# Data Processing Addendum (DPA) — PULSE

**Template version: 2026.04**
**Status: customer-completable template — sign and return to privacy@runonpulse.com**

This Data Processing Addendum (the "DPA") forms part of the agreement
between the customer identified below ("Controller") and PULSE
("Processor") governing Processor's processing of Personal Data on
behalf of Controller in connection with the PULSE Service.

---

## 1. Parties

| Field                          | Value                          |
|--------------------------------|--------------------------------|
| Controller (legal entity name) | _____________________________  |
| Controller registered address  | _____________________________  |
| Controller signatory name      | _____________________________  |
| Controller signatory title     | _____________________________  |
| Processor                      | PULSE Operations Ltd           |
| Processor registered address   | (see https://runonpulse.com)   |
| Effective date                 | _____________________________  |

## 2. Subject matter and duration

The subject matter of the processing is the provision of the PULSE
software-as-a-service workflow platform.  The duration of the
processing is the term of the underlying subscription agreement plus
the post-termination retention windows in clause 9.

## 3. Nature and purpose of processing

Processor will process Personal Data only as necessary to provide the
Service: hosting Controller's workspace data, executing automations
configured by Controller, sending operational notifications,
delivering support, and operating security and integrity controls.

## 4. Categories of data subjects

* Controller's staff and contractors who use the Service
* Controller's franchise partners, branch managers, and operators
* End-customers whose data Controller chooses to upload (e.g.
  reservations, support tickets, survey respondents)

## 5. Categories of Personal Data

* Identity data: name, work email, phone, profile photo
* Account data: hashed credentials, MFA secrets, role assignments
* Usage data: audit log entries, IP, user-agent, in-app actions
* Free-text content: notes, manuals, survey responses, uploaded files
* Any further categories Controller chooses to upload

## 6. Sub-processors

Processor maintains a current list of authorised sub-processors at
https://runonpulse.com/sub-processors. Processor will give Controller
30 days' notice of any new sub-processor by email and via the
sub-processors page.

## 7. International transfers

Where transfers occur outside the UK / EEA, the parties incorporate by
reference the UK International Data Transfer Addendum and the EU
Standard Contractual Clauses (Module 2: Controller-to-Processor),
Module 3 where Processor sub-processes onward.

## 8. Security measures (Annex II)

* Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
* Per-tenant data isolation (schema-per-tenant by default)
* Role-based access control with least-privilege defaults
* Mandatory MFA for production access
* Append-only audit log of administrative actions
* Annual penetration test; continuous dependency scanning
* Documented breach response (72-hour notification commitment)

## 9. Retention and deletion

* Operational data is retained for the active subscription term.
* On termination Processor offers a 30-day grace window during which
  Controller may export workspace data. After the window, Processor
  destroys workspace data within 30 further days, except for:
  * billing and invoicing records (legal retention, ~7 years), and
  * append-only security audit log entries (with personal references
    tombstoned where the data subject exercises right-to-erasure).

## 10. Data-subject rights

Processor will provide Controller with reasonable assistance to
respond to data-subject requests (access, rectification, erasure,
restriction, portability, objection) via the in-app self-service
flows and the platform-admin DSAR queue.

## 11. Personal-data breaches

Processor will notify Controller of any confirmed Personal-Data
breach without undue delay and in any event within 72 hours of
confirmation, providing the information required by Article 33(3)
GDPR / UK GDPR.

## 12. Audit

Processor will, no more than once per twelve-month period, make
available to Controller a current SOC 2 / ISO 27001-equivalent
report or, where unavailable, respond in writing to a reasonable
security questionnaire.

## 13. Liability

Liability under this DPA is subject to the limitations of liability
in the underlying subscription agreement.

## 14. Governing law

This DPA is governed by the law of the underlying subscription
agreement.

---

## Signatures

**For the Controller**

Name:     _____________________________

Title:    _____________________________

Date:     _____________________________

Signature:_____________________________


**For PULSE (Processor)**

Name:     _____________________________

Title:    _____________________________

Date:     _____________________________

Signature:_____________________________