged under Section 6 of this DPA are Customer's "Service Providers" or "Contractors" under the CCPA, and Tellus will flow down the obligations of this Section to them.

12.6. Sensitive Personal Information. Tellus will not use Sensitive Personal Information for any purpose other than the limited purposes set out at 11 C.C.R. § 7027(m).


13. Liability

Each party's total aggregate liability arising out of or related to this DPA — whether in contract, tort, or otherwise — is subject to, and forms part of, the limitations of liability set forth in the Agreement. Where the SCCs apply, nothing in the Agreement or this DPA limits liability to Data Subjects or Supervisory Authorities to the extent the SCCs do not permit limitation.


14. Order of precedence

In the event of a conflict between this DPA, the Agreement, and the SCCs (where they apply): (a) the SCCs prevail with respect to Personal Data transferred from the EEA, UK, or Switzerland under the SCCs; (b) this DPA prevails with respect to all other processing of Customer Personal Data; and (c) the Agreement prevails as to all other matters.


15. Term, modification, and termination

15.1. Term. This DPA takes effect on the later of (a) the Effective Date set out at the top of this page or (b) the date Customer first uses the Service, and continues for as long as Tellus processes Customer Personal Data on Customer's behalf.

15.2. Modification. Tellus may update this DPA from time to time. If a change materially reduces Customer's rights or Tellus's obligations under this DPA, Tellus will notify Customer at least thirty (30) days in advance via email to the account's primary contact and via the Service. Customer's continued use of the Service after the effective date of the updated DPA constitutes acceptance.

15.3. Survival. Sections 8 (Breach notification — for breaches occurring before termination), 9 (Deletion / return), 13 (Liability), and 14 (Order of precedence), together with any Annexes referenced by those Sections, survive termination of this DPA.


16. Contact


Annex I — Description of processing

A. Parties

Data Exporter (Controller)

  • Name: Customer (as identified in the Agreement)
  • Contact: Account primary contact and any privacy contact identified by Customer
  • Activities relevant to data transfer: Use of the Service as a Controller for its own EHS / HazCom compliance program
  • Role: Controller

Data Importer (Processor)

  • Name: Tellus EHS
  • Contact: dpa@tellusehs.com
  • Activities relevant to data transfer: Provision of the Service
  • Role: Processor

B. Categories of Data Subjects

Customer's employees, contractors, consultants, students, trainees, and other Authorized Users whose Personal Data Customer chooses to submit to the Service.

C. Categories of Personal Data

  • Identification and contact data: full name, work email address, phone number, job title, role assignment, site assignment.
  • Authentication data: hashed passwords, JWT session tokens, login timestamps, IP addresses for security logging.
  • Workplace / compliance data: chemical inventory entries, training records and certifications, HazCom plan attribution, audit-log actor identifiers, e-signature attestations.
  • Customer-uploaded content that may incidentally contain Personal Data (e.g., names embedded in SDS documents, photos of labels, training-completion certificates).

D. Sensitive Data

The Service is not designed to receive special categories of Personal Data, PHI, payment-card data, or government-issued identification numbers. Customer must not submit such data unless expressly authorized in writing by Tellus.

E. Frequency of transfer

Continuous, for the duration of the Agreement.

F. Nature of processing

Collection, storage, structuring, retrieval, use (including AI-assisted content generation), disclosure to Subprocessors, transmission, deletion.

G. Purpose of transfer

To provide, secure, and maintain the Service as described in the Agreement.

H. Retention

Customer Personal Data is retained for the duration of the Agreement and for the limited periods after termination described in Section 9. Backups follow the schedule described in Section 9.3.

I. Transfers to Subprocessors

See Section 6 and the Subprocessor Page (Annex III).


Annex II — Technical and organizational measures

1. Confidentiality, integrity, availability, and resilience of processing systems

  • All Customer Personal Data is encrypted in transit using TLS 1.2 or higher.
  • All Customer Personal Data at rest is stored in managed PostgreSQL clusters with encryption-at-rest enabled by the cloud provider (DigitalOcean managed PostgreSQL), and in object storage (AWS S3) with server-side encryption (AES-256).
  • Passwords are never stored in plaintext; authentication is delegated to Supabase Auth, which applies industry-standard password hashing (bcrypt).
  • Production infrastructure is hosted on hardened cloud platforms (DigitalOcean, AWS) that maintain SOC 2 / ISO 27001 certifications for the underlying environment.
  • Access to production systems is restricted to a small number of named administrators, requires multi-factor authentication, and is logged.

2. Pseudonymization and encryption

  • All sensitive identifiers used in URLs (such as resource IDs) are UUIDs, not sequential integers.
  • AI inference requests sent to Subprocessors (Anthropic, OpenAI, Perplexity) transmit only the minimum content necessary and are not used to train Subprocessors' general models.

3. Ability to restore availability and access after an incident

  • Production databases are backed up by the cloud provider on a continuous basis with point-in-time recovery for the most recent rolling window.
  • Tellus performs application-level snapshots in addition to provider backups.

4. Process for regularly testing, assessing, and evaluating effectiveness

  • Tellus monitors application and infrastructure logs via Sentry and the cloud provider's native observability tooling.
  • Security-relevant code changes are reviewed before deployment.
  • Tellus reviews this DPA and its security posture at least annually.

5. Identification and authorization

  • All Authorized Users authenticate via Supabase Auth with email and password, with email-verification required.
  • Multi-company users (e.g., consultants) maintain a single identity with role assignments per company; cross-company access is blocked at the application layer by company-scoped queries on every request.
  • Customer is responsible for managing its own role assignments, deactivating users who no longer need access, and enforcing its own password and session-management policies through the configuration options the Service exposes.

6. Data minimization

  • The Service collects only the data needed to provide the contracted functionality.
  • Logs and telemetry are retained for limited periods consistent with the Privacy Policy.

7. Data quality

  • Customer controls the accuracy of Customer Data through the Service's editing, review, and approval workflows.

8. Limited data retention

  • See Section 9 of this DPA and the Privacy Policy retention table.

9. Accountability

  • The Service includes audit logs of safety-critical actions (plan approvals, training assignments, e-signatures, consent acceptance) attributable to a specific Authorized User.

10. Portability and erasure

  • The Service provides export functionality in commonly used formats (CSV, PDF) for the major data categories Customer manages.
  • Customer may delete records using the Service's UI; deletions propagate per the retention rules described in Section 9.

Annex III — Subprocessors

The current list of Subprocessors is published and maintained at docs.tellusehs.com/legal/subprocessors and is incorporated by reference into this DPA as Annex III.


This DPA does not require Customer's signature to be effective for purposes of the protections it provides. Customers that require a countersigned copy for their procurement records may obtain one by emailing dpa@tellusehs.com.