tells · DPA template
Data Processing Agreement for white-label and B2B customers. vøiddo as data processor; you (the practitioner / practice / enterprise customer) as data controller; tells AI v1.0 as sub-processor.
1. Definitions
Capitalised terms have the meaning given in the GDPR (Regulation (EU) 2016/679) and CCPA (Cal. Civ. Code §1798.100 et seq.) where applicable. The defined terms used here:
| Term | Meaning in this DPA |
|---|---|
| Controller | You — the practitioner, practice, or enterprise customer who determines the purposes and means of processing your clients' personal data. |
| Processor | voiddo (legal business name; doing business as "vøiddo") — operating the tells service, processing personal data on the Controller's instructions. |
| Sub-processor | A processing service engaged by vøiddo to process personal data on the Controller's behalf — currently tells AI v1.0 inference infrastructure for analysis processing. Full list at sub-processors. |
| Personal Data | Any data submitted via the tells service that relates to an identified or identifiable natural person — including the text content of messages, profile excerpts, drafts, or any tracked-person labels you assign. |
| Data Subject | The natural person to whom Personal Data relates — typically the Controller's client, the third party whose communications are being analyzed, or the Controller themselves. |
| Processing | Any operation performed on Personal Data — collection, storage, transmission to the AI sub-processor, generation of analysis output, deletion. |
| Service | The tells application and any white-label embedding (WordPress shortcode, raw iframe, subdomain CNAME) provided to the Controller. |
2. Subject matter and scope of processing
vøiddo processes Personal Data on behalf of the Controller solely to deliver the tells Service: receive submitted text, process it through tells AI v1.0 under the Controller's account, return the structured analysis output, and (where the Controller has opted in to Patterns mode for their own account) store encrypted snapshots for diff-over-time analysis.
Processing is limited to:
- Receipt and transmission of input text submitted via the Service.
- Processing through tells AI v1.0 inference infrastructure under enterprise data-protection terms.
- Structured-output generation, validation, and return to the Controller's UI.
- Storage of analysis records as configured by the Controller's plan (default 90-day hard-purge; opt-in extended retention up to 12 months for eligible Pro / Forensic tiers).
- Operational metadata (timestamps, token counts, cost ledger entries) — never the content itself.
3. Categories of Data Subjects and Personal Data
| Category | Examples |
|---|---|
| Controller's clients | Text messages, written communications, profile excerpts, voice-coach drafts the Controller submits on behalf of clients. |
| Third parties referenced in submitted content | Names, written quotes, contextual references inside submitted content. |
| The Controller themselves | Email, account credentials, plan tier, billing-cycle counters, signup IP. |
tells is text-only. Voice recordings, video, biometric data, geolocation, device fingerprints, and government-issued identifiers are out of scope and will be rejected at the input layer if accidentally submitted.
4. Duration of processing
Processing continues for the duration of the Controller's active subscription. On termination, all Personal Data is deleted under §8 below within 30 days, except where retention is required by law (financial records related to billing).
5. Security measures
vøiddo implements technical and organisational measures appropriate to the risk, including:
- Encryption in transit: TLS 1.3 with HSTS preload on every endpoint.
- Encryption at rest: AES-256-GCM for opt-in retention data, with per-user HKDF-derived keys and AAD context binding. The master encryption key is held in environment-variable scope, separate from the database. Detailed spec at github.com/voidd0/tells-encryption-spec.
- Access control: Production database access is audited. No engineer reads raw user content in normal operations; encrypted fields are opaque without the per-user key derivation chain.
- Authentication: bcrypt password hashing (cost 12), JWT session tokens, refresh-token rotation, lockout after failed-login threshold.
- Network security: Strict CORS allowlist, security headers (X-Frame-Options, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), rate limiting at both Nginx and application layers.
- Logging discipline: Logs use hashed identifiers; no plaintext content in application or access logs.
- Cryptographic deletion: Account deletion destroys the per-user HKDF salt, rendering any retained ciphertext unrecoverable. An audit-log entry records the deletion timestamp and a non-reversible proof fingerprint.
- Independent audit: Within 90 days of public launch, an external freelance security auditor verifies these controls. Annual audits maintain the trust signal.
The full threat model is published at /legal/threat-model with both threats addressed and threats explicitly out of scope.
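For illustration, the encryption-at-rest and cryptographic-deletion controls listed above can be sketched as follows. This is an added example, not vøiddo's code and not part of the agreement. The choice of HKDF-SHA256, the `snapshot-v1` info label, the AAD layout, the in-memory salt table and all function names are assumptions; the authoritative design is the published encryption spec.

```javascript
// Added illustration only. HKDF-SHA256, the info label, the AAD layout
// and the record shape are assumptions, not taken from the tells spec.
const crypto = require('node:crypto');

const MASTER_KEY = crypto.randomBytes(32); // constructed; would come from the environment
const salts = new Map();                   // stand-in for the per-user salt table

function userKey(userId) {
  const salt = salts.get(userId);
  if (!salt) throw new Error('salt destroyed: key cannot be re-derived');
  // HKDF(master key, per-user salt, info) -> 32-byte AES-256 key
  return Buffer.from(crypto.hkdfSync('sha256', MASTER_KEY, salt, 'snapshot-v1', 32));
}

// AAD binds a ciphertext to its owner and row so it cannot be moved elsewhere.
const aad = (userId, rowId) => Buffer.from(`${userId}|${rowId}`);

function encrypt(userId, rowId, plaintext) {
  if (!salts.has(userId)) salts.set(userId, crypto.randomBytes(32));
  const iv = crypto.randomBytes(12);       // fresh 96-bit nonce per record
  const c = crypto.createCipheriv('aes-256-gcm', userKey(userId), iv);
  c.setAAD(aad(userId, rowId));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decrypt(userId, rowId, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', userKey(userId), rec.iv);
  d.setAAD(aad(userId, rowId));
  d.setAuthTag(rec.tag);
  // final() throws if the tag, key or AAD does not match
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// Cryptographic deletion: drop the salt; retained ciphertext becomes unreadable.
function cryptoDelete(userId) { return salts.delete(userId); }

function tryDecrypt(userId, rowId, rec) {
  try { return decrypt(userId, rowId, rec); } catch { return null; }
}

function demo() {
  const rec = encrypt('u1', 'row-7', 'constructed sample snapshot');
  const ok = tryDecrypt('u1', 'row-7', rec);          // round-trips
  const moved = tryDecrypt('u1', 'row-8', rec);       // AAD mismatch
  cryptoDelete('u1');
  const afterDelete = tryDecrypt('u1', 'row-7', rec); // salt gone
  return { ok, moved, afterDelete };
}
```

The deletion guarantee holds only if every copy of the salt is destroyed: a database backup that still contains the salt keeps the ciphertext recoverable to anyone who also holds the master key.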
6. Sub-processors
The complete list of sub-processors and their roles is published at /legal/sub-processors. By acknowledging this DPA, the Controller authorises the engagement of those sub-processors. Material additions (any vendor that would receive content) are notified by email at least 30 days in advance, with the Controller's right to terminate without penalty during the notice period.
vøiddo flows down the obligations of this DPA to each sub-processor by contract. Where a sub-processor's terms include their own DPA (vøiddo AI infrastructure DPA, Paddle DPA, Sentry DPA), those apply in addition.
7. Data Subject rights
Where Data Subjects exercise rights under GDPR Articles 15–22 or CCPA §1798.100 et seq., vøiddo will assist the Controller within reasonable means and timelines:
- Right of access (Art. 15 / §1798.110): One-click "Export my data" in account settings produces a JSON export of all stored data.
- Right to erasure (Art. 17 / §1798.105): One-click "Delete my account" performs hard deletion + cryptographic deletion as described in §5.
- Right to rectification (Art. 16): Controller and Data Subjects can edit identifying account fields directly.
- Right to data portability (Art. 20): Export format is structured JSON suitable for reuse.
- Right to object (Art. 21): Patterns mode is opt-in; switching it off triggers immediate purge of all snapshot rows.
Where a Data Subject contacts vøiddo directly with a rights request relating to the Controller's account, vøiddo will refer the request to the Controller and will not action it without the Controller's instruction (except where required by law).
8. Deletion / return of Personal Data
On termination of the Controller's subscription, or on instruction from the Controller, vøiddo will:
- Hard-delete the Controller's account and all rows linked by foreign key (analyses, snapshots, tracked persons, refresh tokens, feedback, embed-license records).
- Perform cryptographic deletion of any opt-in retention data — destroying the per-user HKDF salt — within 24 hours of the deletion request.
- Issue an audit-log entry recording the deletion timestamp + the non-reversible proof fingerprint.
- Retain billing records (invoices, Paddle transaction IDs) for the period required by tax law, segregated from personal data.
9. Audits and information rights
The Controller may, with 30 days' written notice and no more than once per twelve-month period, request a written summary of vøiddo's most recent independent security audit and a confirmation that the controls in §5 are in effect. On-site audits are not offered as the production environment is a small VPS deployment without visitor facilities; the published threat model + audit summary are intended to substitute.
10. International transfers
Personal Data may be transferred to Google's data centres in the US or EU during AI processing. Such transfers rely on the Standard Contractual Clauses incorporated by reference in the vøiddo AI infrastructure DPA. The Controller acknowledges and authorises this transfer at acknowledgement of this DPA.
11. Term and termination
This DPA takes effect at the timestamp recorded for the Controller's clickwrap acknowledgement and remains in effect for the duration of the underlying tells subscription. On termination, §8 (deletion) applies. The obligations in §5 (security), §7 (data subject rights — for the period any data is still being deleted), and §10 (international transfers — for in-flight requests) survive termination.
12. Liability
vøiddo's aggregate liability under this DPA is capped at twelve (12) months of fees paid by the Controller for the Service in the period preceding the event giving rise to liability. This cap does not apply to: (a) breaches of confidentiality, (b) gross negligence, (c) wilful misconduct, or (d) liability that cannot be limited under applicable law (including statutory data protection liability under GDPR Art. 82 to the extent it cannot be limited).
13. Conflicts
If this DPA conflicts with the Terms of Service or the Privacy Policy, the DPA controls for matters of personal-data processing.
14. Governing law and venue
This DPA is governed by the laws of Israel. The Controller's local data-protection authority retains jurisdiction over Data Subject rights complaints under GDPR.
15. Contact
For DPA acknowledgement records, sub-processor change notices, audit summary requests, or data subject coordination: support@voiddo.com.