Oct 20, 2025

Data Processing Addendum ("DPA")

This Data Processing Addendum (“DPA”) forms part of the Agreement between the customer (“Controller”) and Pivot Technologies Holdings Inc., a Delaware corporation with its principal office at 2219 Main St Unit #371, Santa Monica, CA 90405, United States (“Pivot” or “Processor”). This DPA governs Pivot’s processing of Customer Personal Data on behalf of Controller in connection with the Services described in the Agreement.

1. Definitions

  • Applicable Data Protection Law means all data protection and privacy laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, the EU GDPR, UK GDPR, Swiss FADP, and similar laws.
  • Customer Personal Data means any Personal Data processed by Pivot on behalf of Controller via the Services.
  • Data Subject, Personal Data, Processing, Controller, Processor, Supervisory Authority have the meanings given in the GDPR.
  • Sub‑processor means any third party engaged by Pivot that processes Customer Personal Data.
  • Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Pivot.

2. Roles & Instructions

2.1 Roles. Controller is the Controller and Pivot is the Processor with respect to Customer Personal Data.

2.2 Instructions. Pivot will process Customer Personal Data only on documented instructions from Controller as set out in the Agreement and this DPA (including Annex I), unless required by law. Where law requires processing beyond Controller’s instructions, Pivot will (to the extent permitted) inform Controller. If Pivot reasonably believes an instruction infringes Applicable Data Protection Law, Pivot will notify Controller without undue delay.

3. Confidentiality & Personnel

Pivot ensures that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and receive appropriate privacy and security training.

4. Security of Processing

4.1 Measures. Pivot implements and maintains appropriate technical and organizational measures (“TOMs”) designed to protect Customer Personal Data, as described in Annex II.

4.2 Reviews. Pivot reviews the TOMs at least annually and updates them to address evolving risks, considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

5. Sub‑processing

5.1 Authorization. Controller provides a general authorization for Pivot to engage Sub‑processors. The current list is published at /legal/subprocessors.

5.2 Requirements. Pivot will impose data protection obligations on Sub‑processors providing at least the same level of protection as this DPA and remains responsible for their performance.

5.3 Changes. Pivot will provide advance notice of changes to Sub‑processors by updating the aforementioned page and, where requested, via email/RSS. Controller may object on reasonable data protection grounds within 10 days of notice. If not resolved, Controller may suspend the affected Services or terminate the Agreement for convenience with respect to the impacted Services, subject to any applicable refund.

6. Assistance & Data Subject Requests

Taking into account the nature of processing and the information available to Pivot, Pivot will assist Controller by appropriate technical and organizational measures with: (a) fulfilling Controller’s obligation to respond to Data Subject requests; (b) security obligations; (c) data protection impact assessments; and (d) consultation with Supervisory Authorities. Where a request is made directly to Pivot, Pivot will, where feasible, promptly notify Controller and not respond except on documented instructions of Controller.

7. Security Incidents

Pivot will notify Controller without undue delay and no later than 72 hours after becoming aware of a Security Incident affecting Customer Personal Data. The notice will include information reasonably available to Pivot to help Controller meet its breach notification obligations, and Pivot will provide updates as more information becomes available. Pivot will investigate, contain, mitigate, and remediate the Security Incident and document its response.

8. Audits & Information

8.1 Documentation. Pivot will make available to Controller information reasonably necessary to demonstrate compliance with this DPA.

8.2 Audit. No more than once in any 12‑month period, Controller (or an independent auditor mandated by Controller, not a competitor of Pivot) may audit Pivot’s compliance with this DPA upon 30 days’ prior written notice, subject to confidentiality, safety, and operational constraints. Audits will be conducted during normal business hours and avoid unreasonable disruption.

8.3 Alternatives. As an alternative to on‑site audits, Pivot may provide recent third‑party assessments or reports (e.g., penetration test summaries, SOC reports when available) and written responses to reasonable security questionnaires.

9. International Transfers

9.1 EEA/Swiss Transfers. Where processing involves a transfer of Customer Personal Data to a country outside the EEA/Switzerland not recognized as providing an adequate level of protection, the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) are incorporated by reference as follows: Module 2 (Controller→Processor) and, where Pivot engages a Sub‑processor located in a third country, Module 3 (Processor→Processor).

9.2 UK Transfers. For transfers subject to UK law, the UK International Data Transfer Addendum to the SCCs is incorporated by reference.

9.3 Supplementary Measures. Pivot may implement supplementary measures (e.g., encryption in transit and at rest, access controls, regional hosting options) to address transfer risks.

9.4 Conflicts. In case of conflict between the SCCs and this DPA, the SCCs prevail for the relevant transfer.

10. Return & Deletion

Upon termination or expiration of the Services, Controller may request return of Customer Personal Data. Pivot will delete Customer Personal Data from active systems within 30 days and from backups within 90 days, unless a longer retention is required by law. Details are described in the Data Deletion & Retention Policy. Upon request, Pivot will confirm deletion in writing.

11. Liability, Precedence & Governing Law

11.1 Liability. Each party’s liability under this DPA is subject to the limitations and exclusions set forth in the Agreement, to the extent permitted by law.

11.2 Precedence. In the event of conflict between this DPA and the Agreement, this DPA controls with respect to the subject matter herein. In the event of conflict between this DPA and the SCCs (where applicable), the SCCs control.

11.3 Governing Law. This DPA is governed by the law specified in the Agreement, unless otherwise required by the SCCs.

12. Miscellaneous

12.1 Records. Pivot maintains records of processing activities as required by Applicable Data Protection Law.

12.2 No Sale of Personal Data. Pivot does not sell Personal Data as defined by applicable state privacy laws.

12.3 Changes. Pivot may update this DPA to reflect changes in laws, industry standards, or Services. Material changes will be notified to Controller and posted with an updated effective date.

Annex I — Details of Processing

Subject matter & duration: Processing Customer Personal Data to provide the Services, for the term of the Agreement plus deletion period.

Nature & purpose: Hosting and storage; collaboration features; chat/messaging; video rooms; analytics; search/indexing; customer support; security, fraud prevention, and service improvement.

Categories of Data Subjects: Controller’s users (employees, contractors, members, students, community participants), and any individuals whose Personal Data is submitted to the Services.

Categories of Personal Data: Account/profile data (names, emails, photos); organization and team metadata; content created in spaces/rooms/posts/files; event and usage data; device and technical logs; support communications. Special categories are not intended to be processed but may be incidentally included if uploaded.

Controller instructions: Process data only to provide, secure, support, and improve the Services; prevent/address technical or security issues; comply with law.

Annex II — Technical & Organizational Measures (TOMs)

  • Governance & Policy: Security program with designated owner; risk assessments; annual policy reviews. Workforce security/privacy training; background checks where permitted by law.
  • Access Control & Identity: RBAC, least‑privilege access, MFA for administrative/production access, SSO support where available, session management.
  • Data Security: Encryption in transit (TLS 1.2+) and at rest (AES‑256 or equivalent); key management via cloud KMS; data minimization; tenant data segregation.
  • Application Security: Secure SDLC with peer review, CI dependency scanning; vulnerability management with remediation SLAs; regular third‑party testing.
  • Infrastructure & Monitoring: Hosted on AWS/GCP/Azure with network segmentation, patch management, centralized logging/alerting, anomaly detection, DDoS protection, WAF/edge security.
  • Backups & Resilience: Encrypted backups; integrity testing; geo‑redundancy; RTO/RPO objectives documented; disaster recovery exercises.
  • Incident Response: Documented runbooks for detection, containment, eradication, recovery, post‑incident review; breach notification as per Section 7.
  • Third‑Party Management: Vendor due diligence, DPAs with Sub‑processors, ongoing monitoring, published Sub‑processor list and notifications.
  • Data Subject Rights & Privacy by Design: Tools and APIs for access/export/deletion; audit logging; privacy impact assessments for high‑risk features.
  • Physical & Environmental Security: Cloud provider physical security, access controls, surveillance, environmental safeguards.

Annex III — Sub‑processors

Current Sub‑processors are listed at /legal/subprocessors with processing purpose, location, and transfer mechanism. Customers may subscribe to updates.

Annex IV — Jurisdiction‑Specific Terms

  • United States (CCPA/CPRA): Pivot acts as a “service provider” or “processor” and will not retain, use, or disclose Personal Information beyond the business purposes specified in the Agreement.
  • Canada (PIPEDA): Pivot implements safeguards appropriate to the sensitivity of the information and notifies Controller of material privacy breaches as required by law.
  • Brazil (LGPD): References to GDPR include analogous provisions under LGPD; Supervisory Authority includes the ANPD.
  • United Kingdom: References to GDPR include UK GDPR; Supervisory Authority includes the ICO.

Contact

Terms of Service Clause: “The Pivot Data Processing Addendum (“DPA”) is incorporated into these Terms by reference and governs Pivot’s processing of Customer Personal Data on your behalf. The current DPA is available at /legal/dpa. If there is a conflict between the DPA and these Terms regarding data protection, the DPA controls.”