1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between ShipPulse (“Processor”) and the customer (“Controller”). This DPA applies where ShipPulse processes personal data on behalf of the customer in connection with the ShipPulse services.
This DPA is incorporated by reference into the ShipPulse Terms of Service. By using ShipPulse services, the customer agrees to the terms of this DPA.
2. Definitions
For the purposes of this DPA:
- Personal Data means any information relating to an identified or identifiable natural person processed through ShipPulse services.
- Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Data Subject means an individual whose personal data is processed (e.g. testimonial authors, feedback submitters, changelog subscribers).
- Sub-processor means a third-party processor engaged by ShipPulse to assist in processing Personal Data.
- GDPR means the EU General Data Protection Regulation 2016/679.
- SCCs means Standard Contractual Clauses for international data transfers, as adopted by the European Commission.
3. Scope and Roles
The customer acts as the Controller of Personal Data collected via ShipPulse (e.g. testimonials, feedback, subscriber emails). ShipPulse acts as the Processor, processing Personal Data solely on the Controller's documented instructions.
4. ShipPulse Obligations
ShipPulse agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that authorized personnel processing Personal Data are committed to confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Controller in responding to Data Subject rights requests.
- Delete or return all Personal Data upon termination of services, at the Controller's choice.
- Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations.
- Notify the Controller without undue delay (within 72 hours) after becoming aware of a personal data breach.
5. Controller Obligations
The Controller agrees to:
- Ensure a lawful basis exists for all Personal Data provided to ShipPulse for processing.
- Provide accurate and complete instructions for processing.
- Inform Data Subjects about processing activities (e.g. via a privacy policy on their website).
- Ensure collection forms and widgets are configured lawfully.
6. Sub-processors
The Controller grants ShipPulse general authorization to engage sub-processors. The current list of sub-processors is maintained at shippulse.dev/sub-processors.
ShipPulse will notify the Controller of any intended changes to sub-processors by updating the sub-processors page with at least 30 days' notice. If the Controller objects to a new sub-processor, it may terminate the services in accordance with the Terms of Service.
ShipPulse imposes data protection obligations on all sub-processors equivalent to those in this DPA.
7. International Data Transfers
ShipPulse and its sub-processors may process Personal Data in the United States and other countries outside the European Economic Area (EEA). Where Personal Data is transferred from the EEA or UK to countries not recognized as providing an adequate level of data protection, such transfers are governed by:
- The EU Standard Contractual Clauses (SCCs) adopted by the European Commission Decision 2021/914, Module 2 (Controller to Processor), incorporated herein by reference.
- For UK transfers: the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the UK Information Commissioner's Office.
By accepting this DPA, the parties agree to be bound by the SCCs, with ShipPulse as the data importer and the customer as the data exporter.
8. Security Measures
ShipPulse implements the following technical and organizational security measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) policies in the database
- Access controls and least-privilege principles
- API key authentication with SHA-256 hashing
- Webhook signature verification (HMAC-SHA256)
- Automated backups via Supabase
- Structured security logging and monitoring
9. Data Subject Rights
ShipPulse provides tools to assist the Controller in fulfilling Data Subject rights requests under GDPR:
- Right of Access / Data Portability: Controllers can export all project data in JSON format from Dashboard → Settings → Account.
- Right to Erasure: Controllers can delete individual testimonials, feedback posts, and subscribers from the dashboard. Full account deletion removes all associated data.
- Right to Rectification: Controllers can edit testimonials, feedback posts, and subscriber information via the dashboard.
For assistance with Data Subject requests that cannot be completed via the dashboard, contact [email protected].
10. Data Retention and Deletion
ShipPulse retains Personal Data for as long as the customer account is active. Upon account termination:
- All project data is deleted within 30 days via cascading database deletion.
- Backups containing the data are purged within 90 days.
- The Controller may request immediate deletion by contacting [email protected].
11. Audit Rights
ShipPulse will make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and GDPR Article 28. This includes:
- Responding to reasonable information requests in writing.
- Providing evidence of compliance certificates where available.
12. Contact
For DPA-related questions, data breach notifications, or sub-processor change objections, contact:
Email: [email protected]
Subject: DPA Inquiry — ShipPulse
To countersign this DPA, enterprise customers may email the above address with their company name and contact details. A signed PDF will be provided within 5 business days.