Data Processing Agreement
Last updated: 21 May 2026 · Version 1.0
This Data Processing Agreement ("DPA") applies automatically to all customers of VerbaPulse as part of the
Terms of Service. Enterprise customers requiring a countersigned DPA should contact
[email protected].
1. Definitions
In this DPA, the following terms have the meanings given below:
- "Controller" means the Customer — the organization that has entered into the Terms of Service with VerbaPulse and determines the purposes and means of processing Personal Data.
- "Processor" means VerbaPulse, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" has the meaning given in Article 4(2) of the GDPR.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by VerbaPulse to process Personal Data in connection with the Service.
- "Services" means the VerbaPulse language risk detection platform, including the Chrome Extension, Outlook Add-in, and associated web dashboard.
2. Scope and Nature of Processing
2.1 Subject Matter
VerbaPulse processes Personal Data to provide the Services as described in the Terms of Service and this DPA.
2.2 Nature of Processing
VerbaPulse performs the following processing activities:
- Transient analysis: Email and message text submitted by users for risk analysis is transmitted to VerbaPulse's servers, processed in memory, and returned as analysis results. This content is not persisted to any database or storage system.
- Account management: Name, work email address, and organizational role are stored to operate user accounts and the admin dashboard.
- Event logging: Anonymized interaction events (e.g., risk category, risk level, action taken) are logged and linked to an organization identifier; for analytics purposes they are never linked to an individual user identifier.
2.3 Categories of Personal Data
| Category | Data elements | Stored? |
| --- | --- | --- |
| Account data | First name, last name, work email address, hashed password, department | Yes — for duration of subscription |
| Communication content | Email/message body text submitted for analysis | No — processed transiently, never stored |
| Usage events | Risk type, risk level, action (accepted/dismissed), organization ID, timestamp | Yes — aggregated, no individual user linkage in analytics |
| Technical data | IP address, browser type, request timestamps | Yes — server logs retained 30 days then deleted |
2.4 Categories of Data Subjects
Employees and authorized users of the Controller's organization who use the VerbaPulse Service.
2.5 Duration of Processing
VerbaPulse will process Personal Data for the duration of the active subscription and for 90 days following termination, after which account data is permanently deleted. Communication content is discarded immediately after each analysis response is returned.
3. Instructions for Processing
VerbaPulse processes Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service. VerbaPulse will promptly notify the Controller if it believes any instruction infringes applicable data protection law.
4. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis for processing the Personal Data submitted to the Service (e.g., legitimate interests, performance of a contract, or employee consent where required).
- It has provided appropriate notices to Data Subjects about the processing of their communications through the Service.
- It will not submit to the Service any special categories of Personal Data (as defined in Article 9 GDPR) or Personal Data of individuals under 18 years of age.
5. VerbaPulse Obligations
VerbaPulse commits to:
- Process Personal Data only for the purposes set out in this DPA and the Terms of Service.
- Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Section 7.
- Assist the Controller in responding to Data Subject rights requests within the timeframes required by applicable law.
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting the Controller's data.
- Delete or return all Personal Data upon termination of the Services, in accordance with Section 2.5.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
6. Sub-processors
The Controller provides general authorization for VerbaPulse to engage the following sub-processors. VerbaPulse will notify the Controller of any intended changes to sub-processors by updating this page and providing 30 days' notice via email to organization administrators.
| Sub-processor | Purpose | Data transferred | Location | Privacy policy |
| --- | --- | --- | --- | --- |
| OpenAI, Inc. | Language risk analysis (API) | Email/message body text (no PII) | United States | Link |
| Twilio SendGrid | Transactional email delivery | Recipient email, first name | United States | Link |
| Google LLC (Analytics) | Website analytics | Anonymized page view data | United States | Link |
Where sub-processors are located outside the European Economic Area, VerbaPulse relies on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism, or on the sub-processor's participation in an approved adequacy framework.
7. Technical and Organizational Security Measures
VerbaPulse implements the following measures to protect Personal Data:
Access control
- Role-based access control — only authorized personnel can access production systems.
- Server access restricted to SSH key authentication; password-based login disabled.
- Principle of least privilege applied to all internal system access.
Encryption
- All data in transit encrypted via TLS 1.2+ (TLS 1.3 preferred).
- Passwords stored as salted SHA-256 hashes — never in plaintext.
Infrastructure
- Dedicated cloud server with automated OS security updates.
- Firewall restricting inbound traffic to HTTPS (443) and SSH (22).
- Automated daily database backups with 7-day retention.
Organizational
- Personnel authorized to access Personal Data are subject to confidentiality obligations.
- Incident response process in place; breaches reported within 72 hours of discovery.
- Regular review of sub-processor security practices.
8. Data Subject Rights
VerbaPulse will assist the Controller in fulfilling Data Subject rights requests under the GDPR (Articles 15–22), including:
- Access and portability: Export of account data and event logs upon request.
- Rectification: Correction of inaccurate account data.
- Erasure: Permanent deletion of an individual's account data upon request from the Controller. Organization admins can remove users directly from the Admin panel.
- Restriction and objection: Suspension of processing where lawfully required.
Data Subject rights requests should be submitted to [email protected]. VerbaPulse will respond within 30 days.
9. Data Breach Notification
In the event of a Personal Data breach, VerbaPulse will:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to meet its own notification obligations to supervisory authorities and Data Subjects.
- Cooperate with the Controller and take such reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of the breach.
10. Audits and Compliance
VerbaPulse will make available all information reasonably necessary to demonstrate compliance with this DPA. Enterprise customers may request a security review or questionnaire completion by contacting [email protected].
Where applicable law requires an audit, the Controller may conduct one (or appoint a mutually agreed third party) upon 30 days' written notice, at the Controller's cost, no more than once per year, and subject to reasonable confidentiality terms.
11. Governing Law
This DPA is governed by the same law as the Terms of Service. Where the GDPR applies, this DPA is intended to comply with the requirements of Article 28 GDPR.
12. Precedence
In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA shall take precedence.