Data Processing Addendum
A counter-signed PDF copy of this Addendum is available at /legal/dpa.pdf.
1. About this Data Processing Addendum
When a Builder uses Toolum to design or generate a product that involves Personal Data of someone other than the Builder — sample user records, customer email lists, account profiles for an app being prototyped, end-user identifiers that flow through a Blueprint — the Builder takes on the role of a data controller under the EU General Data Protection Regulation, and Toolum takes on the role of a data processor for that processing. This Addendum is the contract that governs the controller-to-processor relationship in that situation.
Most Builders do not need this Addendum. If you are using Toolum only to prototype your own ideas, to generate code for your own apps that you have not yet deployed to real end-users, or to explore the platform with synthetic or placeholder data, the relationship between you and Toolum is governed entirely by our Terms of Service and our Privacy Policy. This Addendum becomes relevant the moment your use of Toolum touches Personal Data of natural persons other than yourself.
1.1 What this Addendum does
This Addendum sets out the terms under which Toolum processes Personal Data on the Builder's behalf, in compliance with Article 28 of Regulation (EU) 2016/679 (the "GDPR") and any equivalent provisions of Cyprus data protection law that implement the GDPR domestically. It specifies what Toolum may do with the Personal Data the Builder entrusts to it, what safeguards apply to that processing, what happens when the Builder exercises data subject rights or when Toolum needs to notify the Builder of a breach, and what the Builder is responsible for as the controller of the data.
It also forms the necessary contractual basis for two categories of obligations that the GDPR requires every processor relationship to address: international data transfers (Article 44 et seq.) and the technical and organizational measures by which Personal Data is protected (Article 32). The text on those subjects is in Sections 8 and 11, and in the Annexes at the end of this document.
1.2 Who the parties are
The parties to this Addendum are:
Toolum — Kirill Maximenko (Cyprus self-employed entity)
Tax Identification Number: 60056031S
Address: 3 Evagora Pitali, 4040 Germasogeia, Limassol, Cyprus
Email: info@toolum.ai
Acting as the data processor under this Addendum.
Builder — the natural or legal person who has accepted Toolum's Terms of Service, holds an active Toolum account, and uses the Service to process Personal Data of natural persons other than the Builder. Acting as the data controller under this Addendum.
In this Addendum, "we," "us," "our," and "Toolum" refer to the processor identified above. "You" and "your" refer to the Builder acting in the capacity of data controller for the Personal Data being processed through Toolum.
1.3 How this Addendum is accepted
This Addendum is incorporated by reference into our Terms of Service. When you accept the Terms of Service to create your Toolum account or to make a purchase, you are also accepting this Addendum. No additional signature, click-through, or email exchange is required.
From the moment you accept the Terms of Service, this Addendum applies to any processing of Personal Data of natural persons other than yourself that you carry out through the Service. If your use of Toolum never involves such processing, this Addendum remains dormant — it does no harm and it does not impose obligations that have no subject matter. If your use of Toolum does involve such processing at any point, the protections in this Addendum apply automatically from that moment.
A pre-signed PDF copy of this Addendum is available for download at the URL where this document is published, for Builders who need a signed version for their own records or to satisfy their own customers' due-diligence requirements. Downloading the PDF is not a precondition for the Addendum to be in effect; the Addendum is in effect by virtue of your acceptance of the Terms of Service.
1.4 How this Addendum relates to other Toolum documents
This Addendum is one part of the broader Toolum legal framework. It is read together with:
- Terms of Service — the master agreement that governs your use of the Service generally. Sections 6.7 and 17.2 of the Terms are the source of this Addendum: they identify the controller-to-processor scenario and direct you here for the operative terms.
- Privacy Policy — the disclosure of how Toolum processes Personal Data about you, the Builder, as a controller in its own right. The Privacy Policy and this Addendum address different processing relationships and do not overlap on substance; where this Addendum refers to material that is also documented in the Privacy Policy (notably the data categories in Section 4 and the technical measures in Annex II), the references are for the Builder's convenience.
- Subprocessor List — the current list of Subprocessors engaged by Toolum, which forms part of this Addendum by reference and is reproduced in Annex III at the end of this document.
- AI Transparency Statement — the technical disclosure of how AI inference works on Toolum, which describes the processing flow that the AI provider Subprocessors in Annex III actually perform.
Where the substance of this Addendum conflicts with any other Toolum document on a matter of Personal Data processing carried out under your controller authority, this Addendum prevails, as required by GDPR Article 28(3). On any other matter, the document closer to the specific subject matter prevails.
1.5 Defined terms
The following terms have the meanings given below when used in this Addendum. Terms defined in the GDPR that are used but not separately defined here have the meaning given to them in the GDPR.
- Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1), that is processed by Toolum on your behalf in connection with the Service.
- Processing — any operation or set of operations performed on Personal Data, as defined in GDPR Article 4(2).
- Controller — the natural or legal person that determines the purposes and means of processing of Personal Data, as defined in GDPR Article 4(7). Under this Addendum, the Builder is the Controller.
- Processor — the natural or legal person that processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8). Under this Addendum, Toolum is the Processor.
- Subprocessor — a third party engaged by the Processor to carry out specific processing activities on the Processor's behalf, as identified in the Subprocessor List and reproduced in Annex III.
- Data Subject — the identified or identifiable natural person to whom the Personal Data relates.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as defined in GDPR Article 4(12).
- Supervisory Authority — an independent public authority established by an EU Member State pursuant to GDPR Article 51. Toolum's lead Supervisory Authority is identified in our Privacy Policy Section 10.4.
- Service — the Toolum platform as defined in the Terms of Service Section 1.3.
- Builder Personal Data — the Personal Data that you upload to, generate through, or otherwise process through the Service in the capacity of Controller. The categories, subjects, and processing operations are described in Annex I.
- Standard Contractual Clauses or SCCs — the standard contractual clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021, specifically Module Two (controller to processor).
- EU-US Data Privacy Framework or DPF — the data transfer framework established by Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of Personal Data under the EU-US Data Privacy Framework.
2. Subject matter, duration, and purpose
2.1 Subject matter
The subject matter of the processing under this Addendum is the Personal Data that you, as Controller, transmit to or generate through Toolum in connection with your use of the Service for purposes that involve Personal Data of natural persons other than yourself. This includes, in particular, the contents of prompts you submit, files you upload, project structures you build, and AI-generated outputs that contain or refer to Personal Data of Data Subjects.
The full description of the subject matter, including the categories of Data Subjects affected and the categories of Personal Data processed, is set out in Annex I.A.
2.2 Duration
The processing under this Addendum begins when you first submit Builder Personal Data to the Service in your capacity as Controller and continues for as long as Toolum holds that Personal Data.
The active processing period ends:
- When you close your Toolum account in accordance with the Terms of Service Section 15.1;
- When your Toolum subscription terminates for any of the reasons described in the Terms of Service Sections 15.2 through 15.5;
- When Toolum's relationship with you ends for any other reason; or
- When the Personal Data is deleted at your instruction, in accordance with Section 14 below.
After the active processing period ends, residual processing operations limited to the retention windows described in our Privacy Policy Section 8 may continue for the purposes specified there — backup-cycle completion, audit-log integrity, tax-record retention, and similar narrowly scoped operational purposes. The terms of this Addendum continue to apply to such residual processing for the duration of the relevant retention window.
2.3 Nature and purpose
The nature of the processing is the operation of an AI-powered no-code builder for digital products, as described in the Terms of Service Section 1.3 and the AI Transparency Statement Section 2.
The purpose of the processing is to enable you to design and generate digital products through Toolum, including any AI-generated outputs, code exports, and Blueprint operations that involve Personal Data you have chosen to incorporate into your work. Toolum does not process Builder Personal Data for any purpose other than this, except where the further processing is:
- Necessary to comply with a legal obligation imposed on Toolum by EU or Member State law (in which case the limits in Section 6.2 apply); or
- Permitted by your documented instructions in accordance with Section 6.1.
For the avoidance of doubt, Toolum does not, under any circumstances, use Builder Personal Data to train, fine-tune, evaluate, or otherwise improve any AI model — whether one of Toolum's own systems or one operated by an AI provider Subprocessor. The provider-side training opt-out configuration that makes this true is described in the AI Transparency Statement Section 5.
3. Applicability and relationship to the Terms of Service
3.1 When this Addendum applies
This Addendum is in effect from the moment you accept the Terms of Service, by incorporation as described in Section 1.3. The substantive obligations of this Addendum become operative whenever your use of the Service involves the processing of Personal Data of natural persons other than yourself. In practice, this includes circumstances such as:
- Uploading customer lists, end-user records, or other Personal Data into a Blueprint for prototyping or generation purposes;
- Building or generating an app that, when deployed, will process Personal Data of its own end-users, where any Personal Data of those end-users passes through Toolum during the build process;
- Submitting prompts that contain Personal Data of identified or identifiable third parties;
- Using Toolum on behalf of a commercial client or employer whose underlying data processing activities relate to Personal Data of Data Subjects, where any of that Personal Data flows through Toolum.
Whether your use of Toolum falls within the substantive scope of this Addendum is determined by what you actually do with the Service. The protections in this Addendum are available to you and to your Data Subjects in any case where the processing relationship arises, without any further activation step.
3.2 Processing not covered by this Addendum
This Addendum does not govern the following processing activities:
- Processing of Personal Data about you, the Builder, in your capacity as a Toolum customer (Account Information, billing data, usage telemetry about your sessions, technical and device information about your devices, communications you send to Toolum support). That processing is governed by our Privacy Policy, under which Toolum acts as Controller in its own right.
- Processing of Personal Data that you submit to the Service but that does not identify or relate to any natural person other than yourself.
- Processing of synthetic, fictional, or fully anonymized data that does not constitute Personal Data within the meaning of GDPR Article 4(1).
The carve-out above does not "switch off" the Addendum — the Addendum remains in effect by virtue of your acceptance of the Terms of Service (Section 1.3). It simply identifies the processing activities to which the Addendum's substantive obligations do not extend, because the controller-to-processor relationship described here does not arise.
3.3 Relationship to the Terms of Service
This Addendum is incorporated into the Terms of Service by reference and forms part of the contract between you and Toolum. The provisions of the Terms of Service that relate to Service availability, pricing, suspension and termination, intellectual property in your Customer Content, force majeure, governing law, and other general matters continue to apply to your use of the Service. This Addendum supplements those provisions for the specific subject of Personal Data processing in your controller capacity, and prevails over the Terms of Service on that subject in the event of any conflict, as required by GDPR Article 28(3).
The liability provisions in the Terms of Service Section 19, including the carve-out in Section 19.3 for breach of data protection obligations and its specific cap (twenty-four months of fees paid to Toolum preceding the breach, with a floor of one hundred euros), apply to liability arising under this Addendum. See Section 15 below.
4. Description of the processing
This section identifies, at the level required by GDPR Article 28(3)(a), what Personal Data Toolum processes under your controller authority, who the Data Subjects are, what the processing operations consist of, and how long the Personal Data is retained.
4.1 Categories of Personal Data
The categories of Personal Data that Toolum processes on your behalf when you act as Controller are those that you choose to include in your prompts, your uploaded files, your project structures, and the Customer Content you generate through the Service. Toolum does not pre-select or limit the categories; the scope of categories is determined by what you submit.
In practice, Builder Personal Data may include, without limitation:
- Identifiers (names, usernames, account IDs, email addresses, profile photos);
- Contact information (postal addresses, phone numbers);
- Authentication artifacts that you choose to include in prompts or files (note: we strongly recommend you redact passwords, tokens, and credentials before submission);
- Demographic information (age, gender, language, country);
- Transactional or behavioral data about end-users of the apps you are building;
- Free-text content authored by or about Data Subjects (reviews, feedback, support messages, sample testimonials);
- Visual content (uploaded images that may depict identifiable persons);
- Any other information that you choose to incorporate into your Blueprint.
The detailed inventory of categories under this Addendum, for the purposes of GDPR Article 28(3) and the Standard Contractual Clauses, is set out in Annex I.A. Annex I.A reflects the general categories that Toolum processes; the specific Personal Data within those categories is determined by what you, as Controller, submit.
4.2 Categories of Data Subjects
The Data Subjects whose Personal Data may be processed under this Addendum are those whose information you choose to submit to or generate through the Service. Depending on the nature of your use, this may include:
- End-users or prospective end-users of the apps you are building with Toolum;
- Customers, prospects, or business contacts of yourself or of a client you act on behalf of;
- Employees, contractors, or other personnel whose information you process for HR, productivity, or related purposes;
- Sample or test data sets representing fictional personas — to the extent any element of such sets relates to an identifiable real person rather than to a fully synthetic record;
- Any other natural persons whose Personal Data you include in your prompts, files, or generated outputs.
The detailed inventory of Data Subject categories under this Addendum is set out in Annex I.A.
4.3 Processing operations
The processing operations carried out by Toolum on your behalf in respect of Builder Personal Data include:
- Collection. Receiving Personal Data when you submit it through the Service (prompt submission, file upload, project import, API call).
- Storage. Holding the Personal Data on Toolum's infrastructure for the duration of your active subscription and the retention windows that follow.
- Transmission to AI providers. Sending the Personal Data, as part of prompts and project context, to the AI inference providers identified in Annex III, for the purpose of generating outputs in response to your requests. The detailed flow is described in the AI Transparency Statement Section 4.
- Generation of outputs. Returning AI-generated outputs that incorporate, refer to, or derive from the Personal Data you submitted.
- Rendering. Displaying the Personal Data to you and to other users you have authorized to access the relevant Blueprint.
- Export. Delivering Personal Data to you in exportable form (code archive, Git push, file download) when you exercise the Code Export Entitlement under the Terms of Service Section 9.
- Backup. Replicating the Personal Data across backup systems for operational resilience, on the cycle described in our Privacy Policy Section 8.
- Deletion. Removing the Personal Data on the schedule set out in our Privacy Policy Section 8 and in Section 14 below.
Toolum does not carry out processing operations on Builder Personal Data beyond those described above, except where required by your documented instructions in accordance with Section 6.1 or by a legal obligation in accordance with Section 6.2.
4.4 Retention
Builder Personal Data is retained for the periods set out in our Privacy Policy Section 8, applied to the relevant categories. The headline rule is that Builder Personal Data is retained for the duration of your active subscription plus the per-category retention windows that follow account closure. The retention table in the Privacy Policy is the authoritative reference for the timing of each category.
Where you instruct Toolum to delete Builder Personal Data sooner than the default retention period — for example, in response to a Data Subject erasure request you have received — Toolum will action the deletion in accordance with Section 14 below and Section 9 of this Addendum.
5. Controller's obligations and instructions
This Addendum operates on the premise that you, as Controller, are responsible for the lawfulness and the legitimate basis of the processing that you carry out through Toolum. Toolum, as Processor, performs the processing on your documented instructions and applies the safeguards described in this Addendum, but the underlying compliance with the GDPR's Controller-side obligations rests with you.
5.1 Your warranties as Controller
By using Toolum to process Builder Personal Data under this Addendum, you warrant that:
- You have a valid legal basis under GDPR Article 6 (and, where applicable, Article 9) for each processing operation you carry out through the Service;
- You have provided Data Subjects with all the information required under GDPR Articles 13 and 14, in respect of the processing carried out through Toolum, before any Personal Data of those Data Subjects is submitted to the Service;
- You have honored any prior data subject rights requests under GDPR Articles 15 through 22 that relate to the Personal Data you submit, such that the data you provide to Toolum reflects the current state of any rectifications, erasures, or restrictions previously requested;
- You have lawful authority to transfer the Personal Data to Toolum for processing under this Addendum; and
- Your use of Toolum, and the use of the Personal Data you submit, complies with your own privacy notices, internal data protection policies, and any contractual obligations you owe to third parties.
5.2 Your instructions to Toolum
The documented instructions on which Toolum processes Builder Personal Data are:
- The terms of this Addendum;
- The terms of the Terms of Service to the extent they relate to Service functionality;
- The configuration choices you make through the Service (project settings, retention overrides where the Service exposes them, AI provider routing preferences where applicable);
- Any specific further instructions you provide to Toolum in writing to info@toolum.ai.
If you provide a further written instruction that Toolum reasonably believes infringes the GDPR or any other applicable data protection law, Toolum will inform you of that view promptly and may suspend processing of the relevant instruction until the matter is resolved. This reservation does not relieve you of your obligations as Controller, including any obligation to vary the instruction so that it complies with applicable law.
5.3 Personal Data of others — your accountability
You are accountable to your Data Subjects, to Supervisory Authorities, and to any third parties whose Personal Data you handle through Toolum, for the lawfulness and the legitimacy of the processing you direct. Toolum performs the processing operations identified in Section 4.3 on your instructions and within the framework of this Addendum, but Toolum does not assess the legitimacy of the underlying processing relationships you have with Data Subjects. That assessment is yours.
6. Toolum's obligations as Processor
This section sets out Toolum's substantive commitments as Processor under GDPR Article 28(3). The provisions below are the operative covenants by which the Article 28 requirements are met.
6.1 Processing on documented instructions
Toolum processes Builder Personal Data only on your documented instructions, as identified in Section 5.2. Toolum does not process Builder Personal Data for any purpose other than to perform the Service for you, except where Toolum is required to do so by EU or Member State law to which it is subject, in which case Section 6.2 applies.
If Toolum becomes aware that an instruction you have given would, in Toolum's reasonable view, cause processing that infringes the GDPR or any other applicable data protection law, Toolum will inform you of that view promptly under Section 5.2, and may suspend processing of the relevant instruction until you have confirmed your instruction in writing or provided a varied instruction that addresses the concern.
6.2 Processing required by law
Where Toolum is required by EU or Member State law to process Builder Personal Data in a manner that goes beyond your documented instructions — for example, in response to a binding court order or to comply with a regulatory obligation — Toolum will, before carrying out the further processing, inform you of the legal requirement, unless the law itself prohibits such notification on important grounds of public interest. In that exceptional case, Toolum's notification to you will be deferred until the prohibition no longer applies and will include the reason for the deferral.
Toolum verifies the lawfulness of any binding legal request it receives before complying with it, in accordance with the procedure described in our Privacy Policy Section 6.2. Where the law allows, Toolum will narrow the scope of disclosure to what the request actually requires.
6.3 Confidentiality
Toolum ensures that persons authorized to process Builder Personal Data on Toolum's behalf — Toolum's own personnel, where any, and the personnel of its Subprocessors — are bound by appropriate confidentiality obligations, either through a contractual duty of confidentiality or through a statutory duty equivalent in scope.
The confidentiality obligations apply during the period of authorization and continue after the authorization ends, for the periods set out in the relevant contracts of employment, service, or engagement.
6.4 Security
Toolum implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing under this Addendum, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
The measures Toolum currently applies are described in Annex II.
The full description of how Toolum protects Personal Data more generally, including the network controls, the secrets management, the logging practices, and the dependency hygiene that supports the Annex II measures, is in our Privacy Policy Section 9.
6.5 Subprocessing
Toolum engages Subprocessors to deliver the Service. The current list of Subprocessors is set out in our Subprocessor List and is reproduced in Annex III. The substantive framework for Subprocessor engagement, including your general written authorization for Toolum to engage and to change Subprocessors, is in Section 7 of this Addendum.
6.6 Assistance with Data Subject rights
Toolum provides reasonable assistance to you, by appropriate technical and organizational measures, in fulfilling your obligation to respond to requests from Data Subjects exercising their rights under GDPR Articles 15 through 22. The substantive framework for this assistance is in Section 9 of this Addendum.
6.7 Assistance with broader Controller obligations
Toolum assists you in ensuring compliance with the obligations set out in GDPR Articles 32 through 36 — security of processing, notification of Personal Data Breaches to the Supervisory Authority, communication of Personal Data Breaches to Data Subjects, data protection impact assessments, and prior consultation with the Supervisory Authority — taking into account the nature of the processing and the information available to Toolum.
The Personal Data Breach notification framework is in Section 10 of this Addendum. For data protection impact assessments under GDPR Article 35, Toolum makes available the information set out in this Addendum and in the documents it cross-references (in particular Annex I, Annex II, the Privacy Policy, the Subprocessor List, and the AI Transparency Statement). On reasonable written request to info@toolum.ai, Toolum will respond to specific further questions about its processing under this Addendum to the extent necessary for your assessment.
6.8 Deletion or return at end of services
On termination of your use of the Service for any reason, Toolum deletes or, at your option, returns Builder Personal Data to you, in accordance with Section 14 of this Addendum.
6.9 Information and audit cooperation
Toolum makes available to you the information necessary to demonstrate compliance with the obligations set out in this Addendum, and contributes to audits in the manner described in Section 12 of this Addendum.
7. Subprocessors
7.1 General written authorization
You authorize Toolum to engage the Subprocessors listed in Annex III at the date of this Addendum, and to engage further Subprocessors in accordance with this Section 7. This authorization is your general written authorization within the meaning of GDPR Article 28(2).
7.2 Toolum's commitments when engaging Subprocessors
When Toolum engages a Subprocessor to process Builder Personal Data, Toolum:
- Enters into a written contract with the Subprocessor that imposes data protection obligations substantially equivalent to those set out in this Addendum, including (without limitation) processing only on documented instructions, confidentiality, security, assistance with Data Subject rights, breach notification, and deletion or return at end of services;
- Assesses the Subprocessor's data protection capability and security posture before engagement, on the basis of the criteria described in our Subprocessor List Section 4;
- Where the Subprocessor is established outside the European Economic Area, ensures that the international transfer of Personal Data to that Subprocessor is governed by one of the transfer mechanisms permitted under GDPR Chapter V (see Section 8);
- Remains fully liable to you for the performance of the Subprocessor's obligations, in accordance with GDPR Article 28(4).
7.3 Notice of Subprocessor changes
When Toolum proposes to engage a new Subprocessor that will process Builder Personal Data, or to replace an existing Subprocessor that processes Builder Personal Data, Toolum notifies you in advance through one of the following channels at least fourteen (14) days before the change takes effect:
- An update to the Subprocessor List page on the Toolum site;
- An email to the address on your Toolum account; or
- An in-product notification.
For changes involving Subprocessors handling sensitive categories of data (payment processing, AI inference involving your prompts, and similar high-impact categories), Toolum will use at least the email channel above, regardless of which other channels it also uses.
7.4 Your right to object
If, on reasonable grounds related to data protection, you object to a proposed Subprocessor change before it takes effect, you may notify Toolum of your objection in writing to info@toolum.ai during the notice period.
If your objection cannot be resolved through reasonable discussion within a further fourteen (14) days, you may terminate your Toolum subscription, in which case:
- The portion of your AI Credit Bundle for the current Subscription Period that remains unused is refunded on a pro-rata basis, in accordance with our Refund Policy Section 3.1;
- Your Code Export Entitlement remains available to you during the thirty-day post-termination Export window described in the Terms of Service Section 15.6.
This objection right does not limit any other right you have under this Addendum or under applicable data protection law.
7.5 Annex III is the authoritative list
Annex III at the end of this Addendum lists the Subprocessors engaged at the date of execution of this Addendum. The Subprocessor List is the living version of this inventory and reflects the current Subprocessors engaged by Toolum at any given time. Where Annex III and the Subprocessor List differ, the Subprocessor List prevails on the question of which Subprocessors Toolum currently engages; this Addendum continues to apply to processing carried out through any Subprocessor properly engaged in accordance with Sections 7.1 through 7.4.
8. International transfers
Some of the Subprocessors Toolum engages process Personal Data outside the European Economic Area, in particular in the United States. Transfers to those Subprocessors are governed by valid transfer mechanisms under GDPR Chapter V, as described in this Section.
8.1 EU-US Data Privacy Framework
Each of the United States-based Subprocessors identified in Annex III as relying on the EU-US Data Privacy Framework (currently Anthropic, OpenAI, Google, Cloudflare, and Resend) is self-certified under the EU-US Data Privacy Framework. The European Commission's adequacy decision for the DPF (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) recognizes that transfers of Personal Data from the EEA to organizations self-certified under the DPF enjoy an adequate level of protection.
You can verify each Subprocessor's current DPF certification status on the official Data Privacy Framework list at https://www.dataprivacyframework.gov. When checking an entry, confirm that its status is shown as active and that the certification covers non-HR data, which is the category relevant to the transfers described in this Section.
8.2 Standard Contractual Clauses
In parallel with reliance on the DPF, Toolum's contracts with each US-based Subprocessor incorporate the European Commission's Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, under the module that matches Toolum's role as a processor engaging a further processor (Module Three, processor to processor).
The SCCs operate as a contingency safeguard for the situation where the DPF adequacy decision is invalidated by a court of competent jurisdiction, repealed or suspended by the European Commission, or where the relevant Subprocessor withdraws from or loses its DPF certification. If the DPF ceases to provide a valid basis for any transfer to which it applies, the SCCs continue to govern that transfer without further action being required from you.
8.3 Transfer mechanism by Subprocessor
The applicable transfer mechanism for each Subprocessor engaged by Toolum is identified in Annex III.
8.4 Onward transfers
The Subprocessors engaged by Toolum may, in turn, engage their own sub-processors for the purposes of delivering their services. Each Toolum Subprocessor is contractually required to apply substantially equivalent data protection terms to any onward transfer of Personal Data, including DPF certification or SCCs for onward transfers outside the EEA.
The transparency commitments of each Subprocessor in respect of its own sub-processors are governed by that Subprocessor's published policies, which Toolum monitors for material changes.
8.5 Transfer impact assessment
Toolum maintains an internal transfer impact assessment for each Subprocessor that processes Personal Data outside the EEA. The assessment considers, in respect of each US-based Subprocessor:
- The applicable legal framework in the destination country, including the relevant aspects of US surveillance law as analyzed in the European Commission's adequacy decision;
- The Subprocessor's published transparency reports concerning government data requests;
- The Subprocessor's contractual commitments concerning notifications, narrow disclosure, and challenge of unlawful requests; and
- The supplementary safeguards Toolum applies in addition to the contractual safeguards required by the SCCs.
Toolum makes the substance of these assessments available to you on reasonable written request to info@toolum.ai, subject to the confidentiality obligations Toolum owes to its Subprocessors. Enterprise Builders with specific assessment requirements should describe the scope of the requested documentation in their request.
8.6 Your right to transfer documentation
You may request copies of the transfer-related documentation Toolum holds — the relevant Subprocessor's DPF certification listing, the executed Standard Contractual Clauses, the substance of the transfer impact assessment — by writing to info@toolum.ai. Toolum will provide what it can without breaching confidentiality obligations to its Subprocessors. The right in this Section 8.6 is in addition to, and does not limit, your audit rights under Section 12.
9. Data Subject rights assistance
Data Subjects whose Personal Data you process through Toolum retain their rights under the GDPR. When they exercise those rights, you, as Controller, are responsible for responding to them on the merits.
Toolum's role in this Section is to forward misdirected requests to you and to action specific operations on your instruction. Toolum does not respond to Data Subjects on the merits, and does not act as your customer service representative.
9.1 Forwarding requests received by Toolum
If a Data Subject contacts Toolum directly with a request that, on its face, concerns Personal Data processed under your Controller authority, Toolum will:
- Inform the Data Subject that Toolum acts as Processor and not as Controller for that Personal Data, and direct the Data Subject to address the request to you;
- Provide the Data Subject with the publicly available contact information for the Controller as it appears on the relevant Toolum surface;
- Notify you that such a request has been received, through the email address on your Toolum account, so that you can engage with the Data Subject directly.
Toolum will not respond to the Data Subject on the merits, will not investigate the substance of the request, and will not attempt to identify the specific Personal Data the request concerns. Those activities are the Controller's responsibility.
9.2 Tools and on-request operations
Taking into account the nature of the processing and the information available to Toolum, Toolum supports your response to Data Subject requests through two mechanisms.
The first mechanism is the self-service tools in the Service, which expose functionality for you to retrieve, review, correct, export, and delete the Personal Data you hold within your Blueprints. For the rights of access (GDPR Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), and portability (Article 20), the self-service tools are the primary mechanism by which you respond. The Code Export Entitlement in our Terms of Service Section 9 provides structured, machine-readable export of Blueprint contents in support of portability requests, where your tier includes that Entitlement.
The second mechanism is on-request operations on your written instruction, where a Data Subject request cannot be fulfilled through self-service tools — for example, deletion across backup systems, or retrieval of specific records from Toolum's infrastructure that you cannot reach through the editor. You write to info@toolum.ai with a clearly-scoped request, and Toolum actions it on your behalf as Processor. Toolum acts on your instruction, not on the Data Subject's instruction; the underlying request from the Data Subject is yours to evaluate and to honor.
For the right to object (GDPR Article 21) and the right not to be subject to solely automated decisions (Article 22), Toolum's processing under this Addendum is carried out on your instructions and on the Controller-defined basis you have set. Objections and Article 22 review requests are addressed to you, not to Toolum, in this capacity.
9.3 Timeline for assistance
Where you instruct Toolum to action a Data Subject request through the on-request mechanism in Section 9.2 above, Toolum aims to respond in a manner that allows you to meet the one-month deadline under GDPR Article 12(3).
For straightforward operational requests — data retrieval from a specific Blueprint, deletion of identified records — Toolum will action the request within fourteen (14) calendar days of receiving it.
For requests that require broader investigation or that involve backup or audit-log systems, Toolum will provide an initial substantive response within the same window and complete the action as soon as reasonably practicable thereafter.
9.4 No additional fees for assistance
Toolum does not charge for the assistance described in this Section 9 in connection with reasonable, properly-scoped requests.
For requests that are manifestly unfounded or excessive — repetitive requests for the same Personal Data, or requests that are not in fact related to a genuine Data Subject right exercise — Toolum may, in line with GDPR Article 12(5), charge a reasonable fee based on administrative costs or decline to act, with notification to you of the basis for the decision.
10. Personal Data breach notification
Toolum maintains procedures to identify, contain, and respond to Personal Data Breaches affecting Builder Personal Data processed under this Addendum. This Section describes Toolum's notification commitments to you when such a breach occurs.
10.1 Toolum's notification to you
If Toolum becomes aware of a Personal Data Breach affecting Builder Personal Data, Toolum will notify you without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach. Toolum does not wait for its investigation to conclude before sending the initial notification; where the facts are still being established, the notification says so and is followed by the phased updates described below. The notification will be sent to the email address on your Toolum account and will include, to the extent the information is available at the time:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- The name and contact details of the Toolum point of contact for further information;
- A description of the likely consequences of the breach; and
- A description of the measures Toolum has taken, or proposes to take, to address the breach, including measures to mitigate its possible adverse effects.
Where it is not possible to provide all the information at the same time as the initial notification, the information will be provided in phases without undue further delay, in accordance with GDPR Article 33(4).
10.2 What does not count as a breach
Consistent with the definition of a Personal Data Breach in GDPR Article 4(12), the following events do not, in themselves, constitute a Personal Data Breach for the purposes of Section 10.1:
- Unsuccessful login attempts, port scans, and other network-level attacks that do not compromise the confidentiality, integrity, or availability of Personal Data;
- Pings, automated security probes, denial-of-service attempts, and similar activity that the network and security stack absorbs without loss of availability of, or other impact on, Personal Data;
- Internal incidents identified and contained before any Personal Data was accessed, altered, disclosed, lost, or destroyed.
The framework in Section 10.1 applies to events where the security of Personal Data has, in fact, been compromised within the meaning of GDPR Article 4(12). That includes a loss of availability: a denial-of-service attack that actually renders Personal Data inaccessible is assessed under Section 10.1 rather than treated as an excluded network-level event.
10.3 Your downstream notifications
The substantive obligations to notify the Supervisory Authority under GDPR Article 33 and the affected Data Subjects under GDPR Article 34 are obligations of the Controller. Toolum's role under this Addendum is to provide you with the information you need to discharge those obligations in a timely manner. Under the European Data Protection Board's breach notification guidance, a Controller is treated as aware of a breach once its Processor has informed it, so your own seventy-two-hour clock under Article 33(1) runs from Toolum's notification; the "without undue delay" commitment in Section 10.1 exists so that, in practice, Toolum's notification reaches you well inside the seventy-two-hour outer limit and does not consume the time you need to assess the breach.
10.4 Cooperation in breach response
Toolum cooperates with you in the response to a Personal Data Breach affecting Builder Personal Data, including by providing additional information on the cause, scope, and remediation of the breach on reasonable request, in a manner consistent with Toolum's confidentiality obligations to its Subprocessors and to law enforcement where the breach has been reported. Where the breach originated at a Subprocessor, Toolum coordinates with the Subprocessor on the response and relays the relevant information to you.
11. Security of processing
Toolum implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing under this Addendum. The measures Toolum applies are described in Annex II at the end of this document. The substantive security commitments below restate, in summary form, the core elements of Annex II.
11.1 Risk-appropriate measures
Toolum's security measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, as required by GDPR Article 32(1).
11.2 Pseudonymization and encryption of Personal Data
Personal Data in transit between you, Toolum, and Toolum's Subprocessors is encrypted using TLS 1.2 or higher. Personal Data at rest within Toolum's primary database is encrypted using industry-standard symmetric encryption. Authentication credentials (passwords) are stored as salted hashes, never in plain text.
11.3 Confidentiality, integrity, availability, and resilience
Toolum's infrastructure is designed to maintain the confidentiality, integrity, availability, and resilience of processing systems and services. The specific controls — least-privilege access, access reviews on personnel changes, secrets management, network controls, logging and monitoring, dependency hygiene — are described in our Privacy Policy Section 9 and in Annex II.
11.4 Restoration of availability and access to Personal Data
Toolum maintains backup procedures that allow the restoration of availability and access to Personal Data in a timely manner in the event of a physical or technical incident, in accordance with GDPR Article 32(1)(c).
11.5 Process for regularly testing, assessing, and evaluating effectiveness
Toolum conducts ongoing review of the technical and organizational measures it applies. Security advisories for software dependencies are tracked and acted on under a defined cadence. The substance of these reviews, together with any material changes to the Annex II measures, is reflected in updates to this Addendum and to the Privacy Policy that accompanies it.
11.6 Changes to the security measures
Toolum may update the technical and organizational measures described in Annex II from time to time, provided that the updated measures continue to ensure a level of security appropriate to the risk of the processing. Where a material change to the measures is made, Toolum will revise Annex II and update the "Last Updated" date at the top of this Addendum accordingly.
12. Information and audit rights
Toolum provides the information and audit cooperation required by GDPR Article 28(3)(h). This Section describes the operative mechanism.
12.1 Information availability
Toolum makes available to you the information necessary to demonstrate compliance with the obligations set out in this Addendum. The principal sources of that information are:
- This Addendum itself, which describes Toolum's processor commitments at the level required by Article 28(3);
- Our Privacy Policy, which describes Toolum's data handling practices at the level required by GDPR Articles 13 and 14;
- Our Subprocessor List, which describes the third-party services that process Builder Personal Data on Toolum's behalf;
- Our AI Transparency Statement, which describes the technical mechanics of AI processing on Toolum;
- Annex II of this Addendum, which describes the technical and organizational security measures Toolum applies.
On reasonable written request to info@toolum.ai, Toolum will respond to specific further questions about its processing under this Addendum to the extent necessary for you to demonstrate compliance with your own Controller obligations under the GDPR.
12.2 Audit cooperation
Where you, in your reasonable judgment, require independent audit cooperation that goes beyond the information disclosure in Section 12.1, Toolum will cooperate with such audit on the following terms:
- The audit is conducted by you or by an independent third-party auditor that you appoint, subject to a reasonable confidentiality undertaking acceptable to Toolum;
- The scope of the audit is limited to the processing of Personal Data carried out under this Addendum, and does not extend to information that is unrelated to that processing or that is subject to confidentiality obligations Toolum owes to third parties (including to its Subprocessors and to any law enforcement disclosure);
- Audit activity is scheduled with reasonable advance notice, conducted during normal business hours, and structured so as not to interrupt or materially impact the operation of the Service for Toolum or for other Builders;
- Audit activity does not include unaccompanied physical access to Toolum's premises or to its Subprocessors' premises; on-site access, where reasonably necessary, is arranged on a case-by-case basis with Toolum's agreement and on terms that protect the security of Toolum's operations and of other Builders' Personal Data;
- Toolum bears its own reasonable costs of cooperation; the costs of an audit beyond reasonable cooperation, including any fees of the third-party auditor you appoint, are your responsibility.
12.3 No present external certifications
For the avoidance of doubt and consistent with the information available to you at the time of accepting this Addendum, Toolum does not, at the date of this Addendum, hold a SOC 2 Type II report or an ISO 27001 certification covering its processing of Builder Personal Data. The audit cooperation framework in Section 12.2 is the operative mechanism by which audit-style assurance is provided to you.
Toolum will revise this Section 12.3 if and when it obtains a SOC 2 Type II report, an ISO 27001 certification, or any other independent third-party security assurance that is relevant to the processing under this Addendum.
12.4 Frequency of audits
You may exercise the audit cooperation right in Section 12.2 once per twelve-month period in the ordinary course. Additional audits within the same twelve-month period are available where a Personal Data Breach affecting Builder Personal Data has occurred, where a Supervisory Authority has directed an audit, or where there is other reasonable cause for an out-of-cycle audit.
13. Term and termination
13.1 Term
This Addendum takes effect from the moment you accept the Terms of Service in accordance with Section 1.3, and continues in effect for the duration of your use of the Service.
13.2 Termination
This Addendum terminates automatically:
- When the Terms of Service between you and Toolum terminate for any reason, including the reasons set out in the Terms of Service Section 15;
- When you close your Toolum account in accordance with the Terms of Service Section 15.1; or
- When this Addendum is replaced by a successor version in accordance with Section 16.4.
13.3 Survival
The provisions of this Addendum that, by their nature, are intended to survive termination continue to apply for the period necessary to give them effect. These include:
- Section 6.1 (processing on documented instructions), to the extent of any residual processing during the retention windows that follow termination;
- Section 6.3 (confidentiality), for the periods set out in the relevant confidentiality undertakings;
- Section 10 (Personal Data breach notification), in respect of breaches affecting Personal Data that Toolum holds during any post-termination retention window;
- Section 12 (information and audit rights), in respect of processing carried out during the term of the Addendum;
- Section 14 (deletion or return at end of services), in respect of the actions to be carried out on termination;
- Section 15 (liability), in respect of liability accrued during the term;
- This Section 13.3 and Section 16 (miscellaneous).
14. Deletion or return of Personal Data
GDPR Article 28(3)(g) requires that, on termination of the processor relationship, the Personal Data be deleted or returned to the Controller at the Controller's choice. This Section is the operative implementation of that requirement.
14.1 Your choice
On termination of your use of the Service for any reason, you may instruct Toolum to either:
- Delete Builder Personal Data from Toolum's active systems; or
- Return Builder Personal Data to you in a structured, commonly used, and machine-readable format, before deletion.
If you do not provide an explicit choice, Toolum will treat the absence of an instruction as a choice to delete, in accordance with Section 14.2.
14.2 Deletion timeline
Where you choose deletion or do not provide an instruction, Toolum deletes Builder Personal Data from active systems within thirty (30) days of the termination event. This timeline accommodates a brief operational reversal window in case the termination was made in error and the account is restored within that window. The thirty-day window is the same window described in our Privacy Policy Section 8.1.
Builder Personal Data held in backup systems is deleted on the backup-cycle schedule documented in our Privacy Policy Section 8. During the backup retention window, Builder Personal Data remains encrypted, is not used for any purpose other than backup integrity, and is overwritten on the cycle described.
14.3 Return path
Where you choose return, Toolum makes Builder Personal Data available to you in a structured, commonly used, and machine-readable format through the Code Export Entitlement in the Terms of Service Section 9, if your tier includes it, or through a one-time export on reasonable written request to info@toolum.ai, if your tier does not include the standing Code Export Entitlement and you make the request within the thirty-day post-termination window described in the Terms of Service Section 15.6.
14.4 Retention required by law
Where Toolum is required by EU or Member State law to retain certain Personal Data beyond the deletion timeline in Section 14.2 — for example, payment-related Personal Data subject to the Cyprus tax-record retention obligations described in our Privacy Policy Section 8.1 — the retained Personal Data is held only for the specific legal purpose and only for the specific period required. The terms of this Addendum continue to apply to the retained Personal Data for the duration of the required retention period.
14.5 Confirmation of deletion
On reasonable written request to info@toolum.ai after the deletion timeline in Section 14.2 has elapsed, Toolum will provide written confirmation that the deletion has been completed, identifying the date of completion and noting any Personal Data that has been retained under Section 14.4 together with the legal basis and the projected end date of the retention.
15. Liability
Liability under this Addendum is governed by the framework in the Terms of Service, as supplemented by this Section 15.
15.1 The Terms of Service liability framework applies
The exclusion of consequential damages in the Terms of Service Section 19.1, the aggregate liability cap in Section 19.2, the carve-outs from the cap in Section 19.3, the Beta features liability cap in Section 19.4, the statutory rights preservation in Section 19.5, and the allocation of risk in Section 19.6 all apply to liability arising under this Addendum.
15.2 Data protection breach carve-out
The specific carve-out in the Terms of Service Section 19.3 for liability arising from Toolum's breach of its data protection obligations under this Addendum and under our Privacy Policy applies. That carve-out provides:
- Liability for breach of data protection obligations is subject to a separate cap of twenty-four (24) months of fees paid to Toolum preceding the breach;
- The separate cap is floored at one hundred euros (€100), so that liability for a breach affecting a Builder who has paid Toolum nothing or very little in the preceding period is not reduced to nominal amounts;
- Liability arising from fraud, willful misconduct, or gross negligence is not capped at all;
- Liability that cannot be limited or excluded under applicable consumer protection law is not capped at all.
15.3 Indemnification framework
The mutual indemnification provisions in the Terms of Service Section 20 apply to claims arising from the processing under this Addendum. In particular, the indemnification obligations in the Terms of Service Section 20.4 (your obligation to defend Toolum against third-party claims arising from your processing of Personal Data of others through Toolum in violation of the GDPR or other applicable data protection law) operate as part of the broader allocation of responsibility in this Addendum.
15.4 Statutory rights preservation
Nothing in this Section 15 limits or excludes any liability that cannot be limited or excluded under applicable consumer protection law or under the GDPR itself, including liability that Article 82 of the GDPR makes non-excludable as between Controller and Processor.
16. Miscellaneous
16.1 Order of precedence
If there is any conflict between the provisions of this Addendum and the Terms of Service or any other document referenced in this Addendum, this Addendum prevails on matters of Personal Data processing carried out under your Controller authority, as required by GDPR Article 28(3). On all other matters, the Terms of Service prevail.
If there is any conflict between the body of this Addendum and the Annexes, the body of the Addendum prevails on the interpretation of the substantive obligations; the Annexes prevail on the descriptions of processing, categories of Personal Data, security measures, and Subprocessors that the Annexes specifically address.
16.2 Governing law and jurisdiction
This Addendum is governed by the laws of the Republic of Cyprus and is subject to the jurisdiction and dispute resolution provisions of the Terms of Service Section 21, including the preservation of mandatory consumer protection law of your country of habitual residence within the European Union under Section 21.2.
16.3 Severability
If any provision of this Addendum is held to be invalid, illegal, or unenforceable in any jurisdiction, the validity, legality, and enforceability of the remaining provisions are not affected. The invalid provision shall be interpreted, modified, or replaced (to the minimum extent necessary) so as to give effect to the parties' original intent as nearly as possible, and the remaining provisions continue in full force and effect.
16.4 Changes to this Addendum
Toolum may update this Addendum from time to time, in accordance with the procedure for material changes to the Terms of Service Section 23. Where a material change to this Addendum is published, Toolum provides at least fourteen (14) days advance notice through the channels described in the Terms of Service Section 23.2.
For non-material changes — corrections of typographical errors, clarifications of existing language, structural improvements that do not change substantive meaning, updates to Annex III to reflect Subprocessor changes notified under Section 7.3 — Toolum updates this Addendum by revising the "Last Updated" date at the top, without separate notice.
Historic versions of this Addendum are available at their dated URLs under /legal/dpa/<date> and preserved in our public repository, so that you can review the version of the Addendum that applied at any given point in time.
16.5 Language
The governing language of this Addendum is English. Toolum may make translations of this Addendum available in good faith for the convenience of Builders whose primary language is not English. In case of conflict between the English version and any translation, the English version controls.
Where Cyprus law or the consumer protection law of your country of habitual residence requires that a contract be made available in a specific language, your right to receive the document in that language is preserved.
16.6 Entire agreement
This Addendum, together with the Terms of Service and the documents cross-referenced in Section 1.4, constitutes the entire agreement between you and Toolum with respect to the processing of Builder Personal Data under your Controller authority. Prior agreements, communications, or understandings on the same subject matter, written or oral, are superseded.
16.7 Contact
For any question about this Addendum, about how Toolum processes Personal Data on your behalf, or to provide written instructions under Section 5.2:
Toolum
Kirill Maximenko (Cyprus self-employed entity)
Tax Identification Number: 60056031S
Address: 3 Evagora Pitali, 4040 Germasogeia, Limassol, Cyprus
Email: info@toolum.ai
For complaints relating to the processing of Personal Data by Toolum, the lead Supervisory Authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, the contact details for which are in our Privacy Policy Section 10.4.
Annex I.A — Description of the processing
This Annex describes the processing of Personal Data carried out by Toolum on the Builder's behalf under this Addendum, at the level required by GDPR Article 28(3) and by the Standard Contractual Clauses Module Two.
Categories of Data Subjects. The categories of Data Subjects whose Personal Data may be processed under this Addendum are determined by what the Builder, as Controller, chooses to submit to or generate through the Service. Typical categories include:
- End-users or prospective end-users of the apps that the Builder is building with Toolum;
- Customers, prospects, or business contacts of the Builder or of a client the Builder acts on behalf of;
- Employees, contractors, or other personnel whose information the Builder processes for HR, productivity, or related purposes;
- Sample or test data sets representing fictional personas, to the extent any element of such sets relates to an identifiable real person rather than to a fully synthetic record;
- Any other natural persons whose Personal Data the Builder includes in prompts, files, or generated outputs.
Categories of Personal Data. The categories of Personal Data that may be processed under this Addendum are determined by what the Builder submits in prompts, files, project structures, and Customer Content. Typical categories include:
- Identifiers (names, usernames, account IDs, email addresses, profile photos);
- Contact information (postal addresses, phone numbers);
- Authentication artifacts that the Builder chooses to include in prompts or files (the Builder is strongly advised to redact passwords, tokens, and credentials before submission);
- Demographic information (age, gender, language, country);
- Transactional or behavioral data about end-users of the apps the Builder is building;
- Free-text content authored by or about Data Subjects (reviews, feedback, support messages, sample testimonials);
- Visual content (uploaded images that may depict identifiable persons);
- Any other information that the Builder chooses to incorporate into a Blueprint.
For the avoidance of doubt, this Annex does not cover Personal Data processed by Toolum as Controller in its own right (Builder account data, billing data, usage telemetry about the Builder's sessions, technical and device information about the Builder's devices, communications the Builder sends to Toolum support). That processing is governed by our Privacy Policy.
Special categories of Personal Data. The Service is not intended to process special categories of Personal Data under GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), nor data relating to criminal convictions and offences under Article 10. If the Builder elects to process such categories through the Service, the Builder bears full responsibility for ensuring that the additional legal-basis requirements of Articles 9(2) and 10 are met and for any heightened security measures the nature of the data requires; Toolum's standard security measures (Annex II) apply but may not, on their own, be sufficient for the level of risk associated with such categories.
Frequency of processing. Processing under this Addendum is continuous for the duration of the Builder's use of the Service. Specific processing events (prompt submission, file upload, Code Export, deletion) occur on demand triggered by the Builder.
Nature of the processing. The nature of the processing is the operation of an AI-powered no-code builder for digital products, as described in the Terms of Service Section 1.3 and the AI Transparency Statement Section 2.
Purpose of the processing. The purpose of the processing is to enable the Builder to design and generate digital products through Toolum, including any AI-generated outputs, code exports, and Blueprint operations that involve Personal Data the Builder has chosen to incorporate into the Builder's work.
Duration of the processing. The duration of the processing is the period of the Builder's active use of the Service, plus the retention windows that follow account closure or other termination, as set out in our Privacy Policy Section 8 and in Section 14 of this Addendum.
Annex I.B — Subject matter and parties
| Field | Description |
|---|---|
| Subject matter | Processing of Personal Data of natural persons other than the Builder, in the context of the Builder's use of the Toolum Service. The detailed description of the processing is in Annex I.A. |
| Duration | The period of the Builder's active use of the Service, plus the retention windows following termination, in accordance with Section 14 of this Addendum and our Privacy Policy Section 8. |
| Data Exporter (Controller) | The Builder — the natural or legal person who has accepted the Terms of Service, holds an active Toolum account, and uses the Service to process Personal Data of natural persons other than the Builder. |
| Data Importer (Processor) | Toolum — Kirill Maximenko (Cyprus self-employed entity, TIN 60056031S), 3 Evagora Pitali, 4040 Germasogeia, Limassol, Cyprus. Contact: info@toolum.ai. |
| Competent Supervisory Authority | Office of the Commissioner for Personal Data Protection of the Republic of Cyprus. Office address: Kypranoros 15, 1061 Nicosia, Cyprus. Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus. Telephone: +357 22 818456. Email: commissioner@dataprotection.gov.cy. Website: https://www.dataprotection.gov.cy. |
For onward transfers of Personal Data from Toolum to Subprocessors outside the European Economic Area, the transfer mechanism and the relevant data importer are identified in Annex III.
Annex II — Technical and organizational measures
This Annex describes the technical and organizational measures that Toolum applies to ensure a level of security appropriate to the risk of the processing under this Addendum, at the level required by GDPR Article 32 and by the Standard Contractual Clauses Module Two. The measures below are current as of the "Last Updated" date at the top of this Addendum and are reviewed on an ongoing basis as described in Section 11.5.
Encryption of Personal Data
- Personal Data in transit between the Builder, Toolum, and Toolum's Subprocessors is encrypted using Transport Layer Security (TLS) version 1.2 or higher.
- Personal Data at rest within Toolum's primary database is encrypted using industry-standard symmetric encryption applied at the storage layer by the database provider.
- Authentication credentials (passwords) are never stored in plain text. Passwords are stored as salted hashes computed with a recognized password-hashing algorithm.
Ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Production services are deployed behind a content delivery network and edge protection layer that mitigates denial-of-service attempts and filters known malicious traffic.
- Authentication events, administrative actions, and unusual access patterns are logged for review and incident response.
- Backup systems support the restoration of availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
Restoration of availability and access to Personal Data in the event of an incident
- Toolum maintains backup procedures that replicate Personal Data across infrastructure for operational resilience.
- The backup retention window and the deletion cycle that applies after the active retention period ends are documented in our Privacy Policy Section 8.
Process for regularly testing, assessing, and evaluating effectiveness
- Security advisories for the software dependencies on which Toolum's infrastructure depends are tracked and acted on under a defined cadence.
- The substance of the security measures is reviewed on an ongoing basis, and material changes are reflected in updates to this Annex II and to our Privacy Policy Section 9.
Access control
- Access to production systems containing Personal Data is restricted to the minimum personnel necessary to operate and support the Service.
- Personnel access to Personal Data is reviewed periodically and revoked promptly on role change.
- API keys, signing keys, and other secrets that grant access to production systems are stored in environment variables on hardened infrastructure and are rotated when personnel with access to them change.
Confidentiality
- Personnel with access to Personal Data are subject to confidentiality obligations through their contracts of employment, service, or engagement, or through a statutory duty of equivalent scope.
- Confidentiality obligations apply during the period of authorization and continue after the authorization ends, for the periods set out in the relevant contracts.
Logging and monitoring
- Authentication events, administrative actions, and security-relevant operational events are logged centrally.
- Logs are retained for the period set out in our Privacy Policy Section 8.1 (audit and security logs: twelve months) and are reviewed for unusual patterns.
Subprocessor due diligence
- Each Subprocessor is assessed for its data protection capability and security posture before engagement, on the criteria described in our Subprocessor List Section 4.
- Subprocessor security posture is reviewed on an ongoing basis through the Subprocessor's published security documentation, certifications, and (where applicable) attestation reports.
Incident response
- Toolum maintains procedures for identifying, containing, and remediating security incidents.
- The notification framework for Personal Data Breaches is in Section 10 of this Addendum.
Data minimization
- Toolum collects only the Personal Data needed to deliver the Service, to comply with the law, or to fulfill the Builder's request, in accordance with the Controller-Processor framework set out in this Addendum.
- The Service does not require legal names, government identifiers, or other sensitive Personal Data for account creation; the Builder controls what Personal Data is incorporated into Blueprints.
Configuration of AI inference providers
- Toolum has configured each AI inference provider (Anthropic, OpenAI, Google) to disable use of Builder data for model training or fine-tuning, in accordance with the provider's commercial API terms. The detailed configuration is described in our AI Transparency Statement Section 5.
Onward transfer safeguards
- For each Subprocessor that processes Personal Data outside the European Economic Area, Toolum maintains the transfer mechanism identified in Annex III (EU-US Data Privacy Framework certification, Standard Contractual Clauses Module Two, or other valid mechanism under GDPR Chapter V).
Annex III — Subprocessors
The following Subprocessors are engaged by Toolum at the "Last Updated" date of this Addendum. The authoritative current list, with any changes notified to the Builder under Section 7.3 of this Addendum, is maintained at our Subprocessor List.
A. AI inference providers
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 1 | Anthropic, Inc. | AI inference (Claude models — primary) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (Module Two). |
| 2 | OpenAI, Inc. | AI inference (GPT models — fallback) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (Module Two). |
| 3 | Google LLC (Google Cloud / Gemini API) | AI inference (Gemini models — fallback) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (Module Two). |
B. Infrastructure and platform services
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 4 | Supabase, Inc. | Database, authentication, file storage | Ireland (EU-West-1) | EU-internal — no third-country transfer. |
| 5 | MVPS.net | Application hosting (virtual private server) | Germany | EU-internal — no third-country transfer. |
| 6 | Cloudflare, Inc. | Content delivery, DDoS protection, DNS | Global edge network (EU edge for EU users) | EU-US Data Privacy Framework + Standard Contractual Clauses (Module Two). |
| 7 | Hostinger International Ltd. | Domain registrar | Cyprus | EU-internal — no third-country transfer. |
C. Communications and operations
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 8 | Resend, Inc. | Transactional email delivery | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (Module Two). |
| 9 | Stripe Payments Europe Ltd. | Payment processing, subscription billing | Ireland | EU-internal — no third-country transfer. |
Note on Stripe: Payment processing is not yet active. Stripe is listed here in advance of Toolum's payment system launch; until billing goes live, Toolum transmits no payment data to Stripe. The authoritative status is maintained in the Subprocessor List, which prevails as the living version of the inventory.
D. Analytics and observability
| # | Subprocessor | Role | Primary Location | Transfer Mechanism |
|---|---|---|---|---|
| 10 | PostHog Inc. (PostHog UK Ltd. for EU customers) | Product analytics, error tracking | Ireland (EU instance: eu.posthog.com) | EU-internal — no third-country transfer for EU-served data. |
Onward processing by Subprocessors. Each Subprocessor may engage its own sub-processors for the purposes of delivering its services to Toolum. Each Subprocessor is contractually required to apply substantially equivalent data protection terms to any onward transfer of Personal Data, including DPF certification or Standard Contractual Clauses for onward transfers outside the EEA.
Authoritative current list. The list above reflects the Subprocessors engaged at the date of this Addendum. Where this Annex III and the Subprocessor List differ on the identity of currently-engaged Subprocessors, the Subprocessor List prevails as the living version of the inventory.
This Data Processing Addendum is published by Toolum (Kirill Maximenko, Cyprus self-employed entity). It is incorporated by reference into the Terms of Service and applies to processing of Personal Data of natural persons other than the Builder carried out through the Service. Where this Addendum and any other Toolum document conflict on a matter of Personal Data processing carried out under the Builder's Controller authority, this Addendum prevails, as required by GDPR Article 28(3).
Document version 1.0. Effective June 5, 2026.