TL;DR: The contract that governs how we (the Processor) handle your clients' personal data on your behalf (you're the Controller). Written to satisfy GDPR.
This Data Processing Addendum ("DPA") is entered into between ClientsPulse ("Processor") and the operator subscribing to the Service ("Controller") and forms part of the ClientsPulse Terms of Service.
1. Definitions
Terms not defined here have the meanings given in GDPR (EU 2016/679). "Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" carry their GDPR meanings.
2. Subject Matter and Purpose
TL;DR: We process your data only to run the Service. Nothing else.
The Processor processes Personal Data on behalf of the Controller solely to provide the ClientsPulse Service as described in the Terms of Service. The Processor shall not process Personal Data for any other purpose.
3. Categories of Personal Data Processed
- Client names and email addresses
- Email message content (BCC-ingested)
- Approval decisions, comments, and uploaded files
- Invoice amounts and payment status
- Portal access logs (IP addresses, timestamps)
4. Controller Obligations
TL;DR: You confirm you have the legal right to put this data in the Service, and you won't upload health/financial credentials.
The Controller warrants that:
- It has a lawful basis for processing the Personal Data it submits to the Service
- It has obtained any required consents from its clients (data subjects)
- It will not submit special category data (health, financial credentials, etc.) to the Service
- It will comply with applicable data protection laws in its use of the Service
5. Processor Obligations
TL;DR: We follow your instructions, keep things secure and confidential, help with data-subject requests, and delete or return data on exit.
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorised to process the data are bound by confidentiality
- Implement appropriate technical and organisational security measures (Article 32)
- Assist the Controller in responding to Data Subject requests within the statutory timeframe
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice
- Provide all information necessary to demonstrate compliance with this DPA
6. Subprocessors
TL;DR: List is in the Privacy Policy. We give 14 days' notice before adding a new one.
The Processor uses subprocessors as listed in the Privacy Policy. The Processor maintains written agreements with each subprocessor that impose equivalent data protection obligations. The Controller provides general authorisation for the use of listed subprocessors.
The Processor will notify the Controller at least 14 days before adding a new subprocessor.
7. International Transfers
TL;DR: Data lives in US-East. EEA → US transfers are covered by Standard Contractual Clauses.
Primary data is stored in the US (Supabase US-East). Transfers outside the EEA occur under Standard Contractual Clauses (SCCs) incorporated into Processor–Subprocessor agreements.
8. Security Incidents
TL;DR: If there's a breach affecting your data, you'll hear from us within 72 hours.
The Processor shall notify the Controller without undue delay (and no later than 72 hours) upon becoming aware of a Personal Data breach affecting the Controller's data. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.
9. Audit Rights
TL;DR: Once a year, with 30 days' notice, at your expense.
The Controller may request an audit of the Processor's data processing activities no more than once per year, with 30 days' notice, at the Controller's expense.
10. Term and Termination
This DPA is coterminous with the Terms of Service. Upon termination, the Processor will delete all Personal Data within 90 days, unless longer retention is required by law.
11. Contact
Data protection inquiries: legal@clientspulse.app