Data Processing Agreement

GDPR-compliant data processing terms for PulseKeep services.

Last updated: March 2025

Summary

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PulseKeep and you ("Customer") and governs the processing of personal data by PulseKeep on behalf of the Customer in connection with the Services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Controller" means the Customer who determines the purposes and means of processing Personal Data.
  • "Data Processor" means PulseKeep, which processes Personal Data on behalf of the Customer.
  • "Sub-processor" means any third party engaged by PulseKeep to process Personal Data.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. Scope and Purpose

PulseKeep processes Personal Data solely for the purpose of providing the uptime monitoring Services, including:

  • • Monitoring URLs, endpoints, and APIs specified by the Customer
  • • Sending alert notifications to email addresses and webhooks configured by the Customer
  • • Displaying status information on public status pages created by the Customer
  • • Managing subscriber notifications for status page updates

3. Customer Obligations

The Customer warrants that:

  • • It has obtained all necessary consents and legal bases for processing Personal Data
  • • It will only provide Personal Data that is necessary for the Services
  • • It will comply with all applicable data protection laws
  • • It will promptly notify PulseKeep of any data subject requests

4. PulseKeep Obligations

PulseKeep agrees to:

  • • Process Personal Data only on documented instructions from the Customer
  • • Ensure personnel are bound by confidentiality obligations
  • • Implement appropriate technical and organizational security measures
  • • Assist the Customer in responding to data subject requests
  • • Delete or return Personal Data upon termination of the Services
  • • Make available information necessary to demonstrate compliance

5. Security Measures

Encryption

All data encrypted in transit (TLS 1.2+) and at rest

Access Control

Role-based access with multi-factor authentication

Infrastructure

Hosted on AWS with SOC 2 compliance

Logging

Comprehensive audit logging and monitoring

6. Sub-processors

PulseKeep uses the following sub-processors to provide the Services:

Sub-processorPurposeLocation
Amazon Web ServicesCloud infrastructure, monitoringGlobal (US, EU, APAC)
SupabaseDatabase, authenticationUS / EU
LemonSqueezyPayment processingUS
VercelWeb hostingGlobal

Customer will be notified of any changes to sub-processors with at least 30 days notice.

7. International Transfers

Personal Data may be transferred outside the EEA. PulseKeep ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and compliance with applicable data protection frameworks.

8. Data Subject Rights

PulseKeep will assist the Customer in fulfilling data subject requests, including:

  • • Right of access
  • • Right to rectification
  • • Right to erasure
  • • Right to data portability
  • • Right to object to processing

9. Data Retention

Personal Data is retained only as long as necessary to provide the Services. Upon termination, PulseKeep will delete all Personal Data within 30 days, unless retention is required by law.

10. Breach Notification

In the event of a Personal Data breach, PulseKeep will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of the breach, providing all information necessary for the Customer to fulfill its notification obligations.

11. Audit Rights

Upon reasonable request and subject to confidentiality obligations, PulseKeep will make available information necessary to demonstrate compliance with this DPA. Audits may be conducted by the Customer or an independent auditor with reasonable advance notice.

12. Term and Termination

This DPA remains in effect for the duration of the Services. Upon termination, PulseKeep will delete or return all Personal Data as instructed by the Customer, unless retention is required by law.

Contact

For questions about this DPA or to request a signed copy, contact us at:

privacy@pulsekeep.io