Data Processing Addendum

Last Updated: July 15, 2026

This Data Processing Addendum (the "DPA") forms part of the LLM Pulse Terms of Service (the "Terms") between LLM PULSE SL ("LLM Pulse", "we", "our", or "us") and the Customer ("you"). It applies whenever we process personal data on your behalf in connection with the Service. It is incorporated into the Terms by reference, so it applies automatically and does not need a separate signature. If you and we have signed a separate data processing agreement, that signed agreement prevails over this DPA.

Contents

1. Definitions

"GDPR" means Regulation (EU) 2016/679, and "personal data", "processing", "controller", "processor", and "data subject" have the meanings given there. "Customer Personal Data" means personal data contained in Customer Data (as defined in the Terms) that we process on your behalf to provide the Service. "Data protection law" means the GDPR and any other privacy law applicable to the processing under this DPA.

2. Roles and scope

You are the controller of Customer Personal Data (or a processor acting on behalf of your own clients), and we act as your processor (or sub-processor). Annex 1 describes the subject matter, duration, nature, and purposes of the processing, the categories of data subjects, and the types of personal data. Each party will comply with its own obligations under applicable data protection law. Where you act as a processor for your own clients, you warrant that the instructions you give us are authorized by the relevant controller and that you have made the disclosures and obtained the permissions needed for us to process the data as described.

3. Processing on your instructions

We process Customer Personal Data only on your documented instructions, which consist of the Terms and this DPA, your configuration of the Service, and your use of its features, unless we are required to process otherwise by EU or member state law (in which case we will inform you before processing, unless the law prohibits it). We will inform you if we believe an instruction infringes data protection law, and we may pause the affected processing until the issue is resolved.

4. Confidentiality

We make sure that every person we authorize to process Customer Personal Data (including our staff and contractors) is bound by contractual or statutory confidentiality obligations.

5. Security

We implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. The current measures are described in Annex 2. We will assist you, to a reasonable extent and taking into account the information available to us, in meeting your own security obligations under data protection law.

6. Sub-processors

You give us general written authorization to engage the sub-processors listed at https://llmpulse.ai/subprocessors. We will update that page and notify you (by email or in the app) at least 30 days before we add or replace a sub-processor. You may object in writing within that period on reasonable data-protection grounds; if we cannot offer a solution, you may terminate the affected part of the Service and receive a pro-rata refund of prepaid fees for the unused period. We impose on every sub-processor data protection obligations materially equivalent to this DPA, and we remain responsible for their performance.

7. Data subject requests

Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as this is possible, in responding to requests from data subjects exercising their rights (such as access, rectification, erasure, or portability). If a data subject contacts us directly about data processed on your behalf, we will forward the request to you without undue delay and will not respond on the merits, except where required by law.

8. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information reasonably available to us, such as the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. We may provide information in phases as it becomes available and will not delay the initial notice solely because every detail is not yet known. We will cooperate with you and provide reasonable assistance for your own notification obligations.

9. Impact assessments

We will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent they relate to the Service and taking into account the information available to us.

10. International transfers

We host Customer Personal Data in the European Union. Where a sub-processor processes Customer Personal Data outside the European Economic Area, we ensure a lawful transfer mechanism, such as an adequacy decision of the European Commission (including the EU-US Data Privacy Framework where the recipient is certified) or the Standard Contractual Clauses adopted by the European Commission, together with supplementary measures where needed. Details per provider are on the Sub-processors page.

11. Audits and information

We will make available to you the information reasonably necessary to demonstrate compliance with Article 28 GDPR, including responses to reasonable written security questionnaires. You may audit our compliance with this DPA no more than once every 12 months, on at least 30 days written notice, during business hours, without disrupting our operations, at your own cost, under confidentiality, and without access to data of other customers. The frequency and notice limits do not apply where an audit is reasonably required following a suspected or confirmed personal data breach, credible evidence of material non-compliance, or a request from a competent supervisory authority. In those cases, you will give the notice that is reasonable in the circumstances. Where possible, we will first satisfy audit requests with documentation and third-party attestations. If an audit reveals material non-compliance, we will remediate it without undue delay.

12. Return and deletion of data

When the processing ends, at your choice we will return Customer Personal Data to you and delete existing copies, or delete it, unless EU or member state law requires storage. You can make that choice in writing during your subscription or within 30 days after termination. During that period, we will on request make a reasonable export available as described in the Terms. If you give no instruction, you instruct us to delete the data. We complete deletion within 90 days after termination, except for backup copies that are overwritten in the normal backup cycle and data we must retain by law, which remains protected under this DPA until deleted. On written request, we will confirm deletion.

13. Liability

The exclusions and limitations of liability in the Terms apply to this DPA to the maximum extent permitted by law, and the combined liability under the Terms and this DPA is subject to a single aggregate cap. These contractual limits apply only between you and us. They do not limit the rights of data subjects, the powers of supervisory authorities, or any liability that applicable data protection law does not permit the parties to exclude or limit.

14. Term, precedence, and changes

This DPA applies for as long as we process Customer Personal Data under the Terms. For data-protection subject matter, this DPA prevails over the Terms. We may update this DPA following the change mechanics of the Terms; changes needed to comply with data protection law may take effect on shorter notice, and we will inform you of them.

Annex 1: Details of processing

Subject matter: provision of the LLM Pulse platform, the optional features selected by the Customer, and related support.
Duration: the term of your subscription plus the return and deletion period described in Section 12. Raw files uploaded to Agent Analytics are retained for up to 30 days after processing.
Nature and purposes: hosting, storage, analysis, reporting, connected web analytics, Agent Analytics, embedded experiences, AI-assisted features you request, support, security, and service improvement as instructed through your use of the Service.
Categories of data subjects: your Users and staff; your clients and end viewers of embedded or shared reports; website visitors or leads whose personal data is included in a connected analytics source or a log source you provide; and individuals whose personal data appears in public sources analyzed by the Service.
Categories of personal data: identification and contact details (such as names and email addresses), business and professional details, aggregated traffic, session and conversion data, page URLs and referrers, end-viewer activity, technical request and log data included in sources you provide, and content data contained in those sources.
Special categories: none intended; you agree not to submit them to the Service.

Annex 2: Technical and organizational measures

Our measures include: hosting in the European Union with reputable providers; encryption of data in transit (TLS); access controls based on least privilege and role-based permissions; strict authentication controls for administrative access; logging and monitoring of production systems; separation of production and non-production environments; regular backups with defined retention; personnel confidentiality commitments; due diligence on sub-processors; documented incident response procedures; and secure development practices, including code review and dependency updates.

Annex 3: Sub-processors

The current list of sub-processors, the purpose of each, and their regions is published at https://llmpulse.ai/subprocessors. Changes are notified as described in Section 6 of this DPA.