Data Processing Addendum (DPA)
Effective date: 2025-09-08. This DPA forms part of the agreement between PortPulse (“Processor”) and the customer identified in the Order Form (“Controller”) governing the use of the Service.
1) Definitions
Terms such as “personal data,” “processing,” “data subject,” “controller,” and “processor” have the meanings given in applicable data protection laws (e.g., GDPR, UK GDPR). “Customer Data” means personal data that Controller submits to the Service for processing. “Account Data” (e.g., user names, billing contacts) is processed by PortPulse as an independent controller per the Privacy Policy.
2) Roles; processing instructions
- PortPulse acts as Processor and processes Customer Data only on documented instructions from Controller, including as set out in this DPA and the Agreement.
- Controller is responsible for the lawfulness of Customer Data and for obtaining necessary notices and consents.
- Processor will promptly inform Controller if an instruction infringes applicable law.
3) Confidentiality & personnel
- Processor ensures personnel are bound by confidentiality obligations and receive privacy/security training.
- Access to Customer Data is limited to personnel with a need to know.
4) Security measures
Processor implements appropriate technical and organizational measures (TOMs) to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- Encryption in transit (TLS); encryption at rest where supported.
- Access control (least privilege), MFA for admin consoles, key management and rotation.
- Network security (WAF, rate limiting), logging and monitoring, vulnerability management.
- Backup and recovery, change management, secure development practices.
5) Personal data breach notification
Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Data, providing available information to assist Controller in meeting its obligations.
6) Sub-processors
- Controller authorizes the use of sub-processors listed in the Privacy Policy (Sub-processors section) and any successors with substantially similar obligations.
- Processor will enter into written agreements imposing data protection obligations at least as protective as those in this DPA and remains responsible for sub-processor performance.
- Processor will notify Controller of changes and allow reasonable opportunity to object on valid grounds.
7) Data subject requests
Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill data subject requests (e.g., access, deletion).
8) Audits & assistance
Processor will make available information necessary to demonstrate compliance with this DPA and applicable law, and will allow for audits by Controller or its auditor, subject to reasonable advance notice, confidentiality, and frequency limits. Remote document reviews are preferred. On-site visits are limited to once annually unless legally required or following a material incident.
9) International transfers
Where processing involves transfers of Customer Data from the EEA/UK to countries without adequate protection, the parties agree that the EU Commission Standard Contractual Clauses (SCCs) 2021/914 (Module Two — Controller to Processor) and the UK Addendum (as applicable) are incorporated by reference. PortPulse acts as “data importer” and Customer as “data exporter.” Conflicts are resolved per Section 14.
10) Return & deletion
Upon termination or at Controller’s written request, Processor will delete or return Customer Data, unless retention is required by law. Operational logs may be retained for limited periods for security, legal, or accounting purposes, after which they are deleted per schedules.
11) Liability
Each party’s aggregate liability arising out of or related to this DPA is subject to the limitations set forth in the Agreement. Nothing in this DPA limits a party’s liability where prohibited by law.
12) Governing law
This DPA is governed by the law designated in the Agreement. For SCCs, the governing law is as specified in the SCCs and the UK Addendum (as applicable).
Annex A — Subject matter & duration
- Subject matter: Processing of Customer Data as necessary to provide the Service (API access, logging, analytics, security).
- Duration: For the term of the Agreement and any transitional period for return/deletion.
- Nature & purpose: Hosting, storage, transmission, caching, monitoring, and support of API operations.
- Data subjects: Controller’s authorized users and personnel; limited operational contacts.
- Categories of data: Business contact data; technical identifiers (IP, user agent); request metadata. No special category data is intended.
Annex B — Technical & organizational measures
- Encryption in transit (TLS 1.2+); encryption at rest where supported by providers.
- Access controls, RBAC, MFA, least privilege, periodic access reviews.
- Network security (WAF, rate limiting, CDN), monitoring, centralized logging.
- Backup/restore with periodic tests; change management and code reviews.
- Incident response runbooks and breach notification procedures.
Annex C — Authorized sub-processors
See the Sub-processors list in the Privacy Policy. Processor may update sub-processors with notice and an opportunity to object on reasonable grounds.
This DPA is automatically effective upon your subscription to the Service and applies for the duration of your Agreement with PortPulse.