Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Pipelizo Terms of Service and sets out the terms under which Pipelizo, Inc. processes personal data on behalf of its customers. It is designed to satisfy GDPR Art. 28, UK-GDPR, and CCPA service-provider requirements.

For personal data within customer workspaces, the customer is the controller and Pipelizo is the processor. For account and marketing data, Pipelizo is the controller.

Pipelizo processes customer data only on documented instructions from the customer, for the purpose of providing the service as described in the Terms.

Categories of data subjects: customer's employees, prospects, contacts, customers. Categories of data: name, email, phone, company, job title, communication history, deal metadata, and any custom fields the customer chooses to create.

A current list of authorized sub-processors is maintained at pipelizo.com/sub-processors. The customer hereby provides general authorization for these sub-processors.

Pipelizo will give 30 days' notice before adding any new sub-processor; the customer may object by terminating the affected portion of the service.

Where data is transferred outside the EEA/UK, Pipelizo relies on EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, supplemented by appropriate technical safeguards (encryption, pseudonymization, access controls).

Pipelizo implements technical and organizational measures as documented in our Security overview, which form part of this DPA by reference.

Pipelizo will, taking into account the nature of processing, assist the customer in fulfilling data subject access, rectification, erasure, restriction, and portability requests — at no additional charge.

Pipelizo will notify the customer without undue delay (target: within 48 hours) of becoming aware of a personal data breach. Notifications include the nature of the breach, affected data, likely consequences, and remediation steps.

The customer may, at most once per year, request reasonable audit information about Pipelizo's compliance — typically satisfied by sharing our SOC 2 Type II report.

On termination, Pipelizo will delete or return all customer data within 30 days, except where retention is required by law.

This DPA is automatically incorporated into your Pipelizo Terms. If a signed DPA is required for your records, email support@pipelizo.com — we counter-sign within 48 hours.