Data Processing Addendum

Effective date · 2 June 2026

This Data Processing Addendum (“DPA”) supplements the PulseSignal Terms of Service (the “Agreement”) and applies to PulseSignal’s processing of any Personal Data on behalf of a Customer who, in connection with the Service, acts as a controller (or equivalent role under non-EU law) of that Personal Data. Capitalised terms not defined here have the meaning given in the GDPR, the UK GDPR, the DPA 2018, the Swiss FADP, or the Agreement, as the context requires.

How to execute. This DPA is pre-signed by PulseSignal in the version published at the effective date above. Email privacy@pulsesignal.co from the billing email on the account, with your countersigned page attached, and we will return a fully executed copy within five business days. The DPA takes effect on the later of the date PulseSignal signed and the date the Customer signed.

01

Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person that the Customer (acting as controller) submits to or has PulseSignal process in connection with the Service.
  • “Data Protection Law” means, as applicable: the EU GDPR (Regulation 2016/679), the UK GDPR and DPA 2018, the Swiss FADP, the California Consumer Privacy Act as amended by the CPRA, the Brazilian LGPD (Law 13.709/2018), Canada’s PIPEDA and Quebec Law 25, India’s DPDP Act 2023 and DPDP Rules 2025, Singapore PDPA, Australia’s Privacy Act 1988, and any other privacy law that applies to a party’s processing under this DPA.
  • “Sub-processor” means a third party PulseSignal engages to process Personal Data on the Customer’s behalf, as listed at /privacy/sub-processors.
  • “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
  • “UK IDTA” means the UK International Data Transfer Addendum to the EU SCCs, version B1.0 issued by the Information Commissioner.

02

Roles and scope

For Personal Data submitted by the Customer or generated by the Customer’s use of the Service, the Customer is the “controller” (or equivalent) and PulseSignal is the “processor” (or equivalent).

For Personal Data that PulseSignal collects independently from publicly available sources about third-party companies and their named officers (as described in our Privacy Policy), PulseSignal is the “controller” in its own right and this DPA does not apply to that processing.

03

Annex I — Description of processing

  • Subject matter: PulseSignal’s provision of the Service as described in the Agreement.
  • Nature and purpose: hosting Customer Data, generating digests, alerts, briefings, exports, and API responses, and operating the technical infrastructure that supports those features.
  • Duration: the term of the Agreement, plus the retention windows described in our Privacy Policy.
  • Categories of data subject: (i) the Customer’s personnel who hold accounts on the Service, (ii) any individual whose data the Customer chooses to upload (for example, contact-list entries on a watchlist).
  • Categories of Personal Data: contact information (name, email), account credentials, configuration, support correspondence, usage telemetry, payment-method identifiers maintained by Stripe.
  • Sensitive categories: none expected. The Customer must not upload Article 9 data without prior written agreement.
  • Frequency: continuous, for the term of the Agreement.

04

Processing instructions

PulseSignal will process Personal Data only on the documented instructions of the Customer. The Agreement, this DPA, and the in-product configuration the Customer chooses (watchlists, alert rules, delivery channels) constitute the Customer’s documented instructions. PulseSignal will tell the Customer in writing if it believes an instruction infringes Data Protection Law.

05

Confidentiality

PulseSignal ensures that personnel authorised to process Personal Data are bound by a written confidentiality obligation or are under an appropriate statutory duty of confidentiality.

06

Security (Annex II)

PulseSignal implements and maintains technical and organisational measures appropriate to the risk, as documented on /security, and reviewed at least annually. Current controls include:

  • TLS 1.2+ in transit, AES-256 at rest for primary stores and backups.
  • Least-privilege access, SSO with MFA for production, structured audit logging.
  • Routine dependency-vulnerability review and patching.
  • Encrypted, rotated backups stored in a separate region.
  • Documented incident-response runbook with a 72-hour breach-notification commitment for EU/UK/Swiss data subjects.

Where the Customer has stricter security requirements (for example, customer-supplied encryption keys, regional data residency beyond what we offer today), those are out of scope of the current Service and must be agreed separately in writing.

07

Sub-processors (Annex III)

The Customer authorises PulseSignal to engage the Sub-processors listed at /privacy/sub-processors as at the effective date of the Agreement, and any future Sub-processors PulseSignal adds in accordance with this section.

PulseSignal will give the Customer at least 30 days’ written notice (by email to the billing contact and by an update to the sub-processor page) before any material addition takes effect. The Customer may object on reasonable data-protection grounds within that notice period. If the Customer objects and the parties cannot agree on a workaround within 30 days, the Customer may terminate the affected portion of the Service with a prorated refund of unused pre-paid fees.

PulseSignal imposes data-protection obligations on each Sub-processor that are substantively equivalent to those in this DPA, and remains liable to the Customer for the acts and omissions of its Sub-processors with respect to Personal Data.

08

International transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country outside its jurisdiction that has not received an adequacy decision, the parties incorporate the appropriate transfer mechanism by reference:

  • EU transfers: the EU SCCs (Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor) for Customer-to-PulseSignal transfers and Module 3 (processor-to-processor) for PulseSignal-to-Sub-processor transfers, with: docking clause optional; governing law of Ireland; supervisory authority of the lead supervisory authority for the Customer’s establishment.
  • UK transfers: the UK IDTA, with Table 1 populated from the Agreement, Tables 2 and 3 populated from this DPA and Annex I, and Table 4 with both Importer and Exporter able to terminate.
  • Swiss transfers: the EU SCCs as modified for use under the Swiss FADP, with references to GDPR read as references to the FADP, and the Swiss Federal Data Protection and Information Commissioner as the supervisory authority.

PulseSignal has carried out a transfer impact assessment for current Sub-processors and concluded that, taken together with the technical safeguards described in Annex II, the transfers offer an essentially equivalent level of protection. The assessment is available to the Customer on written request.

09

Data-subject requests

PulseSignal will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising rights under Data Protection Law. The Customer’s account dashboard exposes self-service export and deletion endpoints for Customer Data. For complex requests (for example, a request from an individual whose data has been embedded in a watchlist note), PulseSignal will respond to the Customer’s reasonable assistance request within seven business days at no additional charge, and will agree commercially reasonable fees beyond that if the volume becomes burdensome.

10

Personal data breach notification

PulseSignal will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data. The notification will, to the extent known: describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. PulseSignal will keep the Customer informed as the investigation progresses.

11

Records and audits

PulseSignal maintains the records required by GDPR Article 30(2) and equivalent law. Once per twelve months, on at least 30 days’ prior written notice and during normal business hours, the Customer (or a third-party auditor reasonably acceptable to PulseSignal and bound by confidentiality) may carry out an audit limited to what is strictly necessary to verify compliance with this DPA. The Customer will bear its own costs and PulseSignal’s reasonable costs of the audit. PulseSignal may satisfy the audit obligation by providing a then-current independent audit report (for example, an AICPA SOC 2 report once such an audit has been engaged and signed, or a current penetration-test letter); we do not currently hold a SOC 2 report and will not represent that we do. If a finding requires remediation, the parties will agree a reasonable timeline in writing.

12

Return or deletion at termination

On termination of the Agreement, PulseSignal will, at the Customer’s choice, delete or return all Personal Data processed on the Customer’s behalf and delete existing copies, except where Union, Member State, or other applicable law requires retention. Backups containing Personal Data are deleted on the standard backup-rotation cycle (currently 35 days) following the deletion request.

13

Liability

Each party’s liability under this DPA is subject to the liability cap and exclusions in the Agreement. Nothing in this DPA limits liability that cannot be limited under Data Protection Law (including, where applicable, liability under GDPR Article 82 to data subjects).

14

Order of precedence

In the event of conflict between this DPA and the Agreement, this DPA prevails on matters of data protection. In the event of conflict between this DPA and the EU SCCs, UK IDTA, or Swiss addendum (as applicable to a given transfer), those transfer instruments prevail to the extent of the conflict.

15

Changes to this DPA

PulseSignal may update this DPA to reflect changes in Data Protection Law, in Sub-processors, or in our technical and organisational measures. We will give 30 days’ written notice of material changes (effective date 2 June 2026; prior version: 22 May 2026). The Customer’s continued use of the Service after the effective date is acceptance of the revised DPA. Either party may terminate the affected portion of the Service if the change is materially adverse and the parties cannot agree a workaround within the notice period.

16

Contact

DPA execution and questions: privacy@pulsesignal.co.