Data Processing Addendum

Effective May 2, 2026 · Pulse Inc.

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Pulse Inc. (“Processor”) and the customer organization (“Controller”) that uses the Pulse platform. It describes how Pulse processes Personal Data on the Controller’s behalf in compliance with the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the California Consumer Privacy Act as amended (“CCPA/CPRA”).

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR. “Personal Data” means any information relating to an identified or identifiable natural person. “Sub-processor” means a third party engaged by Pulse to process Personal Data on the Controller’s behalf.

2. Roles and responsibilities

The Controller determines the purposes and means of processing. Pulse acts as the Processor and processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country.

3. Categories of data and data subjects

The Controller may instruct Pulse to process the following data on its behalf:

  • Identification: name, email, profile photo of workspace members.
  • Communication content: messages, documents, comments, and metadata ingested from connected third-party tools (Slack, GitHub, Notion, Linear, Calendar, Drive, etc.).
  • Technical: IP addresses, browser user-agents, session metadata, audit logs.
  • Workspace metadata: roles, teams, group memberships.
  • Programmatic integration data: event payloads delivered to customer-configured webhook URLs (entity IDs, timestamps, event-type metadata; never raw source-system content), and request payloads received via authenticated REST API calls.

Data subjects are the Controller’s employees, contractors, and any third parties whose data appears in connected source systems.

4. Sub-processors

The Controller authorizes Pulse to engage the sub-processors listed below. We will give the Controller at least 14 days’ notice before engaging a new sub-processor; the Controller may object on reasonable grounds.

  • Supabase (database hosting, US/EU regions): primary data storage
  • Vercel (application hosting, global edge): web tier
  • Inngest (background-job orchestration): async workers
  • Anthropic (LLM inference, no-training endpoints): AI synthesis
  • OpenAI (embeddings, no-training endpoints): vector search
  • Resend (transactional email): verification, invitations, password reset
  • Sentry (error monitoring, optional): exception telemetry

5. Security

Pulse implements appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • OAuth tokens encrypted with AES-256-GCM at rest using a per-deployment key.
  • Per-tenant data isolation enforced at the database query layer.
  • Permission inheritance: we mirror source-system ACLs at retrieval time and never expand them.
  • Bcrypt-12 password hashing; JWT session tokens with 7-day rolling expiry; DB-backed session revocation.
  • SOC 2 Type II controls; annual third-party audits.
  • Rate limiting on authentication endpoints; audit logging of security-relevant events.
  • Outbound webhook deliveries are signed with HMAC-SHA256; payloads contain only entity identifiers and metadata, never raw source-system content. The Controller is responsible for endpoint security and signature verification at the receiving side.
  • Public REST API requests are authenticated via workspace-scoped bearer tokens, rate-limited at 100 requests/minute and 10,000 requests/day per key, with full audit logging of every call.

6. International data transfers

For Personal Data subject to the GDPR transferred outside the EEA / UK / Switzerland, Pulse relies on the European Commission’s Standard Contractual Clauses (Module 2: Controller-to-Processor) and equivalent UK and Swiss mechanisms, incorporated into this DPA by reference. The Controller may choose an EU region during workspace creation to keep all data within the EEA.

7. Data subject rights

Pulse will assist the Controller in fulfilling data-subject requests (access, rectification, erasure, portability, restriction, objection) through:

  • The data-export endpoint, which streams a JSON archive of all workspace data on demand.
  • Soft-delete on user-content rows with a 30-day reversible window before permanent purge.
  • Workspace deletion, which cascades to all child rows after the grace period.

8. Personal data breach notification

Pulse will notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a Personal Data breach, providing reasonable detail to assist the Controller in meeting its notification obligations under GDPR Article 33.

9. Audits

The Controller may, no more than once per year and on at least 30 days’ written notice, request our most recent SOC 2 Type II report and similar third-party audit reports. The Controller may conduct a customer-led audit at its own expense and during business hours, subject to mutual confidentiality terms.

10. Return or deletion of data

On termination of the Service, the Controller may export Personal Data via the data-export endpoint for thirty (30) days. Thereafter, all Personal Data is permanently and irreversibly deleted, except where retention is required by applicable law.

11. Conflicts

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data.

12. Contact

Data protection inquiries: dpo@pulse.app. To exercise data-subject rights through your organization, contact your workspace Owner.