This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service between SalesPulse Inc., a company registered in Fajardo, Puerto Rico ("Processor"), and the customer ("Controller") who has agreed to the SalesPulse Terms of Service. This DPA governs the processing of personal data that the Controller submits to or generates through the SalesPulse platform.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, and deletion.
- "Data Subject" means the individual to whom the Personal Data relates (e.g., the Controller's leads, contacts, and clients).
- "Sub-processor" means a third-party service provider engaged by the Processor to process Personal Data.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the Service as described in the Terms of Service. Categories of data processed include:
- Contact information (names, phone numbers, email addresses, mailing addresses).
- Insurance-specific data (policy information, licensed states, product types).
- Communication records (call recordings, transcripts, SMS/email logs).
- Transaction data (lead purchases, billing records).
- Usage and analytics data.
3. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing and transferring Personal Data to the Processor (e.g., consent, legitimate interest, or contractual necessity).
- Obtain all necessary consents from Data Subjects before recording calls, sending communications, or processing their data through the Service.
- Comply with all applicable data protection laws, including CCPA, GDPR (if applicable), and state privacy regulations.
- Promptly notify the Processor of any Data Subject requests (access, deletion, rectification) that require the Processor's assistance.
4. Processor Obligations
The Processor shall:
- Process Personal Data only in accordance with the Controller's documented instructions and the Terms of Service.
- Implement appropriate technical and organizational security measures, including encryption, access controls, and regular security assessments.
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Assist the Controller in responding to Data Subject requests within commercially reasonable timeframes.
- Notify the Controller without undue delay (and in no event later than 72 hours) upon becoming aware of a personal data breach.
- Upon termination of the Service, delete or return all Personal Data within 30 days, unless retention is required by applicable law.
5. Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors. Current Sub-processors include:
- Supabase, Inc. — Database hosting and authentication (US).
- Twilio, Inc. — Telephony, SMS, call recording, and voice intelligence (US).
- Stripe, Inc. — Payment processing (US).
- Square, Inc. (Block, Inc.) — Payment processing (US).
- Vercel, Inc. — Application hosting and CDN (US/global).
- OpenAI / Anthropic — AI processing for call summaries and analytics (US).
The Processor will notify the Controller of any new Sub-processors at least 30 days before engagement. The Controller may object to a new Sub-processor by contacting the Processor within that period. Sub-processors are bound by data protection obligations no less protective than those in this DPA.
6. International Data Transfers
The Service is primarily hosted in the United States. If Personal Data is transferred from the EU/EEA or other jurisdictions with data transfer restrictions, the Processor will ensure appropriate safeguards are in place (such as Standard Contractual Clauses) to protect the data in accordance with applicable law.
7. Security Measures
The Processor implements the following security measures to protect Personal Data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls following the principle of least privilege.
- Row-Level Security (RLS) policies on all database tables.
- CSRF protection and rate limiting on all API endpoints.
- Regular security assessments and dependency updates.
- Audit logging for data access and administrative actions.
- Automatic session expiration and token rotation.
8. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and provide the following information:
- The nature of the breach, including categories and approximate number of records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its effects.
9. Audits
The Processor shall make available to the Controller, upon reasonable request and at the Controller's expense, information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, no more than once per year with at least 30 days' prior notice.
10. Duration and Termination
This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination of the Service agreement, the Processor will delete all Personal Data within 30 days unless retention is required by law. The Controller may request a copy of their data before deletion using the platform's export features.
11. Contact
For questions about this DPA or to exercise data protection rights:
SalesPulse Inc.
Fajardo, Puerto Rico
Data Protection Contact: sales@salespulse.app
Phone: (787) 965-4777