DPA in two columns.
The legal version on the right; a plain-English version on the left of every clause. Both bind us. Both are versioned. Use either to brief your privacy team.
01 Definitions
The capitalised words in this DPA mean what they usually mean in privacy law (controller, processor, personal data, etc.). “Customer Data” is the data you put in Pulse; “Service” is everything Pulse provides.
“Applicable Data Protection Law” means GDPR (Regulation 2016/679), UK GDPR, the Swiss FADP, CCPA / CPRA, and any other privacy or data-protection law applicable to a party’s processing of Personal Data under this DPA.
“Customer Data” means Personal Data that Customer or Customer’s Authorised Users submit to or generate within the Service. “Service” means the Pulse hosted platform, MCP server, connectors, Skills runtime, and any related software made available to Customer under the Agreement.
02 Scope & roles of the parties
You are the data controller, Pulse is the processor. Pulse only handles your data on your instructions and only for the purpose of running the Service for you.
Customer is the Controller of Customer Data. Pulse is the Processor. Where Customer is itself a processor for an upstream controller, Pulse is a sub-processor and the obligations in this DPA flow through accordingly.
Pulse will Process Customer Data only (a) to provide and improve the Service for Customer; (b) on documented instructions from Customer; (c) as required by Applicable Law, in which case Pulse will inform Customer prior to processing unless prohibited.
03 Subject-matter and duration
Pulse processes your data for as long as your subscription is active, plus a 30-day wind-down for export and deletion.
The subject-matter, nature, and purpose of processing, the categories of Data Subjects, and the categories of Personal Data are set out in Annex I (Processing Details).
Processing continues for the term of the Agreement plus the Wind-Down Period (30 days from termination).
04 Customer instructions & lawful basis
You’re responsible for having a lawful basis to put your data in Pulse. We’re responsible for following your instructions and not doing anything sneaky with the data.
Customer warrants that it has all rights, consents, and lawful bases necessary to authorise Pulse’s processing of Customer Data as contemplated by the Agreement.
Pulse personnel authorised to process Customer Data are under written confidentiality obligations that survive termination of employment.
05 Security measures
Pulse implements the security measures described in Annex II: encryption, access control, audit logging, the policy engine, the no-training contracts with model providers, and so on.
Taking into account the state of the art, Pulse implements the technical and organisational measures set out in Annex II (TOMs) to ensure a level of security appropriate to the risk.
Pulse may update its TOMs from time to time, provided the updated TOMs do not materially decrease the protection of Customer Data.
06 Sub-processors
Pulse uses a small list of sub-processors (Vercel, Supabase, Anthropic, OpenAI, Resend), listed in Annex III. We give 30 days’ advance notice before adding a new one; you can object and exit if you don’t agree.
Customer authorises Pulse to engage Sub-processors to process Customer Data, subject to the conditions in this Clause 6 and the list in Annex III. Pulse will impose data-protection terms on Sub-processors no less protective than this DPA.
Pulse remains fully liable for the acts and omissions of its Sub-processors as if they were its own.
07 International transfer
If your data leaves the EU/UK (mostly, when it’s sent to model providers in the US), the EU Standard Contractual Clauses and the UK Addendum apply automatically. We layer technical safeguards on top: zero retention, encryption, access control.
Where Pulse transfers Personal Data from the EEA, Switzerland, or the UK to a country not subject to an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and the UK International Data Transfer Addendum (Version B1.0).
Customer is the data exporter; Pulse is the data importer. Annex I, II, and III of this DPA serve as Annex I, II, and III of the SCCs.
08 Data-subject rights & assistance
If a user asks for their data, asks for it to be deleted, etc., Pulse helps you respond. Most of the work happens through self-serve admin tools; for harder cases, our team helps.
Pulse provides Customer with the means, through the Service, to fulfil requests from Data Subjects to exercise rights under Applicable Data Protection Law.
Where a Data Subject contacts Pulse directly, Pulse will refer them to Customer, unless legally required to respond.
09 Personal-data breach notification
If we discover a breach affecting your data, we tell you within 24 hours, with the facts we know at that point, and we keep updating you as we learn more.
Pulse will notify Customer without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Customer Data, providing the information required by Article 33(3) GDPR to the extent then known.
10 Audit rights
You can audit Pulse’s processing by reviewing the security review pack we hand out today (architecture overview, threat model, sub-processor list). SOC 2 and ISO 27001 reports are on the post-launch roadmap and will be made available here once those audits complete. For Enterprise customers, an on-site audit once a year is available.
Pulse will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. The current pack includes the architecture overview, threat model, sub-processor list, and applicable controls documentation. SOC 2 Type II and ISO 27001 reports will be added once those audits are complete.
Where Customer reasonably requires further information or an on-site audit, Pulse will accommodate one audit per twelve-month period during business hours, on at least 30 days’ notice.
11 Return & deletion
When you leave, you have 30 days to export. After that we delete your data (primaries, replicas, and backups) and give you a signed deletion certificate.
At the end of the Wind-Down Period, or earlier on Customer’s written instruction, Pulse will delete Customer Data from production systems within 7 days and from backups within 30 days, providing Customer with a signed deletion certificate.
12 Liability & survival
The liability cap in your main contract applies to this DPA too, except for things that have to be uncapped by law, like data-subject damages under Article 82 GDPR.
Liability under this DPA is governed by the Liability section of the Agreement, except that nothing in the Agreement excludes or limits liability where Applicable Data Protection Law prohibits such exclusion or limitation, including liability under Article 82 GDPR.
Annex I · Processing details
Required by SCC Clause 9 + Article 28(3) GDPR.
Categories of Data Subjects
- Customer’s Authorised Users: Employees, contractors, and partners with access to the Customer’s workspace.
- Persons mentioned in Customer Data: Anyone whose name, email, or other identifier appears in connected sources.
Categories of Personal Data
- Identification & account: Name, work email, role, IdP claims, last login, MFA status.
- Connected content: Whatever Customer’s connected sources contain.
- Pulse-generated: Map graph, retrieval index, calibration feedback, audit log, briefings, drafts.
- Telemetry: Pseudonymous events. No content.
Nature, purpose & duration
- Nature: Storage, indexing, retrieval, synthesis, audit recording, briefing delivery.
- Purpose: Provision of the Service to Customer; security and abuse prevention.
- Duration: Term of the Agreement + Wind-Down Period (30 days).
Annex II · Technical & organisational measures
Summary; the full Statement of Applicability is in the trust pack.
Annex III · Authorised sub-processors
Current as of v3.2 effective date. Live list with regions: pulsehq.tech/legal/subprocessors.
| Sub-processor | Service | Region | Transfer mechanism |
|---|---|---|---|
| Vercel, Inc. | Application hosting + CDN | US (global edge) | SCCs · UK Addendum · DPF |
| Supabase, Inc. | Postgres database + auth | US (AWS-hosted) | SCCs · UK Addendum · DPF |
| Anthropic, PBC | Model inference (zero-retention) | US | SCCs · UK Addendum · DPF |
| OpenAI, OpCo LLC | Model inference (zero-retention) | US | SCCs · UK Addendum · DPF |
| Resend, Inc. | Transactional email | US | SCCs · UK Addendum · DPF |