Version 1.0 — March 2026
This DPA follows the structure of the Bonterms Data Protection Addendum v1.0, an open-source template widely used in SaaS. Adapted and pre-filled for Tagmatic's sub-processors and data processing practices.
This Data Processing Addendum ("DPA") supplements the Tagmatic Terms of Service or other written agreement between the parties (the "Agreement") and governs the processing of Customer Personal Data by Tagmatic in connection with the Tagmatic text annotation service (the "Cloud Service").
This DPA is incorporated into, and forms part of, the Agreement. By using the Cloud Service, Customer agrees to the terms of this DPA on behalf of itself and any Affiliates. In the event of a conflict between this DPA and the Agreement on matters of data protection, this DPA shall control.
The parties intend for Tagmatic to act as a Processor (or Service Provider under CCPA) and for Customer to act as a Controller (or Business under CCPA) with respect to Customer Personal Data.
Capitalized terms used but not defined below have the meanings in the Agreement or applicable Data Protection Laws.
"Customer Personal Data" means any Personal Data contained in Customer Data that Tagmatic Processes on behalf of Customer in connection with the Cloud Service.
"Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including (as applicable) the EU GDPR, UK GDPR, CCPA/CPRA, and their implementing regulations.
"GDPR" means the EU General Data Protection Regulation 2016/679.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the CPRA.
"Personal Data" means information that identifies, relates to, or could reasonably be linked to an identified or identifiable natural person (a Data Subject).
"Process" / "Processing" means any operation on Personal Data, including collection, storage, use, disclosure, or deletion.
"Security Incident" means any accidental or unlawful access to, or acquisition, disclosure, alteration, loss, or destruction of, Customer Personal Data.
"Subprocessor" means any third party engaged by Tagmatic to Process Customer Personal Data.
"DPA Effective Date" means the date Customer first accepted this DPA, or the Agreement execution date, whichever is earlier.
This DPA applies to Processing of Customer Personal Data by Tagmatic in the course of providing the Cloud Service, as described in Schedule 1 (Details of Processing).
Customer is the Controller of Customer Personal Data. Tagmatic is the Processor. Where Customer itself acts as a Processor (i.e., Customer processes data on behalf of its own customers), Tagmatic acts as a Subprocessor and the terms of this DPA apply accordingly.
Tagmatic will Process Customer Personal Data only on documented instructions from Customer, as set forth in this DPA, the Agreement, and any other written instructions Customer provides. Tagmatic will promptly inform Customer if, in its opinion, an instruction violates applicable Data Protection Laws.
Tagmatic will not use Customer Personal Data to train, fine-tune, or improve any AI model, including the AI models operated by its Subprocessors (Google Gemini, Anthropic Claude). This restriction applies to Tagmatic directly and is incorporated into Tagmatic's agreements with AI Subprocessors.
Tagmatic will ensure that all personnel authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory).
Tagmatic will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. These measures include, as a minimum, those described in Schedule 2 (Security Measures).
(a) Customer grants general authorization for Tagmatic to engage the Subprocessors listed in Schedule 3 (Subprocessor List) to Process Customer Personal Data for the purposes described therein.
(b) Tagmatic will impose data protection obligations on all Subprocessors that are at least equivalent to those in this DPA, by written agreement.
(c) Tagmatic will notify Customer at least 14 days before adding or replacing a Subprocessor. If Customer objects within 14 days on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If unresolved, Customer may terminate the Agreement upon written notice.
Tagmatic will promptly notify Customer if it receives a request from a Data Subject exercising rights under Data Protection Laws (e.g., access, erasure, portability). To the extent Tagmatic can do so, it will assist Customer in fulfilling such requests. Tagmatic will not respond to Data Subjects directly except on Customer's instructions or as required by law.
Tagmatic will notify Customer without undue delay — and in any event within 72 hours — upon becoming aware of a Security Incident affecting Customer Personal Data. The notice will include (to the extent then known): nature of the incident, categories and approximate number of Data Subjects affected, categories and approximate number of records involved, likely consequences, and measures taken or proposed. Tagmatic will cooperate fully and provide all reasonably requested information to assist Customer in meeting its breach notification obligations.
Tagmatic will, upon reasonable request, provide assistance to Customer in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required under Data Protection Laws.
Tagmatic will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Customer or a mandated third-party auditor, subject to reasonable notice (minimum 30 days), confidentiality obligations, and Tagmatic's reasonable security requirements. Tagmatic may satisfy this obligation by providing current third-party audit reports (e.g., SOC 2) in lieu of a customer-directed audit.
Upon expiration or termination of the Agreement, or upon Customer's written request, Tagmatic will delete or return all Customer Personal Data in its possession within 30 days, unless Tagmatic is required by law to retain such data. Automated backup copies will be purged within 90 days. Tagmatic will certify such deletion in writing upon request.
Customer represents and warrants that it has established all lawful bases under Data Protection Laws necessary to permit Tagmatic to Process Customer Personal Data as contemplated by this DPA and the Agreement, including obtaining all necessary consents from Data Subjects.
Customer is responsible for the accuracy, quality, and lawfulness of Customer Personal Data and the means by which Customer acquired the Personal Data. Customer will provide instructions to Tagmatic that comply with all applicable Data Protection Laws.
Customer is responsible for independently evaluating whether the Cloud Service meets Customer's security requirements and for configuring the Cloud Service in a manner that is appropriate for Customer's use case and data sensitivity.
Tagmatic and its Subprocessors process Customer Personal Data in the United States. Customer acknowledges this transfer as necessary to provide the Cloud Service.
To the extent Customer transfers Personal Data from the European Economic Area, United Kingdom, or Switzerland to Tagmatic in the United States, such transfers are made pursuant to:
Upon request, Tagmatic will execute and provide Customer with executed copies of the applicable SCCs.
For the purposes of the CCPA, Tagmatic is a "Service Provider" as defined in Cal. Civ. Code § 1798.140(ag). Tagmatic will not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any commercial purpose other than performing the Cloud Service; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties; or (d) combine Customer Personal Data with Personal Data received from other sources, except as permitted by the CCPA.
Tagmatic certifies that it understands and will comply with the restrictions set forth in Section 6.1. Tagmatic will notify Customer if it makes a determination that it can no longer meet its CCPA obligations.
Tagmatic will assist Customer in responding to CCPA consumer rights requests (know, delete, correct, opt-out of sale/sharing) as described in Section 3.5 of this DPA.
This DPA commences on the DPA Effective Date and terminates upon expiration or termination of the Agreement, or (if later) upon the date on which Tagmatic has ceased all Processing of Customer Personal Data.
This DPA is governed by the same governing law and jurisdiction as the Agreement, except where Data Protection Laws require otherwise.
To the fullest extent permitted by Data Protection Laws, any claims in connection with this DPA will be subject to the limitations and exclusions of liability set forth in the Agreement.
In the event of any conflict between this DPA and the Agreement regarding data protection matters, this DPA shall control. SCCs shall take precedence over this DPA with respect to international transfers to the extent of any conflict.
The parties will work together in good faith to amend this DPA as reasonably necessary to comply with changes to Data Protection Laws.
Data protection inquiries: help@tagmatic.app
| Detail | Description |
|---|---|
| Subject Matter | Processing of text inputs submitted by Customer to the Tagmatic text annotation API for the purpose of generating annotation labels and confidence scores. |
| Duration | For the duration of the Agreement. Upon termination, as set out in Section 3.9 of this DPA. |
| Nature of Processing | Automated processing of text data through AI classification models to produce annotation labels, categories, sentiment, or other outputs as configured by Customer. Storage of annotation records and associated metadata in a hosted database. |
| Purpose of Processing | To provide the Tagmatic text annotation service as described in the Agreement. No other purpose, including AI model training. |
| Categories of Data | Customer Data: Text inputs submitted for annotation (which may include financial data, communications, or other business text at Customer's discretion). Annotation Outputs: Labels, categories, confidence scores, and metadata generated by the annotation service. Account Data: User email addresses, display names, API keys (hashed), and usage records associated with Customer's account. Audit Logs: Timestamps, request IDs, and processing metadata. |
| Categories of Data Subjects | Customer's employees, contractors, and end users whose Personal Data may be contained within text inputs submitted to the annotation service. Customer's authorized users of the Tagmatic platform. |
| Special Category Data | Not intentionally processed. Customer should not submit special category data (as defined in GDPR Article 9) without first contacting Tagmatic at help@tagmatic.app. |
| Retention Period | Active accounts: retained while account is active. Upon deletion request: purged within 30 days (backups within 90 days). Billing records: up to 7 years as required by law. |
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.2 or higher for all data in transit. HTTPS enforced; plain HTTP redirected. |
| Encryption at Rest | AES-256 encryption of data at rest at the infrastructure level (Neon PostgreSQL). |
| Access Control | Passwordless magic-link authentication. JWT session tokens (short-lived, revocable). Scoped API keys. All database queries scoped to the authenticated user (row-level isolation). Principle of least privilege for runtime credentials. |
| Network Security | Database accessible only via private networking from application servers. No public database endpoint. TLS enforced on all database connections. |
| Backup & Recovery | Daily automated database backups with 7-day retention. Tested restore procedures. |
| Vulnerability Management | Regular dependency updates. Critical security patches applied within 48 hours of vendor notification. |
| Secrets Management | All production secrets, credentials, and API keys stored as encrypted environment variables in Render. No secrets in source code or version control. |
| Incident Response | Security Incident notification within 72 hours of discovery. Documented incident response procedure. |
| Infrastructure Compliance | Hosted on Render (SOC 2 Type II certified) and Neon (enterprise PostgreSQL with security certifications). |
| Subprocessor | Location | Role | Trains on Data? |
|---|---|---|---|
| Render Services, Inc. | United States | Application hosting and compute. Runs Tagmatic web servers and workers. | No |
| Neon, Inc. | United States | PostgreSQL database hosting. Stores annotation records, metadata, and audit logs. | No |
| Google LLC (Gemini API) | United States | Tier 1 AI annotation model. Processes text inputs to generate annotation labels and confidence scores. API-only — no persistent data retention per Google Cloud commercial terms. | No — API only |
| Anthropic, PBC (Claude API) | United States | Tier 2 AI annotation model. Re-processes low-confidence inputs for higher-quality annotation. API-only — Anthropic does not train on API inputs from commercial customers. | No — API only |
Tagmatic will notify Customer at least 14 days in advance before adding or replacing any Subprocessor. Current list maintained at tagmatic.app/security.
By signing below (or by accepting the Agreement electronically), the parties agree to be bound by this DPA as of the DPA Effective Date.
To execute this DPA, send the signed document to help@tagmatic.app. To request the DPA in Word format for markup, contact the same address.