Teamy
Diagnostic

Data Processing Addendum

Effective as of May 8, 2026

This Data Processing Addendum (“DPA”) supplements the subscription agreement, order form, commercial proposal or other applicable written agreement between:

Orbyte Labs Limited, a company registered in Hong Kong under company number 78783408, with its registered office at Unit B, 11/F, Yam TZE Commercial Building, 23 Thomson Road, Wan Chai, Hong Kong SAR, developer and operator of the Teamy product (“Orbyte Labs”),

and

[Client legal name], a company registered under number [number], with its registered office at [address] (“Client”).

Orbyte Labs and the Client are each referred to as a “Party” and together as the “Parties”.

1. Purpose

This DPA sets out the terms under which Orbyte Labs processes personal data on behalf of the Client in connection with the provision of Teamy.

Teamy is a SaaS product that enables organizations to deploy, configure and supervise AI agents, connect third-party tools, coordinate tasks, process files, manage organizational context and control certain actions through human validation mechanisms.

This DPA applies only to personal data processing carried out by Orbyte Labs on behalf of the Client, where the Client acts as controller and Orbyte Labs acts as processor.

2. Definitions

In this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person processed by Orbyte Labs on behalf of the Client through Teamy.

“Client Data” means data, files, content, instructions, messages, prompts, tasks, configurations, integrations, outputs and other information submitted to or processed in Teamy by or on behalf of the Client.

“Applicable Regulation” means applicable laws and regulations relating to the protection of personal data, including the General Data Protection Regulation where applicable, and the Swiss Federal Act on Data Protection / FADP / nFADP where applicable.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

“Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data Breach” and “Subprocessor” have the meanings given to them under the Applicable Regulation.

3. Roles of the Parties

For Personal Data processed in the Client’s Teamy Organization:

  • the Client acts as controller;
  • Orbyte Labs acts as processor, processing such Personal Data on behalf of the Client and in accordance with the Client’s documented instructions.

The Client remains responsible for determining the purposes and means of processing, the applicable legal basis, the information to be provided to Data Subjects, applicable retention periods and compliance with its obligations as controller.

Orbyte Labs may act as an independent controller for certain processing carried out for its own purposes, including commercial management, billing, security, communications, support, usage analytics and service administration. Such processing is described in the Teamy Privacy Policy and is not covered by this DPA.

4. Client instructions

Orbyte Labs processes Personal Data only on documented instructions from the Client.

These instructions include the applicable agreement, this DPA, the Teamy Terms of Use, the configurations defined by the Client in Teamy, and any reasonable written request sent by the Client to Orbyte Labs.

Orbyte Labs will inform the Client if it believes that an instruction clearly violates the Applicable Regulation, unless prohibited from doing so by law.

5. Description of processing

The processing carried out by Orbyte Labs on behalf of the Client is described in Appendix 1, Description of Processing.

This Appendix specifies, in particular, the subject matter, duration, nature, purposes, categories of Data Subjects, categories of Personal Data, processing operations and categories of Subprocessors.

6. Confidentiality and security

Orbyte Labs will ensure that persons authorized to process Personal Data are subject to an appropriate contractual or legal confidentiality obligation.

Access to Personal Data is limited to persons who need such access to provide, maintain, secure or support Teamy.

Orbyte Labs implements reasonable technical and organizational measures designed to protect Personal Data against destruction, loss, alteration, unauthorized disclosure or unauthorized access.

Such measures may include, as applicable, access control, authentication, permission management, encryption where appropriate, logging, monitoring, backups, logical separation of environments, internal access restrictions, protection of secrets and integration tokens, and security procedures.

The Client acknowledges that Teamy is a SaaS product relying on cloud services, third-party integrations and AI models, and that no security measure can guarantee absolute security.

The Client is responsible for the security of its own accounts, devices, networks, users, connected services, permissions, validations and configurations in Teamy.

7. Subprocessors

The Client authorizes Orbyte Labs to use Subprocessors to provide Teamy, including for hosting, infrastructure, storage, authentication, security, analytics, support, billing, payments, communications, integrations and AI models.

Orbyte Labs will impose data protection obligations on its Subprocessors that are reasonably equivalent to those set out in this DPA.

Orbyte Labs remains responsible to the Client for the performance of its Subprocessors’ obligations to the extent required by the Applicable Regulation.

Orbyte Labs may change its Subprocessors where necessary for the operation, security, improvement or evolution of Teamy. Where required by the Applicable Regulation, Orbyte Labs will inform the Client of any material change in order to allow the Client to raise a reasonable objection.

In the event of a reasonable objection, the Parties will seek in good faith an appropriate solution. If no solution can be found, the Client may stop using the relevant feature or terminate the relevant service in accordance with the applicable agreement.

8. AI model providers

Teamy uses artificial intelligence model providers to generate outputs, run agents, analyze content, produce recommendations or enable certain service features.

These providers may include, depending on the features used, OpenAI, Anthropic, Google or other equivalent providers.

Orbyte Labs does not train its own general AI models on Client Data.

When Teamy sends prompts, instructions, files, context or other content to third-party AI model providers in order to provide the service, such data is processed in accordance with the applicable terms, policies and commitments of those providers.

Orbyte Labs uses reasonable efforts to select providers suitable for professional use and to limit the data transmitted to what is necessary to provide the requested features.

9. Assistance to the Client

To the extent reasonably possible and taking into account the nature of the processing, Orbyte Labs will assist the Client in complying with its data protection obligations, including in relation to:

  • Data Subject rights requests;
  • security of Personal Data;
  • Personal Data Breaches;
  • data protection impact assessments, where applicable;
  • prior consultation with a supervisory authority, where applicable.

This assistance will be provided to the extent the relevant information is available to Orbyte Labs and the request relates to processing carried out through Teamy on behalf of the Client.

Orbyte Labs may charge for exceptional or disproportionate assistance requests, or requests outside the normal support scope of the applicable agreement, provided that it informs the Client in advance.

10. Data Subject requests

If Orbyte Labs receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Client, Orbyte Labs may redirect the request to the Client, inform the Client of the request, or assist the Client in responding where reasonably possible.

Orbyte Labs will not respond directly to a request concerning the Client’s Personal Data, unless instructed by the Client, required by law, or reasonably necessary for service security.

The Client remains responsible for responding to Data Subject requests where the data is processed under its control as controller.

11. Personal Data Breach

Orbyte Labs will inform the Client without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client through Teamy.

The notification will include, to the extent the information is available:

  • the general nature of the incident;
  • the categories of data concerned;
  • the likely consequences;
  • the measures taken or proposed to address the incident;
  • relevant information for follow-up.

Orbyte Labs will reasonably cooperate with the Client to help it comply with its notification obligations, where required by the Applicable Regulation.

Notification of an incident by Orbyte Labs does not constitute an admission of fault or liability.

12. Deletion and return of data

At the end of the applicable agreement, Orbyte Labs will delete or make unavailable the Personal Data processed on behalf of the Client, unless retention is necessary to comply with a legal obligation, resolve a dispute, prevent fraud, maintain security logs, defend its rights or comply with reasonable technical procedures.

Where technically possible and reasonably requested by the Client before the end of the agreement, Orbyte Labs may assist the Client with the export or return of certain Client Data available in Teamy.

Data retained in backups will be deleted according to Orbyte Labs’ normal backup retention and rotation cycles.

13. International transfers

Orbyte Labs is based in Hong Kong. The Client acknowledges that the provision of Teamy may involve transfers or processing of Personal Data outside the European Union, the European Economic Area, the United Kingdom, Switzerland or the Client’s country.

Where the Applicable Regulation requires specific safeguards for international transfers, Orbyte Labs will use reasonable efforts to implement appropriate safeguards, such as standard contractual clauses, contractual commitments with Subprocessors, reasonable technical and organizational measures, or any other mechanism recognized by the Applicable Regulation.

Where the GDPR applies, the Parties agree that the European Commission Standard Contractual Clauses may apply to transfers of Personal Data from the European Economic Area to Orbyte Labs or to Subprocessors located outside the European Economic Area, to the extent required by the Applicable Regulation.

Where Swiss data protection law applies, Orbyte Labs will also use reasonable efforts to implement appropriate safeguards required for transfers to countries that do not benefit from a level of protection recognized as adequate by Switzerland.

14. Audits and information

Orbyte Labs will make available to the Client information reasonably necessary to demonstrate compliance with its obligations under this DPA, to the extent such information is available and does not compromise security, confidentiality, trade secrets or information relating to other clients.

Any audit request must be reasonable, proportionate, limited to the relevant processing, preceded by reasonable written notice and subject to appropriate confidentiality obligations.

Where possible, the Parties will prioritize the provision of documents, written responses, certifications, reports or security information over an on-site audit.

Audits must not unreasonably disrupt Orbyte Labs’ operations or compromise the security of Teamy.

15. Sensitive data

The Client agrees not to submit to Teamy sensitive personal data, medical data, full payment data, data relating to minors, highly regulated data or any other category of data requiring specific protections, unless previously agreed in writing with Orbyte Labs and appropriate safeguards are implemented.

The Client remains responsible for ensuring that the data submitted to Teamy is appropriate in light of the nature of the service, the intended purposes and the Applicable Regulation.

16. Client responsibilities

The Client is responsible for the lawfulness of the Personal Data submitted to Teamy, informing Data Subjects, determining applicable legal bases, configuring access rights, permissions, integrations and validations, complying with retention periods applicable to its activity, handling Data Subject requests, and ensuring that its use of Teamy complies with the Applicable Regulation.

The Client also remains responsible for reviewing outputs generated by AI agents before any important use.

17. Term

This DPA takes effect on the effective date of the applicable agreement and remains in force for as long as Orbyte Labs processes Personal Data on behalf of the Client through Teamy.

Obligations that by their nature should survive termination will continue to apply, including confidentiality, security, data deletion and use limitation obligations.

18. Contractual hierarchy

In the event of a conflict between this DPA and the Teamy Terms of Use, this DPA prevails for matters relating to the processing of Personal Data carried out by Orbyte Labs as processor on behalf of the Client.

In the event of a conflict between this DPA and the signed subscription agreement, the subscription agreement prevails for commercial, financial and duration-related matters, unless the conflict directly concerns obligations imposed by the Applicable Regulation regarding the protection of personal data.

19. Contact

For any question relating to this DPA or the processing of personal data, the Client may contact Orbyte Labs at:

contact@teamy.run

Appendix 1, Description of Processing

1. Subject matter of processing

Provision, operation, maintenance, security and support of Teamy, a SaaS product enabling organizations to deploy, configure and supervise AI agents, connect third-party tools, coordinate tasks, process files, manage organizational context and control certain actions through human validation mechanisms.

2. Duration of processing

The duration of processing corresponds to the duration of the subscription agreement or the Client’s use of Teamy, plus the period necessary for deletion, return, backup, security, legal obligations or dispute resolution.

3. Nature of processing operations

Operations may include collection, receipt, hosting, storage, consultation, organization, structuring, extraction, transmission, analysis, AI output generation, interaction with connected third-party services, logging, backup, security, deletion and return where available.

4. Purposes of processing

Purposes include creation and management of the Teamy Organization, management of Users, roles and permissions, configuration of AI agents, workflows and automations, processing of prompts, instructions, messages, files and tasks, generation of responses, recommendations, documents, plans or outputs, execution of actions requested or approved by the Client, connection and use of third-party services, usage management, support, diagnostics, security and maintenance.

5. Categories of Data Subjects

Data Subjects may include the Client’s Users, employees, directors, contractors or collaborators, the Client’s customers, prospects, suppliers or partners, and any person mentioned in files, messages, emails, documents, tasks, integrations or content submitted to Teamy.

6. Categories of Personal Data

Processed data may include first name, last name, email address, professional identifiers, role, position, organization, permissions, messages, prompts, instructions, comments, files, documents, emails, calendars, metadata and content from connected services, tasks, validations, workflows, histories, generated outputs, technical data, logs, timestamps, AI credit consumption, product events, data necessary for integrations, OAuth tokens and associated permissions.

The Client agrees not to submit sensitive or highly regulated data without Orbyte Labs’ prior written agreement.

7. Categories of Subprocessors

Orbyte Labs may use Subprocessors for cloud hosting, infrastructure, databases, file storage, authentication, access management, security, monitoring, AI model providers, product analytics, customer support, email, communications, billing, payments, internal development, maintenance and diagnostic tools.

8. Third-party services and AI models

Depending on the features used by the Client, Teamy may process data through third-party services such as Google Workspace, Gmail, Google Calendar, Google Drive, Google Docs, Google Sheets, Google Slides, Discord, GitHub, LinkedIn, X/Twitter, Stripe, OpenAI, Anthropic, Google or other equivalent providers.

The exact providers may evolve depending on the features used, integrations enabled, and technical, security or availability constraints.

9. General security measures

Security measures may include internal access management, authentication, organization and user-level permissions, access limitation to authorized persons, secure storage of secrets and tokens, monitoring, logs, backups, encryption where appropriate, logical separation of environments, internal security procedures, data retention limitation where possible, and continuous review of security practices.