This Data Protection Addendum ("DPA") forms part of the agreement between Tau LLC ("Processor") and the Customer ("Controller").
1. Purpose
This DPA ensures compliance with global data protection laws (including GDPR) and governs how personal data is processed.
2. Roles
- Controller: The Customer, who decides why and how personal data is processed.
- Processor: Tau LLC, which processes data only under the Controller's instructions.
3. Processor Obligations
Tau LLC shall:
- Process personal data only on documented instructions from the Controller.
- Ensure staff are bound by confidentiality.
- Implement technical and organizational measures to protect data.
- Assist the Controller in fulfilling obligations under GDPR (e.g., data subject rights, breach notifications).
- Delete or return personal data upon termination of services, unless retention is required by law.
4. Sub-processing
- Tau LLC may engage sub-processors for specific services.
- Sub-processors are bound by obligations no less protective than this DPA.
- Current sub-processors are listed in the Sub-processor List.
- Controller will be notified of new sub-processors with at least 30 days' notice.
5. International Transfers
Data may be transferred outside the user's country, provided that adequate safeguards (e.g., Standard Contractual Clauses) are in place.
6. Security Measures
Tau LLC applies:
- Encryption in transit and at rest.
- Role-based access control.
- Incident response protocols.
- Independent audits.
7. Data Breach
In the event of a personal data breach, Tau LLC will notify the Controller without undue delay and no later than 72 hours.
8. Term
This DPA remains in force for as long as Tau LLC processes personal data on behalf of the Controller.
Signed:
Tau LLC (Processor)
verify@tauos.org
© 2025 Tau Foundation & Tau LLC