Data Processing Agreement

The Controller determines the purposes and means of processing personal data uploaded to or generated within the Platform ("Customer Personal Data"). PulseMenu acts as Processor and processes Customer Personal Data on the Controller's documented instructions, which are set out in the Agreement (the Terms of Service, any Order Form, this DPA, and any further written instructions).

Where PulseMenu engages another company to process Customer Personal Data on its behalf, that company acts as a sub-processor and is bound by the obligations set out in Section "Sub-processors".

• Process Customer Personal Data only on the Controller's documented instructions, including for international transfers, unless required by EU or Member State law to which PulseMenu is subject;
• Ensure that personnel authorised to process Customer Personal Data are subject to confidentiality obligations;
• Implement and maintain the technical and organisational measures described in Annex II;
• Engage sub-processors only in accordance with Section "Sub-processors";
• Assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR;
• Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, DPIAs, prior consultation);
• At the Controller's choice, return or delete all Customer Personal Data at the end of the provision of services, subject to limited backup retention; and
• Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

The Controller provides general written authorisation for PulseMenu to engage sub-processors. PulseMenu maintains an up-to-date list of sub-processors, including their name, role, and country, available on request and via the trust centre.

PulseMenu will inform the Controller of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' notice. The Controller may object on reasonable grounds related to data protection within that period. If the parties cannot resolve the objection, the Controller may terminate the affected services for cause.

PulseMenu enters into a written contract with each sub-processor imposing data protection obligations substantively equivalent to those in this DPA and remains liable to the Controller for the performance of its sub-processors.

PulseMenu implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption — TLS 1.2+ in transit; AES-256 or equivalent at rest;
• Access control — role-based access, least privilege, multi-factor authentication for administrators;
• Network security — segmented production networks, web application firewall, DDoS protection;
• Software development lifecycle — peer code review, automated tests, dependency scanning;
• Monitoring and logging — centralised audit logs with tamper protection and anomaly detection;
• Backup and recovery — encrypted, geographically redundant backups with periodic restore testing;
• Incident response — 24×7 on-call, documented runbooks, post-incident reviews;
• Personnel — background checks for security-sensitive roles, mandatory security training;
• Physical security — cloud infrastructure providers with ISO 27001 and SOC 2 certifications;
• Vendor management — risk assessments and contractual safeguards for all sub-processors.

Customer Personal Data is stored in the European Economic Area by default. Where personal data is transferred to a country outside the EEA without an adequacy decision, PulseMenu relies on the European Commission's 2021 Standard Contractual Clauses (the "SCCs"), with Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable, incorporated by reference into this DPA.

For data originating in the UK, the parties also incorporate the UK International Data Transfer Addendum. For Swiss-originated data, the SCCs apply with the amendments published by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

PulseMenu performs transfer impact assessments and implements supplementary technical, contractual, and organisational measures where required to ensure an essentially equivalent level of protection.

PulseMenu will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under the GDPR. Where PulseMenu receives a request directly from a data subject, it will forward it to the Controller without undue delay and will not respond to the request unless authorised by the Controller.

PulseMenu will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records, contact information, likely consequences, and measures taken or proposed to address the breach. PulseMenu will cooperate with the Controller and provide such further information as is reasonably required for the Controller to comply with its own breach notification obligations.

PulseMenu will make available to the Controller, on reasonable request, the information necessary to demonstrate compliance with this DPA. This will normally take the form of summary reports, certifications (e.g. ISO 27001), and the latest penetration testing summary. The Controller may, no more than once per year and with reasonable advance notice, conduct or commission an audit of PulseMenu's facilities and documentation relevant to the processing, at its own expense and subject to mutually agreed scope, confidentiality, and timing.

Upon termination of the Agreement and at the Controller's election, PulseMenu will either return all Customer Personal Data in a commonly used format, or delete it from production systems within 30 days. Backups will continue to be subject to the documented backup retention period and will be deleted in the ordinary course. PulseMenu may retain Customer Personal Data where required by applicable law.

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. In the event of any conflict between this DPA and the Terms of Service with respect to processing of personal data, this DPA prevails.

This DPA is governed by the laws specified in the Terms of Service. If any provision of this DPA is held invalid, the remaining provisions will continue in full force and effect. Each party will appoint a privacy contact responsible for matters under this DPA; PulseMenu's contact is privacy@pulse-menu.com.

Most customers do not need a countersigned copy because acceptance of our Terms of Service constitutes acceptance of this DPA. If your procurement process requires a signed PDF, email legal@pulse-menu.com and we will return a fully signed copy within two business days.