Data Processing Agreement
Effective 15 May 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Testimo (“Processor”, “we”) and the customer (“Controller”, “you”) using the Testimo service under our Terms of Service. It describes how Testimo processes personal data on the Controller’s behalf in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR.
1. Roles
The Controller decides what personal data is collected through Testimo (by designing forms and inviting respondents) and the purposes of that collection. Testimo processes that personal data solely on the Controller’s documented instructions, which for the purposes of this DPA include configuring features in the product UI (e.g. enabling sheet sync, attaching forms to specific sheets, configuring notification recipients).
2. Subject matter and duration
Subject matter: processing personal data of respondents (the Controller’s clients or prospects) submitted through Testimo’s forms, for the purpose of delivering the Testimo service.
Duration: for as long as the Controller’s Testimo account remains active, plus the retention period set out in our privacy policy.
3. Nature and purpose of processing
Processing operations include:
- Storing form definitions and respondent submissions.
- Generating AI-drafted testimonial copy from submission content (Google Gemini, on the Controller’s instruction).
- Mirroring submissions to a Google Sheet the Controller chooses (via the Sheets sync feature).
- Sending notification emails to recipients the Controller configures, and a copy of the submission to the respondent when the Controller enables that per-question.
- Creating booking events on Testimo’s own Google Calendar when a prospect uses the Book-a-call feature on a Controller’s form. (Note: the calendar event is created in Testimo’s calendar, not the Controller’s, so the Controller’s Google account is not involved in this processing.)
4. Types of personal data and categories of data subjects
Data subjects: the Controller’s clients, prospects, leads, members, customers and anyone else the Controller invites to fill in a Testimo form.
Categories of personal data: any information the Controller chooses to collect via form questions, which typically includes:
- Name, email address, phone number.
- Business or organisation name.
- Free-text answers (which may include sensitive content depending on what the Controller asks).
- Optional photo or file uploads.
- Submission metadata (timestamps, IP address, user agent, the URL the form was opened from).
5. Confidentiality
Testimo ensures that personnel authorised to process personal data are bound by confidentiality obligations (employment contract clauses or written commitments). Access to production data is limited to those who need it to provide and improve the service.
6. Security measures
Testimo implements the following technical and organisational measures consistent with Article 32 GDPR:
- Encryption in transit: all client/server and inter-service traffic is carried over HTTPS (TLS 1.2 or later).
- Encryption at rest: our subprocessors (Supabase, Vercel) encrypt all stored data at the disk level. Google refresh tokens are additionally encrypted at the application layer with AES-256-GCM, using a key held only on the server and never sent to the client.
- Access control: row-level security policies on every tenant table scope reads and writes to the Controller’s own data only. Administrative access requires multi-factor authentication.
- Logging and monitoring: infrastructure logs are retained and reviewed for unusual activity on a best-effort basis.
- Backups: daily encrypted snapshots, retained for up to 30 days.
7. Subprocessors
The Controller authorises Testimo to use the following subprocessors:
- Supabase (Postgres, Auth, Storage) — primary data store. Region: Sydney, Australia (ap-southeast-2).
- Vercel (application hosting). Region: Sydney, Australia (syd1).
- Google LLC — Gemini (for AI-drafted summary generation), Sheets and Calendar APIs (only when the Controller explicitly connects them).
- Brevo (formerly Sendinblue) — transactional email (submission notifications, welcome emails, submission copies).
- Brandfetch — auto-pulled brand assets (logo, theme colour). No personal data sent.
We’ll give 30 days’ notice via email to the Controller’s registered address before adding or replacing a subprocessor. The Controller may object on reasonable data-protection grounds; if we can’t resolve the objection, the Controller may terminate the agreement.
8. Data subject rights
Testimo will assist the Controller, taking into account the nature of processing, by appropriate technical and organisational measures, in responding to data subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
For Controllers’ own data, self-service rights are available inside the product:
- Export (Article 20) and account deletion (Article 17) are available at Settings → Account → Your data.
For data subjects whose data is held under the Controller’s account (i.e. respondents), the Controller is the first point of contact. We’ll assist the Controller in responding within the GDPR’s one-month window (Article 12(3)).
9. International transfers
Personal data is primarily hosted in Sydney, Australia. Australia is itself outside the EEA and the UK and has no EU or UK adequacy decision, so hosting in Sydney is an international transfer for EEA and UK Controllers; some subprocessors (Google, Brevo) are also based outside the EEA / UK. Where transfers occur, they are made under the Standard Contractual Clauses published by the European Commission (and, for UK transfers, the Information Commissioner’s Office’s International Data Transfer Agreement or UK Addendum to the SCCs), or under any successor mechanism.
10. Breach notification
If Testimo becomes aware of a personal data breach affecting the Controller’s data, we will notify the Controller without undue delay and in any event within 72 hours of becoming aware, providing the information required by Article 33(3) to the extent it is available.
11. Audits
Testimo will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Audits are limited to once per year unless required by a supervisory authority or following a confirmed breach. Audit activities must be agreed in writing in advance and scheduled to minimise disruption.
12. Return / deletion on termination
On termination of the Controller’s account, Testimo will either delete or return all personal data, at the Controller’s choice, unless storage is required by law. Self-service deletion at Settings → Account → Your data triggers an immediate purge of all the Controller’s tenant data from the live database; copies in encrypted backup snapshots expire on the schedule set out in section 6 (up to 30 days) and are not restored except to recover from a service failure.
13. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in our Terms of Service.
14. Governing law
This DPA is governed by the same law and jurisdiction set out in our Terms of Service.
15. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict for matters relating to the processing of personal data.
16. Counter-signed copy
Customers who need a counter-signed PDF copy of this DPA on letterhead may request one by emailing info@testimo.app with the subject DPA request. We’ll send a PDF within 5 working days.