Data Processing Agreement

Last Updated: January 2026
Effective Date: January 30, 2026

Note: This Data Processing Agreement ("DPA") applies automatically when you use PulseWork. If you require a countersigned copy for your records, please contact privacy@pulsework.io.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between PulseWork ("Processor", "we", "us") and the entity using the Service ("Controller", "Customer", "you") for the provision of the PulseWork workforce management service ("Service").

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws, including the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR.

2. Roles and Scope

For the purposes of this DPA and applicable Data Protection Laws:

  • Customer is the Data Controller of Personal Data
  • PulseWork is the Data Processor acting on Customer's behalf

This DPA applies to all Personal Data processed by PulseWork in connection with providing the Service to Customer.

3. Processing Details

3.1 Categories of Data Subjects

  • Customer's employees, contractors, and team members
  • Customer's managers and administrators

3.2 Categories of Personal Data

  • Identity Data: Name, email address, profile picture (from Google)
  • Employment Data: Role/position within the organization
  • Activity Data: Task assignments, assignment history, timestamps
  • Technical Data: IP addresses, browser information (in server logs)

3.3 Processing Purposes

  • Providing the workforce management Service
  • Displaying task assignments on the Kanban board
  • Sending notifications when users are reassigned
  • Maintaining audit logs of assignment changes
  • Providing customer support

4. Processor Obligations

PulseWork shall:

  • Process Personal Data only on documented instructions from Customer
  • Not process Personal Data for any purpose other than providing the Service
  • Not sell, rent, or otherwise commercially exploit Personal Data
  • Ensure persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Customer in responding to Data Subject requests
  • Delete or return all Personal Data upon termination, at Customer's choice

5. Security Measures

PulseWork implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access control at the application layer
  • Authentication via Google OAuth (no password storage)
  • Regular automated backups
  • Network firewall and intrusion prevention
  • Secure secrets management separated from application code

6. Sub-processors

Customer provides general authorization for PulseWork to engage the following Sub-processors:

Sub-processor       | Purpose                      | Location
Hetzner Online GmbH | Cloud infrastructure hosting | Germany (EU)
Google LLC          | Authentication (OAuth)       | USA*
Resend Inc.         | Transactional email          | USA*
Sentry              | Error monitoring (no PII)    | USA*
LemonSqueezy LLC    | Payment processing           | USA*

*For transfers to the USA, Standard Contractual Clauses are relied upon as the transfer mechanism.

PulseWork shall notify Customer of any intended changes to Sub-processors at least 14 days before any new Sub-processor begins processing Personal Data.

7. Data Subject Rights

PulseWork shall assist Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection).

Many requests can be fulfilled by Customer directly through the Service's administrative features (e.g., removing a member from an organization, exporting data).

8. Security Incidents

PulseWork shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Customer's Personal Data. The notification shall include:

  • Description of the nature of the incident
  • Categories and approximate number of Data Subjects affected
  • Likely consequences and measures taken to address the incident

9. Data Retention and Deletion

Upon termination of the Service agreement, PulseWork shall:

  • Upon Customer request, provide Customer with a copy of Personal Data in a commonly used format
  • Delete all Personal Data within 90 days, unless retention is required by law

10. Audits

PulseWork shall make available to Customer information necessary to demonstrate compliance with this DPA. Upon reasonable notice and subject to confidentiality obligations, Customer may request documentation demonstrating PulseWork's compliance with data protection obligations.

11. Term

This DPA shall remain in effect for the duration of PulseWork's processing of Personal Data on behalf of Customer. Obligations relating to security incidents, data deletion, and confidentiality shall survive termination.

12. Governing Law

This DPA shall be governed by the laws of England and Wales. In the event of a conflict between this DPA and the main Service agreement, this DPA shall prevail with respect to data protection matters.

13. Contact

For questions about this DPA, data protection concerns, or to request a countersigned copy:

Email: privacy@pulsework.io
Website: https://pulsework.io