Data Processing Agreement - Article 28 GDPR
Last updated: August 1, 2025
This Data Processing Agreement (hereinafter "the Agreement") is concluded between the Client (as defined in the Terms of Service of Tesseris), hereinafter referred to as the "Data Controller", and Sohmware SARL, operating under the name Tesseris, SARL with a capital of 5000 euros, SIREN 749862322, whose registered office is located at 3 rue Hanau, 67350 Niedermodern, France, hereinafter referred to as the "Data Processor".
This Agreement constitutes an annex to the Terms of Service (ToS) of the Tesseris service and prevails over any contrary clause of the latter concerning the processing of personal data of the Data Controller's end customers.
The purpose of this Agreement is to define the conditions under which the Data Processor undertakes to carry out on behalf of the Data Controller the personal data processing operations defined below, in accordance with the requirements of the General Data Protection Regulation (GDPR) and French legislation on data protection.
The Data Processor is authorized to process on behalf of the Data Controller the personal data necessary to provide the Tesseris service. The processing details are as follows:
| Nature and Purposes of Processing | Provision of route optimization SaaS service, including: automated calendar consultation, AI-assisted appointment booking, optimal route calculation, SMS reminder notifications, secure data hosting and maintenance, route report generation. |
| Processing Duration | For the duration of the Client's subscription to the Tesseris service, as defined in the ToS, plus a 30-day retention period after termination to allow possible reactivation. Technical backups may be kept for up to 90 additional days for security and service continuity purposes. |
| Types of Personal Data | Data of the Data Controller's end customers: first names, last names, complete postal addresses, phone numbers, email addresses, service types, appointment slots, intervention history, contact preferences, real-time GPS geolocation coordinates (only with explicit consent from the end customer via their mobile device). |
| Categories of Data Subjects | The Data Controller's end customers (individuals and professionals subject to appointments and interventions scheduled within the framework of optimized routes). |
The Data Processor undertakes to strictly comply with the following obligations:
Process data only on documented instruction of the Data Controller, including regarding transfers of data to third countries. These constitute the initial instructions. Any additional instruction must be documented in writing.
Ensure the confidentiality of personal data processed and ensure that all persons authorized to process the data contractually undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
Implement appropriate technical and organizational security measures, as described in Annex 1 of this Agreement, to protect data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access.
The Data Controller authorizes the use of sub-processors listed in Annex 2. Any addition or replacement will be notified to the Data Controller with a minimum 30-day notice. The Data Controller may object for legitimate reasons. The Data Processor remains fully liable to the Data Controller for the performance of obligations of any sub-processor.
Assist the Data Controller, by appropriate technical and organizational measures, insofar as possible, to fulfill its obligation to respond to requests for exercising data subject rights (access, rectification, erasure, portability, restriction, objection). Requests received directly by the Data Processor will be immediately forwarded to the Data Controller.
Notify the Data Controller of any personal data breach as soon as possible after becoming aware of it, at the latest within 48 hours, providing all useful information: nature of the breach, categories and approximate number of data subjects concerned, probable consequences, measures taken or envisaged.
Provide the Data Controller with all information necessary to demonstrate compliance with the obligations provided for in this article and allow audits, including inspections, by the Data Controller or an auditor mandated by them.
At the end of the contract, according to the Data Controller's choice: return all personal data to the Data Controller or delete all personal data and destroy existing copies, unless a legal obligation requires their retention.
The Data Controller undertakes to:
Ensure that the collection and initial processing of personal data of its end customers are carried out in compliance with applicable laws, particularly by collecting appropriate consents and respecting its information obligations.
Provide clear, lawful and documented instructions regarding data processing. Any additional instruction or modification must be communicated in writing.
Respect its own obligations under the GDPR, particularly informing its end customers about Tesseris's intervention as a processor, and directly manage requests for exercising rights from its end customers.
Cooperate with the Data Processor to enable compliance with the latter's obligations, particularly in case of audit or data breach.
The Data Controller may conduct audits to verify the Data Processor's compliance with this Agreement, at most once per year and subject to 30 days' notice. Audits are conducted during business hours (9am-6pm, Monday-Friday) and must not unreasonably disrupt the Data Processor's activity. Audit costs are borne by the Data Controller. The Data Processor will provide all necessary documentation demonstrating its security and GDPR compliance measures.
Each party is responsible for compliance with its own obligations under this Agreement. In case of Data Processor breach resulting in a data violation or supervisory authority sanction, the Data Processor will indemnify the Data Controller for justified direct costs, within the limit of its contractual liability defined in the ToS. The Data Controller remains solely responsible to its own end customers for respecting their GDPR rights.
The Data Controller acknowledges and expressly accepts that the Tesseris service requires data transfers to third countries (Google Maps geolocation APIs, Microsoft/Google calendars) for its operation. These transfers are governed by European Commission adequacy decisions or by standard contractual clauses implemented by these providers. The Data Processor undertakes to inform the Data Controller of any new transfer to a third country.
This Agreement enters into force on the date of acceptance of the ToS by the Data Controller and remains in force throughout the duration of the subscription to the Tesseris service. It automatically ends upon termination or expiration of the subscription. Confidentiality and data return/deletion obligations will survive termination of this Agreement.
This Agreement is governed by French law. In case of dispute relating to the interpretation or execution of this Agreement, the parties favor amicable resolution. Failing that, any dispute will fall under the exclusive jurisdiction of the courts of Strasbourg, France.
The Data Processor implements the following security measures:
List of sub-processors authorized by the Data Controller:
Service: Main infrastructure hosting, data storage and production backups
Location: France
Guarantees: EU hosting, physical and logical security measures, GDPR compliance
Service: Geolocation APIs, optimal route calculation, reverse geocoding
Location: European Union and countries with adequacy decision
Guarantees: Selection according to GDPR compliance criteria and secure transfers
Service: Google calendar access, slot synchronization
Location: Worldwide (mainly United States)
Guarantees: EU-US adequacy decision, standard contractual clauses, industrial security measures
Service: Calendar API (Outlook/Exchange), slot synchronization
Location: Worldwide (mainly United States)
Guarantees: EU-US adequacy decision, standard contractual clauses, industrial security measures
Service: Long-term security backup storage
Location: France
Guarantees: EU hosting, data encryption, GDPR compliance
Service: SMS reminder notification sending
Location: European Union or countries with adequacy decision
Guarantees: Selection according to GDPR compliance criteria and security certifications
The Data Controller acknowledges having read and accepted this Agreement by accepting the Terms of Service of the Tesseris service.
The Data Processor undertakes to comply with all obligations defined in this Agreement.
DPO Contact: dpo@tesser.is
General Contact: contact@tesser.is