Data Processing Addendum (DPA)

Last updated: August 15, 2025 • Talos Automata, Inc.

This DPA forms part of the agreement between Talos Automata, Inc. ("Spec") and the customer who accepts the Spec Terms of Service (the "Customer"). It reflects the parties' agreement regarding the processing of Customer Personal Data under Data Protection Laws.

1. Definitions

"Customer Personal Data" means personal data processed by Spec on behalf of the Customer through the Service. "Data Protection Laws" includes GDPR/UK GDPR and CPRA. "SCCs" means the Standard Contractual Clauses (and UK Addendum/IDTA as applicable). Other capitalized terms have the meanings in the Terms.

2. Roles and Scope

  • Roles: Customer is the controller; Spec is the processor (service provider) for Customer Personal Data processed through the Service. Spec is an independent controller for account, billing, and telemetry data.
  • Subject matter and duration: Processing for the duration of Customer's use of the Service until deletion.
  • Nature and purpose: Provision of AI assistance and automation features requested by Customer.
  • Data subjects: Individuals whose data is included in Customer's connected accounts and inputs.
  • Types of personal data: Content from authorized sources, identifiers, and necessary metadata.

3. Processor Obligations

  • Process only on documented instructions from Customer.
  • Ensure confidentiality of personnel with access.
  • Implement appropriate technical and organizational security measures.
  • Use sub‑processors per the Sub‑processor Registry; impose equivalent data protection obligations and remain responsible.
  • Use SCCs and lawful mechanisms for international transfers.
  • Assist with data subject requests and compliance considering the nature of processing.
  • Notify Customer without undue delay of any personal data breach involving Customer Personal Data.
  • Delete or return Customer Personal Data upon termination or request unless law requires retention.

4. Customer Obligations

  • Ensure lawful basis and necessary notices/consents for processing.
  • Configure the Service to meet compliance requirements, including permissions and integrations.

5. No Training on API Data; Limited Provider Logs

No training on API data: Spec will not permit LLM providers to use Customer Personal Data sent via API to train public models.

Limited provider logs: Providers may retain operational logs (often up to 30 days) for abuse/fraud detection and reliability. This is separate from training.

6. Audits and Certifications

Upon request, Spec will provide information reasonably necessary to demonstrate compliance, including summaries of security measures and third‑party audit reports where available. Audits are limited to once per year and must protect confidentiality and security.

7. Liability

The limitations and exclusions of liability in the Terms apply to this DPA.

8. Miscellaneous

In case of conflict between this DPA and the Terms, this DPA controls with respect to processing of Customer Personal Data. This DPA is governed by the governing law specified in the Terms.

Annex I – Details of Processing

See Sections 2 and 5.

Annex II – Technical and Organizational Measures

  • Access controls and least privilege
  • Encryption in transit and at rest for any cloud components
  • Key management and secret rotation
  • Logging and monitoring
  • Vulnerability management and patching
  • Secure development lifecycle
  • Incident response and post‑incident reviews
  • Regular security reviews and employee training

Annex III – Sub‑processors

See the Spec Sub‑processor Registry for the current list and purposes.

Annex IV – International Transfers

  • EU SCCs (Controller‑to‑Processor, Module Two)
  • UK IDTA or UK Addendum to EU SCCs
  • Swiss FDPIC clauses applied mutatis mutandis

Contact: support@withspec.com