Document · DPA-2026.04

Data Processing Addendum.

Standard DPA for paid Pondral plans. Incorporates SCCs (Module 2 — Controller-to-Processor) for EU/UK transfers.

Version 2026.04 · Effective April 1, 2026 · Pages 14

1. Definitions

"Customer" means the entity that has executed an Order Form with Pondral. "Pondral" or "Processor" means Pondral, Inc. "Personal Data" has the meaning given in applicable Data Protection Laws (GDPR Art. 4(1), CCPA §1798.140(o)).

"Sub-processor" means any third party engaged by Pondral to Process Personal Data on Customer's behalf. "Data Protection Laws" means GDPR, UK GDPR, CCPA/CPRA, and any other applicable privacy laws as amended.

2. Scope and roles

Customer is the Controller; Pondral is the Processor. This DPA applies to all Personal Data Processed by Pondral on behalf of Customer in connection with the Services.

The subject matter is the provision of the AI Visibility platform. Duration matches the underlying Order Form. Categories of Data Subjects: Customer's personnel and end-users whose data is supplied to the Services.

3. Pondral obligations

Process Personal Data only on documented Customer instructions; ensure persons authorized to Process are bound by confidentiality; implement the Security Measures set out in Annex II; assist Customer with Data Subject requests; notify Customer of Personal Data Breaches without undue delay (and within 72 hours).

4. Sub-processors

Customer authorizes Pondral to engage the Sub-processors listed in the Subprocessor List. Pondral will give Customer at least 30 days' notice of any new Sub-processor and a right to object on reasonable grounds.

5. International transfers

For transfers from the EEA, UK, and Switzerland to third countries, the SCCs (EU 2021/914, Module 2) and UK Addendum apply and are hereby incorporated. Customer is the data exporter; Pondral is the data importer.

6. Security

Annex II details the Security Measures: encryption at rest (AES-256) and in transit (TLS 1.2+), least-privilege access controls, audit logging, annual third-party penetration testing, and 24-hour breach notification SLA.

7. Audits

Customer may request an audit no more than once per calendar year, on at least 30 days' notice. Pondral will respond within 14 days with a current Trust Report and penetration test summary in lieu of on-site audit, except where required by law.

8. Termination and deletion

Upon termination, Pondral will delete or return all Personal Data within 30 days, except where retention is required by law. Backups are purged within 90 days under our standard retention policy.

Signature pages and Annex I (Description of Processing) and Annex II (Security Measures) are exchanged with the executed Order Form. To execute, email hello@pondral.com.

Last updated April 2026