Legal

Data Processing Agreement

Last updated: 21 May 2026  ·  Version 1.0

This Data Processing Agreement ("DPA") applies automatically to all customers of VerbaPulse as part of the Terms of Service. Enterprise customers requiring a countersigned DPA should contact [email protected].

1. Definitions

In this DPA, the following terms have the meanings given below:

2. Scope and Nature of Processing

2.1 Subject Matter

VerbaPulse processes Personal Data to provide the Services as described in the Terms of Service and this DPA.

2.2 Nature of Processing

VerbaPulse performs the following processing activities:

2.3 Categories of Personal Data

CategoryData elementsStored?
Account data First name, last name, work email address, hashed password, department Yes — for duration of subscription
Communication content Email/message body text submitted for analysis No — processed transiently, never stored
Usage events Risk type, risk level, action (accepted/dismissed), organization ID, timestamp Yes — aggregated, no individual user linkage in analytics
Technical data IP address, browser type, request timestamps Yes — server logs retained 30 days then deleted

2.4 Categories of Data Subjects

Employees and authorized users of the Controller's organization who use the VerbaPulse Service.

2.5 Duration of Processing

VerbaPulse will process Personal Data for the duration of the active subscription and for 90 days following termination, after which account data is permanently deleted. Communication content is discarded immediately after each analysis response is returned.

3. Instructions for Processing

VerbaPulse processes Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service. VerbaPulse will promptly notify the Controller if it believes any instruction infringes applicable data protection law.

4. Controller Obligations

The Controller represents and warrants that:

5. VerbaPulse Obligations

VerbaPulse commits to:

6. Sub-processors

The Controller provides general authorization for VerbaPulse to engage the following sub-processors. VerbaPulse will notify the Controller of any intended changes to sub-processors by updating this page and providing 30 days' notice via email to organization administrators.

Sub-processorPurposeData transferredLocationPrivacy policy
OpenAI, Inc. Language risk analysis (API) Email/message body text (no PII) United States Link
Twilio SendGrid Transactional email delivery Recipient email, first name United States Link
Google LLC (Analytics) Website analytics Anonymized page view data United States Link

Where sub-processors are located outside the European Economic Area, VerbaPulse relies on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism, or on the sub-processor's participation in an approved adequacy framework.

7. Technical and Organizational Security Measures

VerbaPulse implements the following measures to protect Personal Data:

Access control

Encryption

Infrastructure

Organizational

8. Data Subject Rights

VerbaPulse will assist the Controller in fulfilling Data Subject rights requests under the GDPR (Articles 15–22), including:

Data Subject rights requests should be submitted to [email protected]. VerbaPulse will respond within 30 days.

9. Data Breach Notification

In the event of a Personal Data breach, VerbaPulse will:

10. Audits and Compliance

VerbaPulse will make available all information reasonably necessary to demonstrate compliance with this DPA. Enterprise customers may request a security review or questionnaire completion by contacting [email protected].

Where applicable law requires an audit, the Controller may conduct one (or appoint a mutually agreed third party) upon 30 days' written notice, at the Controller's cost, no more than once per year, and subject to reasonable confidentiality terms.

11. Governing Law

This DPA is governed by the same law as the Terms of Service. Where the GDPR applies, this DPA is intended to comply with the requirements of Article 28 GDPR.

12. Precedence

In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA shall take precedence.

Need a countersigned DPA? Enterprise customers can request a countersigned version at [email protected].

Questions about data processing? We respond within 2 business days.