Legal · B2B

Data processing agreement

Last updated: 2026-04-20 · Version 1.0

Placeholder. Pulsus legal team to replace this copy by 2026-05-15. Structure + links are final; body text is provisional.

This page hosts the standard Pulsus Data Processing Agreement (“DPA”) for business customers — typically Family Plan primary subscribers who invite seat members and therefore act as controllers for those seats under GDPR / UK-GDPR / KVKK.

The DPA is a single PDF download kept version-controlled. The download link below is placeholder pending counsel review; email privacy@pulsus.co and we will send you the current signed-and-countersigned version.

What the DPA covers

Art. 28 GDPR required terms: subject-matter and duration, nature and purpose, categories of data subject and personal data, obligations and rights of the controller.
Standard Contractual Clauses (2021 EU Commission) — Module 2 (Controller → Processor) for EU→US data flows to our named subprocessors.
UK IDTA + Addendum for UK-resident controller data transfers (ICO-published template, 2026 refresh).
Turkey Standart Sözleşme (KVKK) — Standard Contractual Clauses for cross-border transfers; filed with KVKK within 5 business days of execution as required by the 2026 guidance.
Subprocessor appendix — mirrors our public subprocessor list with the addition of named-subcontractor role.
Security measures appendix — reference to our Technical and Organisational Measures (TOMs) document.
Data breach notification — 72-hour window aligned with GDPR Art. 33.
Audit rights — reasonable audit access on 30 days' notice, subject to mutual NDA.
Return / deletion on termination — 30 days.

Who signs

The primary Family Plan subscriber countersigns on behalf of their household. Employer-bundled Pulsus deployments are handled bespoke — contact business@pulsus.co.

This page is a summary, not the DPA itself. The executed DPA governs — request the latest version from the address above.

What the DPA covers

Art. 28 GDPR required terms: subject-matter and duration, nature and purpose, categories of data subject and personal data, obligations and rights of the controller.

Standard Contractual Clauses (2021 EU Commission) — Module 2 (Controller → Processor) for EU→US data flows to our named subprocessors.

UK IDTA + Addendum for UK-resident controller data transfers (ICO-published template, 2026 refresh).

Turkey Standart Sözleşme (KVKK) — Standard Contractual Clauses for cross-border transfers; filed with KVKK within 5 business days of execution as required by the 2026 guidance.

Subprocessor appendix — mirrors our public subprocessor list with the addition of named-subcontractor role.

Security measures appendix — reference to our Technical and Organisational Measures (TOMs) document.

Data breach notification — 72-hour window aligned with GDPR Art. 33.

Audit rights — reasonable audit access on 30 days' notice, subject to mutual NDA.

Return / deletion on termination — 30 days.