Telekinesis Docs

Appearance

Data Processing Agreement

Telekinesis GmbH
Neckarstraße 4, 4.1.08
64283 Darmstadt
Germany

Commercial Register: HRB 105059
Register Court: Amtsgericht Darmstadt

Managing Directors:
Suman Pal
Arjun Vir Datta

Email: suman.pal@telekinesis.ai
Phone: +49 157 5817 8477

Last updated: 1st December 2025

Important Notice

This DPA forms an integral part of the Terms & Conditions and is accepted electronically by the Customer at the time of account creation, in accordance with GDPR Article 28(9).

Telekinesis maintains logs of:

  • the version of the DPA accepted
  • the timestamp of acceptance
  • the user account accepting it

This satisfies all GDPR requirements for Controller–Processor contracts. This DPA applies only to Paid and Enterprise tier users. Free Tier usage is governed by the Telekinesis Terms & Conditions and Privacy Policy, under which Telekinesis acts as an independent Data Controller.

Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into by:

Telekinesis GmbH (“Processor”)

and

The entity or individual creating a Telekinesis Paid or Enterprise account (“Controller”).

This DPA does not apply to Free Tier usage. For Free Tier users, Telekinesis determines the purposes and means of processing input/output data, and therefore acts as the Controller under GDPR Article 4(7).

1. Subject Matter

  • This DPA governs Telekinesis’ processing of Personal Data performed on behalf of the Controller in connection with Paid or Enterprise access to Telekinesis APIs, runtimes, and platform.

  • This DPA supplements and forms part of the Telekinesis Terms & Conditions.

  • In the event of conflict, this DPA prevails over the T&C.

2. Definitions

Standard GDPR definitions apply, including:

  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” (Art. 4)
  • “Subprocessor” (Art. 28)

3. Description of Processing

3.1 Categories of Personal Data

Telekinesis may process the following on behalf of the Controller:

  • Name
  • Email address
  • Role, job title, company
  • Truncated IP address
  • API usage metadata (timestamp, endpoint, request size)
  • Billing data (via Stripe)

Telekinesis does not process or retain input/output data for Paid or Enterprise tiers.

3.2 Categories of Data Subjects

  • Employees
  • End users
  • Authorized developers of the Controller

3.3 Nature and Purpose of Processing

  • Account creation
  • Authentication
  • Providing API access
  • Monitoring
  • Abuse prevention
  • Billing
  • Customer support

3.4 Duration

For the duration of the Controller’s account. Inference data is not stored or retained for these users.

4. Input and Output Data Policy

This section applies only to Paid and Enterprise tiers. Telekinesis:

  • Does not store or retain input images, video frames, or point clouds
  • Processes inference strictly in memory (RAM)
  • Deletes input immediately after inference
  • Does not log, analyze, or use inference content
  • Does not use inference output for training or analytics Free Tier users are not subject to this DPA.

5. Obligations of Telekinesis (Processor)

Telekinesis shall:

  • Process Personal Data only on documented instructions from the Controller.

  • Ensure persons authorized to process data are bound by confidentiality.

  • Implement appropriate Technical & Organizational Measures (TOMs), including:

    • Hosting on Amazon Web Services (AWS), including regions in the United States (US East), with appropriate safeguards for international data transfers under GDPR Chapter V.
    • Encryption in transit & at rest
    • Role-based access controls
    • Logging & monitoring
    • Incident response procedures

  • Assist Controller in data subject requests.

  • Notify Controller of personal data breaches within 48 hours.

  • Delete or return Personal Data upon termination (except where law requires retention).

6. Subprocessors

Controller grants general authorization for Telekinesis to use the following Subprocessors:

SubprocessorPurposeLocationNotes
Amazon Web Services (AWS)Hosting & infrastructureUnited States (US East)GDPR-compliant; Standard Contractual Clauses (SCCs) apply
HubSpot EUCRMEUNo U.S. transfer
Stripe Payments EuropeBillingIrelandGDPR-compliant
Discord (optional)Community supportEU serversUsed only if Controller engages voluntarily

Telekinesis will notify Controller of changes 30 days in advance.

6.1 Internation Data Transfers

Where Personal Data is transferred outside the European Economic Area, including to the United States, such transfers are subject to appropriate safeguards in accordance with GDPR Chapter V, including the European Commission’s Standard Contractual Clauses (SCCs).

Telekinesis relies on AWS’s GDPR-compliant data processing terms and SCCs for such transfers.

7. Obligations of Controller

Controller shall:

  • ensure Personal Data is processed lawfully
  • maintain updated user permissions
  • secure API keys
  • ensure no unlawful or unauthorized content is submitted

8. Security Measures (Art. 32 GDPR)

Telekinesis implements:

Technical:

  • TLS 1.2+
  • AES-256 encryption
  • IAM/MFA
  • Network firewalls
  • Intrusion detection
  • Secrets Manager
  • Rate limiting
  • In-memory only inference

Organizational:

  • Confidentiality agreements
  • Role-based access
  • Employee security training
  • Documentation of TOMs
  • Regular reviews

9. Data Subject Rights (Art. 12–22 GDPR)

Telekinesis assists Controller with:

  • Access
  • Rectification
  • Deletion
  • Portability
  • Objection

Requests will be addressed within 10 business days.

10. Audit Rights

Controller may audit Telekinesis:

  • once per calendar year
  • with 30 days’ notice
  • during business hours
  • without access to proprietary model internals

AWS, HubSpot, and Stripe certifications satisfy most audits.

11. Data Deletion

Upon termination:

  • Account data: deleted
  • Metadata logs: deleted within 6–12 months
  • Billing data: retained 10 years (required by German tax law)

Input data is never stored and therefore not subject to deletion.

12. Liability

Liability follows the main contract and German law.

Processor is not liable for:

  • Controller misconfigurations
  • Misuse of API keys
  • Unlawful content uploaded by Controller
  • Controller’s internal processing activities

13. Term & Termination

This DPA:

  • becomes effective upon account creation
  • remains valid until the main contract ends
  • cannot be terminated independently

14. Electronic Acceptance (GDPR Art. 28(9))

By creating an account, the Controller:

  • Agrees to this DPA
  • Approves Telekinesis as its Data Processor
  • Approves the listed subprocessors
  • Consents to electronic acceptance

Telekinesis maintains a log of DPA acceptance including:

  • version number
  • timestamp
  • user ID
  • truncated IP

This constitutes legally binding signature under German and EU law.

15. Governing Law

This DPA is governed exclusively by German law, with jurisdiction in Darmstadt, Germany.

16. Entire Agreement

This DPA supersedes any prior data processing terms unless superseded by a signed enterprise agreement.