Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of any agreement between pulse Energy GmbH, Kellerstr. 30, 81667 Munich, Germany (“pulse”, “Processor”) and the client identified in the order form (“Customer”, “Controller”).

If there is a conflict between this DPA and the main agreement, this DPA prevails for Personal Data processing.

1. Roles and scope

• The Customer is the Controller. pulse is the Processor.

• pulse processes Personal Data only to provide the contracted services (Monitoring, Action, hosting of Markdown mirror pages, support) and according to documented instructions from the Customer.

• The Parties may each act as independent controllers for their own business records (e.g., invoicing, contract and compliance records). Such independent-controller processing is outside the scope of this DPA.

2. Subject matter, nature, purpose, duration

• Subject matter: operation of pulse’s AI visibility platform and related services.

• Nature of processing: collection, storage, hosting, retrieval, transmission, analysis, support, logging, and deletion.

• Purpose: provide and improve the contracted services under the Customer’s instructions (including availability, security, troubleshooting, usage and performance metrics strictly necessary to deliver the services).

• Duration: term of the main agreement plus the deletion period in Section 11.

3. Categories of data and data subjects

• Data subjects: Customer’s authorized users; natural persons identifiable in Customer content; visitors of Customer mirror pages hosted by pulse.

• Personal Data categories: user account data (name, email, role), configuration data, service and access logs (IP, user agent, timestamps), Customer website/content elements that may include names or images, support messages and attachments.

• Customer will not instruct pulse to process special categories of data (Art. 9 GDPR) or children’s data. If such data is unavoidable, Customer must notify pulse in writing and agree additional safeguards.

4. Controller instructions

• pulse processes Personal Data only on documented instructions from the Customer, including configurations in the dashboard and written requests via agreed support channels.

• If an instruction infringes GDPR or other EU/Member State law, pulse will inform the Customer and may suspend the instruction until clarified.

5. Confidentiality and personnel

• pulse ensures that personnel with access to Personal Data are bound by confidentiality and receive appropriate data protection and security training.

• Access follows the principle of least privilege and is revoked without undue delay when no longer required.

6. Security measures (Art. 32 GDPR)

• pulse implements technical and organisational measures appropriate to the risk. A summary is in Annex A (TOMs).

• The measures include encryption in transit and at rest, role-based access with MFA for administrative accounts, network segregation, secure software development and change management, logging and monitoring, vulnerability management, backups with tested restores, and business continuity procedures.

7. Sub-processors

• The Customer gives general authorisation for pulse to use Sub-processors necessary to provide the services. The current list and purposes are published at: pulse-energy.eu/subprocessors.

• pulse will give 30 days’ prior notice of material changes (addition or replacement).

• The Customer may object on reasonable, documented data-protection grounds. The Parties will try to resolve in good faith. If unresolved, the Customer may terminate the affected service module with a prorated refund of prepaid fees for the unused period.

• pulse imposes on Sub-processors data protection obligations no less protective than this DPA, including security and deletion.

8. International data transfers

• pulse and its Sub-processors may process Personal Data outside the EEA/UK.

• For such transfers, pulse ensures a valid transfer mechanism under Arts. 44+ GDPR, e.g., EU Standard Contractual Clauses (SCCs) and/or EU-US Data Privacy Framework participation where applicable, plus transfer impact assessments and appropriate supplementary measures (e.g., encryption, access controls, minimisation).

• A summary of transfer mechanisms is in Annex C. On request, pulse will provide additional information (which may be redacted for confidentiality).

9. Assistance to the Controller

• Data subject requests: Taking into account the nature of processing, pulse assists the Customer by providing tools or acting on instructions to fulfill requests under Arts. 12–23 GDPR (access, deletion, rectification, restriction, portability, objection).

• DPIA and consultations: pulse provides available information needed for the Customer’s DPIA and consultations with supervisory authorities (Arts. 35–36), limited to pulse’s processing and systems.

10. Personal Data Breach notification

• pulse notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data.

• The notice will include the information required by Art. 33(3) GDPR where available, and updates will follow as facts are confirmed.

• pulse will promptly take necessary remediation steps and cooperate with the Customer.

11. Return and deletion

• During the agreement and for 30 days after termination, the Customer can export its data in a standard format.

• After the export window, pulse will delete Customer Personal Data from active systems and schedule deletion from backups according to standard retention cycles.

• Unless a longer retention is required by law, full deletion (including backups) will be completed within 90 days after the export window.

• On written request, pulse will provide a deletion confirmation.

12. Audits and information

• On reasonable prior notice, once per 12 months (or after a material security incident), the Customer may audit pulse’s compliance with this DPA.

• Audits will be conducted during normal business hours, without disrupting operations, under appropriate confidentiality, and may use independent third-party auditors.

• As a first step, pulse will make available relevant information (e.g., policy summaries, security whitepapers, penetration test summaries, third-party reports) to reduce or replace on-site audits where appropriate.

13. Mirror pages and support channels (service-specific points)

• Mirror pages: For Markdown mirror hosting, the Customer remains the Controller for page content and visitor data. pulse acts as Processor for hosting and related logs. By default, mirror pages do not include non-essential third-party trackers. If the Customer requests analytics, roles and responsibilities (including consent) must be agreed in writing. The Customer provides imprint/privacy texts; pulse deploys them.

• Support channels (Slack / Teams / email): Used under the Customer’s instructions. The Customer should avoid sending unnecessary Personal Data. pulse applies access controls and retention aligned with Section 11.

14. AI-model integrations (service-specific points)

• pulse integrates third-party AI model providers on behalf of the Customer and under this DPA.

• pulse minimises data sent to AI providers and disables model-training/retention where settings allow.

• AI outputs are treated as Customer Data.

• The Customer must not instruct pulse to submit sensitive or unlawful content to AI models.

15. Liability and governing law

• This DPA follows the liability and governing law of the main agreement. Mandatory GDPR obligations remain unaffected.

If any provision is invalid, the remainder stays effective.

Contact for privacy matters: info@pulse-energy.eu.