Data Processing Agreement
Effective: May 17, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between LicensePulse ("LicensePulse", "Processor") and the customer named in the order form or otherwise identified ("Customer", "Controller"). It applies whenever LicensePulse processes Personal Data on Customer's behalf in connection with the Service.
If the Agreement and this DPA conflict on a data protection matter, this DPA controls.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.
- Data Protection Laws means GDPR (EU 2016/679), the UK GDPR, the Swiss FADP, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA / CPRA"), and any other applicable laws governing the processing of Personal Data.
- Personal Data, Controller, Processor, Sub-processor, Processing, Data Subject have the meanings in GDPR.
- Standard Contractual Clauses ("SCCs") means the EU SCCs adopted under Commission Decision 2021/914.
2. Subject matter and roles
- Subject matter: LicensePulse's processing of Personal Data to deliver the Service per the Agreement.
- Duration: until the Agreement ends and any post-termination data export period closes.
- Categories of Data Subjects: Customer's employees and contractors who appear in license records, plus any other individuals reflected in Customer Data.
- Categories of Personal Data: business contact details (name, work email), license-usage attributes (username, department, time of activity), and any other Personal Data Customer chooses to upload.
- Special categories: none expected. Customer must not upload sensitive data (Article 9 GDPR), Protected Health Information, or payment card data.
- Roles: Customer is the Controller; LicensePulse is the Processor. For end-user account data of Customer's own users (e.g. a Customer's IT admin who logs in to LicensePulse), LicensePulse acts as a separate Controller for the limited purposes set out in our Privacy Policy.
3. LicensePulse's obligations
LicensePulse will:
- Process Personal Data only on documented Customer instructions, including for international transfers, except where required by law (we will tell Customer first unless prohibited).
- Ensure confidentiality — personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (see Annex II below) to protect Personal Data against unauthorized or unlawful processing and accidental loss.
- Engage Sub-processors only as permitted in Section 5.
- Assist Customer, taking into account the nature of processing, with: - Responses to Data Subject Requests under Articles 15–22 GDPR (Section 6). - Data protection impact assessments under Article 35 GDPR. - Notifications to supervisory authorities and Data Subjects under Articles 33–34 GDPR.
- Notify Customer of Personal Data Breaches without undue delay and in any case within 72 hours of becoming aware (Section 7).
- On termination, return or delete Personal Data per Section 9.
- Make available all information necessary to demonstrate compliance with this DPA, and allow audits per Section 8.
4. Customer's obligations
Customer warrants that:
- It has a lawful basis to provide Personal Data to LicensePulse and to instruct the processing.
- It has provided required notices and obtained required consents from Data Subjects.
- Its instructions to LicensePulse comply with Data Protection Laws.
- It will not upload data outside the categories above.
5. Sub-processors
- Customer authorizes LicensePulse to engage the Sub-processors listed at https://licensepulse.app/subprocessors. The same list is reproduced in
subprocessors.md. - LicensePulse will give Customer at least 14 days' advance notice of new or replacement Sub-processors (subscription to that page suffices). Customer may object on reasonable grounds; if the parties cannot resolve the objection within 30 days, Customer may terminate the affected portion of the Service for a pro-rata refund.
- LicensePulse imposes data protection obligations on Sub-processors that are at least as protective as this DPA, and remains liable for their performance.
6. Data Subject Requests
If LicensePulse receives a request directly from a Data Subject of Customer, LicensePulse will (a) not respond to the substantive request and (b) forward it to Customer without undue delay. LicensePulse will assist Customer in responding (e.g. by exporting, correcting, or deleting Personal Data on instruction).
Customer can make many Data Subject Request operations directly through the Service (export, deletion, correction).
7. Personal Data Breaches
LicensePulse will notify Customer without undue delay and in any case within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent known:
- Nature of the breach, including categories and approximate number of Data Subjects and records.
- Likely consequences.
- Measures taken or proposed to mitigate.
- Contact point at LicensePulse for further information.
LicensePulse will provide updates as the investigation progresses and a final post-mortem within 30 days.
8. Audits
LicensePulse will make available to Customer, on request:
- Its current security and compliance certifications (when available — e.g. SOC 2 reports).
- Responses to industry-standard security questionnaires (e.g. CAIQ-Lite — see
caiq-lite.md).
If Customer reasonably believes those documents are insufficient, Customer may, once per 12 months and on at least 30 days' notice, conduct an audit at Customer's expense, by an independent auditor agreed by both parties, during business hours, with no disruption to the Service. The auditor must sign confidentiality terms acceptable to LicensePulse before any audit. Aggregate audit costs above $5,000 per audit are at Customer's expense unless an audit reveals material non-compliance, in which case LicensePulse pays.
9. Return and deletion
On termination of the Agreement, Customer may export Personal Data via the in-app export tools or by written request for 30 days. After that, LicensePulse will delete Personal Data from active systems within 30 days, and from backups within 90 days (when the backups age out), except to the extent retention is required by law. On Customer's written request, LicensePulse will provide written confirmation of deletion.
10. International transfers
Where Customer's Personal Data is transferred from the EU/EEA, UK, or Switzerland to LicensePulse in the United States, the parties incorporate by reference:
- The EU SCCs (Module 2: Controller-to-Processor) adopted by Commission Decision 2021/914.
- The UK Addendum to the EU SCCs (Information Commissioner's Office form, version B1.0).
- For Switzerland, the SCCs apply with references to the Swiss FADP and the Federal Data Protection and Information Commissioner.
For SCC purposes:
- Module 2 applies (Controller to Processor).
- Clause 7 (Docking Clause) is included.
- Clause 9 option 2 (general written authorization for Sub-processors) applies, with 14 days' notice.
- Clause 11 option (independent dispute resolution) is not selected.
- Clause 17 governing law: Ireland.
- Clause 18 forum: Ireland.
- Annex I.A (Parties): Customer is the data exporter; LicensePulse is the data importer.
- Annex I.B (Description of transfer): see Section 2 above.
- Annex I.C (Competent supervisory authority): the supervisory authority of the Member State where the data exporter is established (or Ireland if the exporter is not established in the EEA).
- Annex II (Technical and organizational measures): below.
- Annex III (Sub-processors): the list at https://licensepulse.app/subprocessors.
11. CCPA-specific terms (California)
To the extent Customer Personal Data includes information about California residents:
- LicensePulse is a Service Provider under CCPA/CPRA.
- LicensePulse will not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data outside the direct business relationship with Customer; (c) combine Personal Data with information received from another source except as permitted by CCPA/CPRA.
- LicensePulse certifies that it understands and will comply with these restrictions.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
13. Order of precedence
In the event of conflict between (a) the SCCs, (b) this DPA, and (c) the Agreement, the order of precedence is: SCCs > DPA > Agreement.
Annex I — Description of processing
A. Parties - Data exporter (Controller): Customer, as identified in the Agreement. - Data importer (Processor): LicensePulse.
B. Description of transfer
| Field | Detail |
|---|---|
| Categories of Data Subjects | Customer's personnel and (optionally) end users whose license usage Customer tracks |
| Categories of Personal Data | Names, work emails, usernames, department / cost-center identifiers, software-usage records, contract metadata |
| Special categories | None |
| Frequency | Continuous (during the term of the Agreement) |
| Nature | Hosting, analytics, alerting, reporting |
| Purpose | Provision of the Service |
| Retention | Per Section 9 of this DPA |
C. Competent supervisory authority: as defined in Section 10 above.
Annex II — Technical and Organizational Measures
LicensePulse implements at least the following measures:
- Access control: role-based access (Owner / Admin / Viewer); per-tenant isolation by
org_id; bcrypt-hashed passwords; SHA-256-hashed agent API keys; revocation on demand. - Encryption: TLS 1.2+ in transit on every endpoint; AES-256 at rest on the database volume.
- Network security: HTTPS-only public surface; no inbound ports to internal infrastructure; rate limits per API key.
- Logging & monitoring: application access logs, integration sync logs, error tracking; logs retained 90 days minimum.
- Backup: daily Postgres backups, 7-day retention, point-in-time recovery within 24 hours, quarterly restore drills.
- Personnel: confidentiality obligations in employment agreements; access on a need-to-know basis.
- Incident response: documented playbook; 72-hour Customer notification; 30-day post-mortem.
- Sub-processor management: written contracts with equivalent obligations; published list with advance-notice mechanism.
- Vulnerability management: dependency scanning; security patches applied within 30 days of release; vulnerability disclosure mailbox at security@licensepulse.app.
Annex III — Sub-processors
See https://licensepulse.app/subprocessors. As of May 17, 2026, the list is reproduced in subprocessors.md.
LicensePulse — legal@licensepulse.app