Data Processing Addendum

GDPR Article 28 agreement for customers processing personal data through PagePulse.

1. Purpose and scope

This Data Processing Addendum (“DPA”) forms part of the PagePulse Terms of Service and reflects the parties' agreement with respect to the processing of personal data contained in customer telemetry. Capitalized terms not defined in this DPA have the meanings given to them in the Terms, the GDPR, or the CCPA, as applicable.

This DPA applies when PagePulse processes personal data on behalf of the customer as a data processor (or service provider, under the CCPA). The customer is the data controller (or business, under the CCPA).

2. Categories of personal data

PagePulse processes the following categories of personal data contained in customer telemetry:

2.1 End-user device and connection data

Device class, browser family, operating system family, connection type (e.g. 4G), and screen size. This data is pseudonymous and cannot be linked to a specific individual without additional information the customer controls.

2.2 End-user geolocation

Country-level geolocation, derived from the end user's IP address at the moment of ingestion. The IP address itself is discarded within 60 seconds of ingestion and is never stored, logged, or used for any other purpose.

2.3 Customer account data

Account holder name, work email address, company name, and audit log entries generated by the customer's team members while using the dashboard and API.

3. Purposes of processing

PagePulse processes personal data only for the following purposes: (a) to provide the Service to the customer as described in the Terms; (b) to detect, prevent, and respond to security incidents; (c) to comply with legal obligations; and (d) to maintain audit logs required by our SOC 2 and ISO 27001 certifications.

PagePulse does not process personal data for any purpose that is not listed above, including for marketing, advertising, or training machine learning models that benefit any party other than the customer.

4. International data transfers

PagePulse operates collection regions in the United States, European Union, and Asia Pacific. Personal data may be transferred between these regions for the purposes described in this DPA. EU customers can elect EU-only data residency, in which case personal data is stored exclusively in the EU region.

All international transfers are made under the Standard Contractual Clauses (SCCs) adopted by the European Commission. A signed copy of the SCCs is available on request. For transfers to the United States, PagePulse self-certifies under the EU-US Data Privacy Framework.

5. Sub-processors

PagePulse engages the following categories of sub-processors: cloud hosting, managed database, email delivery, and payment processing. A current list of named sub-processors is available at pagepulse.dev/sub-processors and is updated at least 30 days before any new sub-processor is engaged.

PagePulse is liable for the acts and omissions of its sub-processors to the same extent it would be liable if performing those services directly. Each sub-processor is bound by a written agreement that imposes data protection obligations at least as protective as those in this DPA.

6. Data security

PagePulse implements and maintains technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, audit logging, and 90-day key rotation.

PagePulse maintains SOC 2 Type II and ISO 27001 certifications. Annual independent penetration tests are performed by a qualified third party. A summary of the most recent test is available on request under NDA.

7. Data subject rights

PagePulse will assist the customer in responding to data subject requests (access, correction, deletion, portability, objection) to the extent PagePulse holds relevant personal data. The customer is responsible for verifying the identity of the data subject and for communicating the response.

Data subject access requests should be submitted by the customer's workspace admin to support@pagepulse.dev. PagePulse will respond within 72 hours of receiving a complete request.

8. Data breach notification

PagePulse will notify the customer without undue delay, and in any case within 72 hours, of becoming aware of a personal data breach affecting the customer's data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the measures taken or proposed to address the breach, and the contact point for further information.

PagePulse will cooperate with the customer in any communication to data subjects or supervisory authorities, to the extent required by applicable law.

9. Data return and deletion

On termination of the customer's account, PagePulse will retain personal data for 30 days to allow for export, then hard-delete it across all systems, including backups. Audit logs that contain personal data are retained for 7 years to comply with SOC 2 and ISO 27001 requirements; during this retention period, the logs are used only for security and compliance purposes.

10. Audits

The customer may audit PagePulse's compliance with this DPA once per calendar year, on at least 30 days' notice, by appointing a qualified third-party auditor that is not a competitor of PagePulse. The audit will be conducted during business hours, will not unreasonably interfere with PagePulse's operations, and will be limited to information relevant to the customer's data.

As an alternative to a self-directed audit, the customer may accept PagePulse's most recent SOC 2 Type II report and ISO 27001 certificate, which are available on request under NDA.

Questions about this document? Email support@pagepulse.dev.