AppPulse — Data Processing Agreement (DPA)

Effective date: [TO BE SET ON LAUNCH DAY]
Last updated: May 7, 2026
Version: 1.0

DISCLAIMER: This DPA is a starting template based on GDPR Article 28 standard practice. Have it reviewed by a privacy attorney before publishing or signing with enterprise customers. Templates from Termly, Iubenda, or attorneys typically cost $100–$500.


This Data Processing Agreement ("DPA") forms part of the Terms of Service between Malon Global Tech LLC ("Processor," "AppPulse," "we") and the Customer ("Controller," "you") and applies to the extent AppPulse processes Personal Data on your behalf in connection with the Service.

If there is a conflict between this DPA and the Terms of Service, this DPA governs as to data protection matters.


1. Definitions

Capitalized terms not defined here have the meanings given in the Terms of Service or in applicable Data Protection Laws.

  • Data Protection Laws: GDPR, UK GDPR, Data Protection Act 2018, CCPA/CPRA, and other applicable privacy laws.
  • Personal Data: any information relating to an identified or identifiable natural person, as defined in Data Protection Laws.
  • Processing: any operation performed on Personal Data (collection, use, storage, transfer, etc.).
  • Controller, Processor, Data Subject, Sub-Processor: as defined in GDPR.
  • Standard Contractual Clauses (SCCs): the EU Commission's standard contractual clauses for data transfers to third countries, as updated.

2. Roles

  • Controller: You decide what is being audited and what data the audit will incidentally observe.
  • Processor: AppPulse processes Personal Data on your instructions to deliver the Service.

For Personal Data you provide directly to us about yourself or your team (account info, billing), we act as Controller, not Processor. That data is governed by our Privacy Policy.


3. Scope and Purpose of Processing

Aspect | Description
Subject matter | Audit of customer-authorized applications
Duration | The term of the Agreement + retention periods (see Section 7)
Nature | Automated and human-augmented analysis of application data
Purpose | Producing audit findings and reports for the Customer
Categories of Personal Data | (see Section 4)
Categories of Data Subjects | (see Section 4)

4. Categories of Personal Data and Data Subjects

4.1 Personal Data Processed (incidentally, during audits)

  • User account data visible in your application's database (email addresses, usernames, hashed passwords, profile data) — observed via read-only role
  • Customer data within your application that is exposed by vulnerabilities (e.g., a Critical finding may surface that user records are publicly accessible)
  • Test account credentials you provide
  • Code identifiers (commit authors, file paths) within your repository
  • API logs (LLM interactions) when AI Safety Audits are scoped

4.2 Categories of Data Subjects

  • Your end users / customers (whose data exists in your app)
  • Your employees / contractors (commit authors in your repos)
  • Test users (credentials you provide)

4.3 Special Categories of Personal Data

We do not intentionally process special categories (health, biometric, political opinion, etc.). If your application contains such data and an audit incidentally observes it, the same protections in this DPA apply.

You agree to inform us in writing before the audit if your application contains special categories so we can apply heightened controls (additional encryption, restricted access, etc.).


5. AppPulse Obligations as Processor

AppPulse will:

(a) Process Personal Data only on your documented instructions, including for transfers, except where required by law (with notice to you where permitted).

(b) Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.

(c) Implement appropriate technical and organizational measures to protect Personal Data (see Section 9).

(d) Engage Sub-Processors only under the conditions in Section 8.

(e) Assist you in responding to Data Subject requests and other obligations under Data Protection Laws.

(f) Notify you of any Personal Data breach without undue delay (within 72 hours of discovery, where feasible).

(g) Make available all information necessary to demonstrate compliance and allow audits, subject to Section 12.

(h) Delete or return all Personal Data upon termination per Section 7.


6. Customer Obligations as Controller

You will:

(a) Have all required legal bases (consent, legitimate interest, contract, etc.) to authorize the audit and the incidental processing of any Personal Data within your application.

(b) Ensure your privacy notices to your end users adequately disclose that your application may be audited by service providers like AppPulse.

(c) Provide accurate authorization scope (URLs, repos, DB roles).

(d) Notify AppPulse if any Special Categories of Personal Data are present.

(e) Comply with your own obligations under Data Protection Laws, including Data Subject request handling for data within your control.

(f) Indemnify AppPulse for any third-party claim arising from your failure to have a lawful basis for the audit.


7. Data Retention and Deletion

Personal Data observed during audits is retained as follows:

Data Type | Retention
Source code accessed via GitHub App | Ephemeral only — deleted immediately after scan completes
Database contents observed via read-only role | Not persisted
Audit findings (text descriptions, severity, file references) | Per Terms of Service Section 8.5
Test credentials | Deleted within 30 days of audit delivery
Scanner logs | 90 days

Upon termination of the Agreement, AppPulse will delete all Personal Data within 90 days unless retention is required by law (e.g., for tax, accounting, or legal defense purposes).

You may request earlier deletion via email; we will honor such requests within 7 days unless legally prohibited.


8. Sub-Processors

8.1 Authorization

You authorize AppPulse to engage Sub-Processors as listed in our Privacy Policy Section 5.1 (and at apppulse.net/legal/sub-processors).

8.2 Notification of Changes

We will notify you of new Sub-Processors at least 30 days before engagement, via email (if you have an active subscription) or via update to the published list.

8.3 Objection Right

You may object to a new Sub-Processor for legitimate data protection reasons within 30 days of notification. If we cannot accommodate the objection, you may terminate the affected portion of the Service with a pro-rated refund of any prepaid fees for unused service.

8.4 Sub-Processor Obligations

We require all Sub-Processors to commit, in writing, to data protection obligations no less protective than those in this DPA.

8.5 AppPulse Responsibility

AppPulse remains responsible for Sub-Processor compliance.


9. Security Measures

AppPulse implements the following technical and organizational measures:

9.1 Technical Measures

  • Encryption in transit: TLS 1.3
  • Encryption at rest: AES-256
  • Network security: firewalls, DDoS protection (Cloudflare)
  • Access controls: role-based access, MFA required for all team members
  • Source code isolation: ephemeral sandboxes destroyed post-scan
  • Logging and monitoring: all admin actions logged, anomaly alerts
  • Backup: encrypted backups, tested recovery procedures
  • Software security: automated dependency scanning, penetration testing
  • Endpoint security: full-disk encryption on team devices, MDM where applicable

9.2 Organizational Measures

  • Confidentiality agreements: all team members sign NDAs
  • Background checks: for team members with production access
  • Security awareness training: annual minimum
  • Incident response runbook: documented and tested
  • Access provisioning: principle of least privilege; quarterly review
  • Vendor management: Sub-Processors vetted before engagement

9.3 Updates

We may update security measures provided the level of protection is not materially diminished.


10. Personal Data Breach Notification

10.1 Definition

A "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

10.2 Notification

AppPulse will notify you of any confirmed Personal Data Breach without undue delay and in any case within 72 hours of discovery, providing:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences
  • Measures taken or proposed to address the breach
  • Contact for further information

10.3 Cooperation

We will cooperate with you in good faith to investigate, mitigate, and notify Data Subjects and authorities as required by law.

10.4 Costs

Each party bears its own costs of breach response unless the breach is caused by AppPulse's gross negligence or willful misconduct, in which case AppPulse will reimburse your reasonable costs.


11. Data Subject Requests

11.1 Routing

Data Subject requests should be directed to you, the Controller. We will not respond directly to Data Subjects of your application without your authorization.

11.2 Assistance

We will provide reasonable assistance to help you respond to Data Subject requests, including:

  • Helping locate Data Subject data within audit findings
  • Deleting Data Subject data from our records on your instruction
  • Exporting Data Subject data in a portable format

11.3 Costs

Assistance is included at no charge for reasonable volumes. For high-volume requests, we may charge time and materials at our standard rates with prior notice.


12. Audits

12.1 Audit Reports

We will make available to you, upon request, the most recent reports of independent third-party audits or certifications (e.g., SOC 2 once obtained).

12.2 Customer Audits

For Enterprise customers with documented regulatory requirements, you may request an audit of our processing, subject to:

  • 60 days' prior written notice
  • During business hours
  • Limited to once per 12 months
  • At your own cost
  • Subject to confidentiality obligations
  • Conducted by independent third-party assessors mutually agreed upon by the parties

12.3 Information Requests

We will respond in good faith to reasonable information requests demonstrating our compliance with this DPA without requiring a full audit.


13. International Transfers

13.1 Cross-Border Transfers

Where AppPulse processes Personal Data outside the country of origin (e.g., EU customer data processed in the US), we rely on:

  • Adequacy decisions where available
  • Standard Contractual Clauses (SCCs) with all relevant Sub-Processors and Customer
  • Supplementary measures: encryption, access controls, transparency

13.2 SCCs Incorporated

For transfers from the EEA, UK, or Switzerland to the US or other non-adequate countries, the EU Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated by reference and govern those transfers.

A copy of the SCCs is available upon request.

13.3 UK Addendum

For UK Personal Data, the UK International Data Transfer Addendum is incorporated by reference.

13.4 EU Representative

If required, we will appoint an EU Representative under GDPR Article 27. Until appointment, contact us via omotereolamide@malonglobaltech.com.


14. Liability

14.1 General

Liability for breaches of this DPA is governed by the limitation of liability clause in the Terms of Service.

14.2 Carve-out

Liability for breach of this DPA in cases of gross negligence or willful misconduct is not subject to the standard liability cap in the Terms of Service, to the extent such carve-out is required by applicable law.


15. Term and Termination

This DPA is in effect for as long as AppPulse processes Personal Data on your behalf. It survives termination of the underlying Agreement to the extent any Personal Data remains within our systems.


16. Governing Law

This DPA is governed by the same law as the Terms of Service (Delaware, USA), except where Data Protection Laws require otherwise (in which case those laws govern the relevant provisions).


17. Order of Precedence

In case of conflict:

  1. Mandatory provisions of applicable Data Protection Laws
  2. SCCs (where applicable)
  3. This DPA
  4. Terms of Service

18. Signature (Optional for Self-Serve Customers)

For self-serve customers, acceptance of the Terms of Service constitutes acceptance of this DPA, and a separate signature is not required.

For Enterprise customers requiring signed DPAs:

Signed for and on behalf of CUSTOMER:

Name: ____________________________
Title: ____________________________
Date: ____________________________
Signature: ____________________________


Signed for and on behalf of MALON GLOBAL TECH LLC (AppPulse):

Name: Olamide Omotere
Title: Founder
Date: ____________________________
Signature: ____________________________

19. Annexes

Annex 1 — Description of Processing

See Section 3 of this DPA.

Annex 2 — Sub-Processors

See apppulse.net/legal/sub-processors and Privacy Policy Section 5.1.

Annex 3 — Security Measures

See Section 9 of this DPA.

Annex 4 — Standard Contractual Clauses (SCCs)

Available upon request. Module Two (Controller-to-Processor) applies.


End of Data Processing Agreement.