Data Processing Agreement (DPA)
Last updated: 10/19/2025
Note: This DPA applies to customers who use TeamPulze to process personal data of their team members. It forms part of your service agreement with TeamPulze.
1. Parties and Scope
1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
- "Controller" or "Customer": The organization that has subscribed to TeamPulze services and controls the personal data of its team members
- "Processor" or "TeamPulze": TeamPulze Inc., the provider of team feedback and pulse survey services
1.2 Scope and Purpose
This DPA governs the processing of personal data by TeamPulze on behalf of the Customer for the following purposes:
- Providing team pulse survey and feedback collection services
- Generating AI-powered insights from aggregated, anonymized team responses
- Tracking team health metrics and trends over time
- Facilitating team management and collaboration
2. Definitions
- "Personal Data": Information relating to identified or identifiable individuals (team members, managers)
- "Data Subject": Individual team members whose data is processed
- "Processing": Any operation performed on personal data (collection, storage, analysis, deletion)
- "Sub-processor": Third-party service providers engaged by TeamPulze to assist in processing
- "GDPR": General Data Protection Regulation (EU) 2016/679
- "Data Protection Laws": All applicable data protection and privacy laws (GDPR, CCPA, etc.)
3. Details of Data Processing
3.1 Categories of Data Subjects
- Team managers (Customer's employees who create and manage pulses)
- Team members (Customer's employees who respond to pulses)
3.2 Categories of Personal Data
- Identity Data: Name, email address
- Account Data: Username, password (hashed), authentication tokens
- Survey Data: Pulse responses, ratings, text feedback, sentiment
- Usage Data: Login times, feature usage, IP addresses
- Technical Data: Browser type, device information, cookies
3.3 Special Categories of Data
TeamPulze does not intentionally collect special categories of personal data (e.g., health data, racial/ethnic origin, political opinions). However, team members may voluntarily include such information in free-text responses. The Customer is responsible for instructing team members not to include such data.
3.4 Processing Operations
- Collection of survey responses from team members
- Storage and organization of responses in secure databases
- Aggregation and anonymization of responses for insights
- Generation of AI-powered analysis and trends
- Display of aggregated results to managers
- Retention for historical tracking
- Deletion upon Customer request or account termination
3.5 Duration of Processing
Processing continues for the duration of the service agreement and up to 30 days after termination, unless the Customer requests earlier deletion or legal obligations require longer retention.
4. Processor Obligations
TeamPulze shall:
- Process personal data only on documented instructions from the Customer (via the service interface)
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational measures to ensure data security
- Only engage Sub-processors in accordance with this DPA (see Section 6 below)
- Assist the Customer in responding to data subject rights requests
- Assist the Customer in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return all personal data to the Customer after termination, unless legal obligations require retention
- Make available to the Customer information necessary to demonstrate compliance and allow for audits
- Immediately inform the Customer if instructions violate Data Protection Laws
5. Customer Obligations
The Customer shall:
- Ensure it has a lawful basis for processing personal data and sharing it with TeamPulze
- Provide clear, accurate instructions for data processing via the service
- Ensure data subjects have been informed about the processing (via privacy notices)
- Not instruct TeamPulze to process special categories of personal data
- Comply with all applicable Data Protection Laws regarding its use of the service
- Respond to data subject requests, with assistance from TeamPulze as needed
6. Sub-processors
6.1 General Authorization
The Customer authorizes TeamPulze to engage Sub-processors to assist in providing the service. TeamPulze shall:
- Impose data protection obligations on Sub-processors that provide at least the same level of protection as this DPA
- Remain fully liable to the Customer for Sub-processor performance
6.2 Current Sub-processors
TeamPulze currently engages the following Sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. (supabase.com) | Cloud database, authentication, storage | United States (AWS) | SOC 2 Type II, GDPR compliant, Standard Contractual Clauses (SCCs) |
| OpenAI L.L.C. (openai.com) | AI-powered insights generation from aggregated, anonymized data | United States | SOC 2 Type II, GDPR compliant, Enterprise data usage policy (no training on customer data) |
| Stripe Inc. (stripe.com) | Payment processing and subscription billing | United States | PCI DSS Level 1, SOC 2 Type II, GDPR compliant, Standard Contractual Clauses (SCCs) |
| Functional Software Inc. (Sentry) (sentry.io) | Error monitoring and application performance | United States | SOC 2 Type II, GDPR compliant, Standard Contractual Clauses (SCCs) |
6.3 Changes to Sub-processors
TeamPulze will provide at least 30 days' notice before adding or replacing Sub-processors via:
- Email notification to the Customer's account email
- Update to this DPA page with "last updated" date change
- In-app notification (if applicable)
If the Customer reasonably objects to a new Sub-processor on data protection grounds, the Customer may terminate the service agreement with 30 days' notice.
7. Technical and Organizational Measures
TeamPulze implements the following security measures to protect personal data:
7.1 Technical Measures
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Control: Role-based access control (RBAC), multi-factor authentication (MFA) available
- Authentication: Secure authentication via Supabase with hashed passwords (bcrypt)
- Anonymization: Individual survey responses are anonymized to managers
- Logging: Security event logging and monitoring via Sentry
- Network Security: Firewall protection, DDoS mitigation, intrusion detection
7.2 Organizational Measures
- Confidentiality: All personnel with data access sign confidentiality agreements
- Training: Regular data protection and security training for staff
- Access Management: Principle of least privilege, regular access reviews
- Incident Response: Documented incident response and breach notification procedures
- Vendor Management: Security assessment of all Sub-processors
- Backups: Regular encrypted backups with 90-day retention
8. Assisting with Data Subject Rights
TeamPulze will assist the Customer in responding to data subject requests by:
- Access: Providing tools to export personal data in portable format (JSON/CSV)
- Rectification: Allowing customers to update/correct data via the platform interface
- Erasure: Providing deletion functionality for accounts, team members, and responses
- Restriction: Allowing customers to deactivate team members without deletion
- Portability: Export functionality for all personal data
- Objection: Allowing customers to stop processing by canceling service
For requests that cannot be fulfilled through the platform, the Customer may contact dpo@teampulse.com for assistance within 5 business days.
9. Data Breach Notification
In the event of a personal data breach, TeamPulze will:
- Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach
- Provide details of the breach including: nature of breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed
- Provide ongoing updates as investigation progresses
- Cooperate with the Customer in investigating and mitigating the breach
- Document all breaches and make records available to supervisory authorities upon request
Breach notifications will be sent to the Customer's account email address and, for critical breaches, via emergency contact methods if provided.
10. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States where our Sub-processors operate.
For transfers from the EEA to third countries, TeamPulze ensures adequate safeguards through:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs with all Sub-processors handling EEA data
- Sub-processor Commitments: All Sub-processors listed in Section 6.2 have executed SCCs or rely on other adequate transfer mechanisms
- Supplementary Measures: Technical measures including encryption and access controls to protect data
Copies of applicable SCCs are available upon request to legal@teampulse.com.
11. Data Retention and Deletion
11.1 Retention Period
- Account Data: Retained while service agreement is active
- Survey Responses: Retained for 2 years or until Customer requests deletion
- Aggregated Analytics: May be retained indefinitely in anonymized form
- Backups: Deleted data may remain in backups for up to 90 days
11.2 Deletion Upon Termination
Upon termination of the service agreement, TeamPulze will:
- Delete all personal data within 30 days, unless otherwise instructed
- Provide the Customer with the option to export all data before deletion (available for 30 days post-termination)
- Certify deletion in writing upon Customer request
- Retain only data required by applicable law (e.g., accounting records, dispute resolution)
12. Audit Rights
TeamPulze will make available to the Customer information necessary to demonstrate compliance with this DPA, including:
- Annual SOC 2 Type II audit reports (upon request under NDA)
- Security documentation and certifications
- Sub-processor security attestations
The Customer may conduct audits or inspections no more than once per year, upon 30 days' written notice, during business hours, and subject to confidentiality obligations. Such audits shall not unreasonably interfere with TeamPulze's business operations.
13. Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement.
TeamPulze shall be liable for the acts and omissions of its Sub-processors to the same extent as if they were its own acts and omissions.
Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be limited by applicable law.
14. Term and Termination
This DPA comes into effect on the date the Customer accepts the Terms of Service and remains in effect until termination of the service agreement.
Provisions that by their nature should survive termination shall survive, including confidentiality, data deletion obligations, and liability provisions.
15. Governing Law
This DPA is governed by the same law as the main service agreement. For matters not covered by this DPA, the terms of the main service agreement shall apply.
16. Order of Precedence
In the event of any conflict between this DPA and the main service agreement, this DPA shall take precedence with respect to data protection matters only.
17. Questions and Contact Information
For questions about this DPA or data processing practices, contact:
- Data Protection Officer: dpo@teampulse.com
- Legal Inquiries: legal@teampulse.com
- Security Issues: security@teampulse.com
Acceptance
By using TeamPulze services, the Customer agrees to the terms of this Data Processing Agreement.
This DPA forms part of the service agreement and is automatically incorporated by reference.