Last updated: May 16, 2026
This Data Processing Addendum (DPA) is part of the Terms of Use between Tarello and the Customer and governs the processing of Personal Data under the Brazilian LGPD (Law 13.709/2018) and, where applicable, the GDPR.
1. Roles
For the purposes of this DPA:
- Customer = Controller of the Personal Data they choose to submit to the Service.
- Tarello = Processor, processing Personal Data exclusively per documented Customer instructions (Terms of Use, Console settings, authorized support).
2. Scope
Tarello processes Personal Data only to:
- Provide the contracted Service;
- Technical support requested by the Customer;
- Comply with applicable legal obligations.
Tarello does not process Personal Data for its own purposes. Any additional processing requires written instruction from the Customer.
3. Subprocessors
Tarello uses subprocessors for infrastructure (cloud providers, CDN, payment processors). The updated list is available upon request to hello@tarello.io. New subprocessors will be announced 30 days in advance.
4. Security measures
Tarello applies the technical and organizational measures described at /legal/security, including encryption, access control, isolation, audit and backup. Updates to that protection standard will be reflected in the Security document.
5. Incident notification
In case of a Personal Data breach posing risk to data subjects, Tarello will notify the Customer within 72 hours of confirming the incident, providing: nature of the incident, affected data (category and estimated volume), measures taken and contact point for investigation.
6. Data subject rights
Tarello will support the Customer in handling data subject requests (access, correction, deletion, portability) to the extent technically feasible and within the scope of the Service.
7. Retention and return
Upon termination, the Customer will have 30 days to export their Data via API. After that period, Tarello will delete the Data, except where required by law to retain it.
8. International transfers
When the Customer chooses hosting outside Brazil, Tarello acts as Processor also in that jurisdiction. Standard Contractual Clauses (SCCs) are available for Customers processing data of EU subjects.
9. Contact
Requests related to this DPA: hello@tarello.io.