Data Processing Agreement
Last updated: March 2026
1. Parties and definitions
This Data Processing Agreement ("DPA") is between PinkPepper.io ("Processor") and the customer using the PinkPepper service ("Controller").
- Applicable Data Protection Law: GDPR (EU) 2016/679 and UK GDPR as applicable.
- Personal Data: any information relating to an identified or identifiable natural person processed through the Service.
- Processing: any operation performed on personal data as defined in applicable law.
- Subprocessor: a third party engaged by PinkPepper to assist in providing the Service.
2. Subject matter and duration
PinkPepper processes personal data on behalf of the Controller solely to provide the PinkPepper service as described in the Terms of Service. Processing continues for the duration of the Controller's subscription and ceases when the account is closed or this DPA is terminated.
3. Nature and purpose of processing
- Storing user accounts, authentication credentials, and profile data.
- Processing chat messages and uploaded files to generate AI-assisted responses.
- Storing conversation history and generated documents.
- Processing billing information (via Stripe) to manage subscriptions.
- Sending transactional emails (via Resend) in connection with account activity.
4. Categories of data subjects and data types
Data subjects: employees, agents, and end-users of the Controller who use the Service.
Data types processed:
- Identifiers: email address, name, account ID.
- Authentication credentials (hashed passwords, session tokens).
- Content data: chat messages, uploaded images, generated documents.
- Usage data: usage counts, timestamps, subscription tier.
- Billing data: billing name, address (card data is processed directly by Stripe).
- Technical data: IP address, browser type, log data.
5. Controller obligations
- The Controller warrants that it has a lawful basis for providing personal data to PinkPepper for processing.
- The Controller is responsible for providing required notices to data subjects.
- The Controller will promptly respond to data subject requests that require Controller action.
6. Processor obligations
PinkPepper will:
- Process personal data only on documented instructions from the Controller (i.e., use of the Service), unless required by law.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in our Security page.
- Not engage new subprocessors without giving the Controller prior notice (at least 14 days) and an opportunity to object.
- Assist the Controller in responding to data subject rights requests to the extent technically feasible.
- Notify the Controller without undue delay (within 72 hours of becoming aware) of a personal data breach affecting Controller data.
- Provide reasonable assistance with the Controller's GDPR obligations including DPIAs where applicable.
- Upon termination, delete or return all personal data in accordance with our Privacy Policy retention schedules.
7. Subprocessors
PinkPepper uses the following subprocessors. All are bound by data processing agreements and appropriate transfer mechanisms:
8. International transfers
Where personal data is transferred to subprocessors located outside the EEA or UK, PinkPepper relies on Standard Contractual Clauses (SCCs) approved by the European Commission and, for UK transfers, the UK International Data Transfer Agreement (IDTA).
9. Security measures
In accordance with Article 32 GDPR, PinkPepper implements the following technical and organisational measures to ensure a level of security appropriate to the risk:
- Encryption in transit: TLS 1.2 or higher for all connections to the Service.
- Encryption at rest: AES-256 for stored database records, file storage, and backups.
- Access controls: role-based access for PinkPepper personnel; principle of least privilege; MFA on all administrative accounts.
- Data isolation: row-level security policies in the database enforce per-account tenant isolation.
- Credential protection: passwords stored as one-way hashes; session tokens rotated; no plaintext credential storage.
- Logging and monitoring: security-relevant events logged; anomaly alerts on administrative access.
- Vulnerability management: dependency scanning and timely patching of security advisories.
- Personnel: confidentiality obligations and security training for staff with access to personal data.
- Backup and recovery: regular encrypted backups with documented restoration procedures.
- Subprocessor due diligence: executed DPAs and appropriate transfer mechanisms with every subprocessor listed in Section 7.
Further detail is available on our Security page. PinkPepper will review these measures periodically and update them to reflect the evolving state of the art and the risks posed to the rights and freedoms of data subjects.
10. Audits and information rights
In accordance with Article 28(3)(h) GDPR, PinkPepper will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and in Article 28 GDPR.
- Standing documentation: PinkPepper satisfies its information duty by making available the Privacy Policy, this DPA, the Security page, and current subprocessor list. The Controller may request reasonable additional information by emailing support@pinkpepper.io.
- Audit request: once per 12-month period, or more frequently if required by a competent supervisory authority or following a personal data breach affecting the Controller, the Controller (or an independent auditor bound by confidentiality and mandated by the Controller) may audit PinkPepper's compliance with this DPA.
- Procedure: audits shall be conducted on at least 30 days' prior written notice, during PinkPepper's normal business hours, in a manner that does not unreasonably interfere with PinkPepper's operations, and subject to the auditor signing reasonable confidentiality undertakings. PinkPepper may satisfy audit requests by providing a recent third-party attestation report (for example, an ISO 27001 or SOC 2 report) covering the requested scope, where available.
- Costs: the Controller bears its own audit costs. PinkPepper may charge reasonable fees for time spent supporting the audit in excess of what is required by applicable law.
- Regulator co-operation: PinkPepper will co-operate with requests from competent supervisory authorities relating to the processing carried out under this DPA.
11. Governing law
This DPA is governed by the laws of the Republic of Ireland and the provisions of the GDPR as applicable. For UK customers, the UK GDPR and Data Protection Act 2018 apply in parallel.
12. Contact
For DPA enquiries or to request a countersigned copy, contact support@pinkpepper.io.