Data Processing Addendum

Last updated: 2026-04-30

1. The parties

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", acting as data controller) and the entity operating Telegram OS ("Processor", acting as data processor) for the provision of the Service.

2. Definitions

• Personal Data, Processing, Data Subject, Controller, Processor, and Sub-processor have the meanings given in the GDPR.
• Customer Personal Data means Personal Data the Processor processes on behalf of the Customer through the Service.
• Data Protection Laws means all applicable laws relating to Personal Data, including the GDPR, the UK GDPR, and the CCPA where relevant.

3. Scope and roles

For Customer Personal Data processed through the Service, the Customer is the Controller and the Processor is the Processor. The Processor will process Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do so by law.

4. Duration, nature, and purpose

• Duration: for the term of the Customer's subscription plus the retention windows defined in the Privacy Policy.
• Nature: hosting, processing, and transmitting Customer Personal Data to operate the Service the Customer has subscribed to.
• Purpose: to provide the operator platform: accounts, inbox, automation, analytics, marketplace, billing, and teams.

Categories of Data Subjects

• Customer's authorized users (operators, team members).
• Customer's contacts inside Telegram (counterparties to inbox conversations and automations).

Categories of Personal Data

• Identifiers: user IDs, usernames, phone numbers, email addresses.
• Account metadata: rented account state, health, trust level.
• Communication content: inbox messages, attachments.
• Telemetry: IP, user-agent on privileged actions.

5. Processor obligations

• Process Customer Personal Data only on the Customer's documented instructions.
• Ensure persons authorized to process Customer Personal Data are bound by confidentiality.
• Implement and maintain the technical and organizational measures described in the security page.
• Assist the Customer in fulfilling Data Subject rights requests.
• Notify the Customer without undue delay (and within 72 hours of becoming aware) of a Personal Data breach affecting Customer Personal Data.

6. Sub-processors

The Customer authorizes the Processor to engage Sub-processors to provide the Service. A current list is available on request via the contact page. The Processor will:

• Impose contractual terms on each Sub-processor that are no less protective than this DPA.
• Remain liable for the acts and omissions of its Sub-processors as if they were its own.
• Notify the Customer of any intended addition or replacement of a Sub-processor with at least 30 days' notice. The Customer may object on reasonable grounds.

7. International transfers

Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland, the parties rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and the UK International Data Transfer Addendum, with Module Two (Controller to Processor) deemed incorporated by reference.

8. Data Subject rights and assistance

Taking into account the nature of the Processing, the Processor will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling its obligations to respond to requests for exercising Data Subject rights (access, rectification, erasure, restriction, portability, objection).

9. Audits

The Processor will make available to the Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, conducted by the Customer or an independent auditor mandated by the Customer, no more than once per twelve-month period and on at least 30 days' written notice. Audit costs are borne by the Customer unless the audit reveals material non-compliance.

10. Security

The Processor maintains the technical and organizational measures described on the Security page, including tenant isolation, per-tenant session encryption, role-rank authorization guards, append-only audit logging, mandatory two-factor for staff with production access, and signed releases.

11. Return and deletion

On termination of the Service, the Processor will, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless retention is required by applicable law. Backups containing Customer Personal Data are purged on a rolling 30-day window.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Order of precedence

To the extent of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Customer Personal Data.

14. How to execute

For most customers, this online DPA is sufficient. If your compliance program requires a counter-signed copy, email dpo@telegramos.app with your entity name and we will return a counter-signed PDF within 5 business days.