Template version 2026.05 · Last updated 2026-05-12

Data Processing Agreement (template)

This is the template PULSE uses for UK GDPR / EU GDPR customers who require a signed DPA. To request a counter-signed copy email [email protected] from the billing-owner address on your workspace.

Download DPA template (Markdown) Plain-text Markdown — open in any editor, sign, return to [email protected].

1. Parties and roles

The customer (the "Controller") instructs PULSE (the "Processor") to process Personal Data only as required to provide the PULSE service in accordance with the terms of service and the customer's documented instructions.

2. Subject matter and duration

Subject matter: provision of the PULSE workspace platform (Pack, Manual, Playbooks, Execute, Learn, Dash, Signal, Compliance). Duration: the term of the customer's subscription, plus the 30-day post-cancellation export window before deletion.

3. Categories of data subjects and personal data

  • Data subjects: the customer's employees and contractors who hold a PULSE login.
  • Personal data: identifiers (name, email, username, profile image), employment metadata (job title, start date, branch assignment), authored content (tasks, comments, course progress, review responses), and audit metadata (login IPs, action timestamps).

4. Sub-processors

The current list of sub-processors is published at /subprocessors. The customer can subscribe to advance notice of additions; PULSE gives 30 days written notice and the customer may object on reasonable grounds.

5. Security measures

PULSE maintains the technical and organisational measures described at /security: encryption in transit and at rest, role-based access, audit logging, regular backups, and isolation of tenant data via a schema-per-tenant database design.

6. Data subject rights

PULSE provides self-service export and erasure for end users via Account › Privacy & data, and tenant-level export via the workspace owner. PULSE will assist the customer in fulfilling DSARs within the timelines required by Article 12.

7. Personal data breach notification

PULSE will notify the customer's billing-owner contact without undue delay, and in any case within 72 hours, of becoming aware of a personal data breach affecting their data, with the information required by Article 33(3).

8. International transfers

Where personal data is transferred outside the UK or EEA, the transfer is governed by the EU Standard Contractual Clauses (with the UK International Data Transfer Addendum where applicable), incorporated by reference into this DPA.

9. Return or deletion at end of provision

On termination of the subscription PULSE makes the customer's data available for export for 30 days, then deletes it. Backup copies expire on a rolling basis (typically within 35 days).

This template is provided for information. The signed DPA issued by PULSE on request is the operative document.