Data Processing Agreement

Effective: May 17, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between LicensePulse ("LicensePulse", "Processor") and the customer named in the order form or otherwise identified ("Customer", "Controller"). It applies whenever LicensePulse processes Personal Data on Customer's behalf in connection with the Service.

If the Agreement and this DPA conflict on a data protection matter, this DPA controls.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.

2. Subject matter and roles

3. LicensePulse's obligations

LicensePulse will:

  1. Process Personal Data only on documented Customer instructions, including for international transfers, except where required by law (we will tell Customer first unless prohibited).
  2. Ensure confidentiality — personnel authorized to process Personal Data are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational measures (see Annex II below) to protect Personal Data against unauthorized or unlawful processing and accidental loss.
  4. Engage Sub-processors only as permitted in Section 5.
  5. Assist Customer, taking into account the nature of processing, with: - Responses to Data Subject Requests under Articles 15–22 GDPR (Section 6). - Data protection impact assessments under Article 35 GDPR. - Notifications to supervisory authorities and Data Subjects under Articles 33–34 GDPR.
  6. Notify Customer of Personal Data Breaches without undue delay and in any case within 72 hours of becoming aware (Section 7).
  7. On termination, return or delete Personal Data per Section 9.
  8. Make available all information necessary to demonstrate compliance with this DPA, and allow audits per Section 8.

4. Customer's obligations

Customer warrants that:

5. Sub-processors

6. Data Subject Requests

If LicensePulse receives a request directly from a Data Subject of Customer, LicensePulse will (a) not respond to the substantive request and (b) forward it to Customer without undue delay. LicensePulse will assist Customer in responding (e.g. by exporting, correcting, or deleting Personal Data on instruction).

Customer can make many Data Subject Request operations directly through the Service (export, deletion, correction).

7. Personal Data Breaches

LicensePulse will notify Customer without undue delay and in any case within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent known:

  1. Nature of the breach, including categories and approximate number of Data Subjects and records.
  2. Likely consequences.
  3. Measures taken or proposed to mitigate.
  4. Contact point at LicensePulse for further information.

LicensePulse will provide updates as the investigation progresses and a final post-mortem within 30 days.

8. Audits

LicensePulse will make available to Customer, on request:

If Customer reasonably believes those documents are insufficient, Customer may, once per 12 months and on at least 30 days' notice, conduct an audit at Customer's expense, by an independent auditor agreed by both parties, during business hours, with no disruption to the Service. The auditor must sign confidentiality terms acceptable to LicensePulse before any audit. Aggregate audit costs above $5,000 per audit are at Customer's expense unless an audit reveals material non-compliance, in which case LicensePulse pays.

9. Return and deletion

On termination of the Agreement, Customer may export Personal Data via the in-app export tools or by written request for 30 days. After that, LicensePulse will delete Personal Data from active systems within 30 days, and from backups within 90 days (when the backups age out), except to the extent retention is required by law. On Customer's written request, LicensePulse will provide written confirmation of deletion.

10. International transfers

Where Customer's Personal Data is transferred from the EU/EEA, UK, or Switzerland to LicensePulse in the United States, the parties incorporate by reference:

For SCC purposes:

11. CCPA-specific terms (California)

To the extent Customer Personal Data includes information about California residents:

12. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

13. Order of precedence

In the event of conflict between (a) the SCCs, (b) this DPA, and (c) the Agreement, the order of precedence is: SCCs > DPA > Agreement.


Annex I — Description of processing

A. Parties - Data exporter (Controller): Customer, as identified in the Agreement. - Data importer (Processor): LicensePulse.

B. Description of transfer

Field Detail
Categories of Data Subjects Customer's personnel and (optionally) end users whose license usage Customer tracks
Categories of Personal Data Names, work emails, usernames, department / cost-center identifiers, software-usage records, contract metadata
Special categories None
Frequency Continuous (during the term of the Agreement)
Nature Hosting, analytics, alerting, reporting
Purpose Provision of the Service
Retention Per Section 9 of this DPA

C. Competent supervisory authority: as defined in Section 10 above.

Annex II — Technical and Organizational Measures

LicensePulse implements at least the following measures:

Annex III — Sub-processors

See https://licensepulse.app/subprocessors. As of May 17, 2026, the list is reproduced in subprocessors.md.


LicensePulse — legal@licensepulse.app